
Business Phone System Hacking

Introduction

Fraudsters are targeting unsecured PABXs in New Zealand and getting away with hundreds of thousands of dollars annually.

The incidence of fraud increased fourfold in 2010 with an estimated 30–40 New Zealand companies getting hit by international fraudsters each month.

Leaving your PABX unsecured is like leaving your PIN numbers or bank account details and access codes pinned to your front door.

Security of your PABX is as important as the security of your PC. It’s relatively easy for people to defraud you of thousands of dollars if you haven’t made your system secure.

Who’s at risk?

Often this is the small businessman or woman with a PABX (often their first). In one recent case it was an individual who had downloaded a free software-based VoIP PABX and installed it on their home computer.

An unsecured PABX system can be compromised via an insecure voicemail system (or similar) that allows incoming callers to dial extensions directly. From there, some insecure PABX systems can even allow callers to access outside lines. Hackers have targeted these systems around the world, sometimes resulting in a large volume of international calls being charged to the PABX user’s account.

To help ensure your business is protected against this type of fraud, we advise you check your PABX system is secure and that it is adequately configured to maximise your security. 

Minimising your risk

We recommend you take action now by reading and following the security measures below.

If you have any questions regarding your own particular PABX, contact your vendor in the first instance for advice on securing your system.

Guard against PABX hacking – what you can do

  1. CHOOSE A STRONG PASSWORD: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  2. CHANGE IT: Make sure all security features – passwords, PINs etc – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.
  3. KEEP IT CONFIDENTIAL: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  4. REVIEW REGULARLY: Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
  5. VENDOR TERMS AND CONDITIONS: Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.

Guard against PABX hacking – more tips

  1. Remove or de-activate all unnecessary system functionality, including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
  2. Restrict any destinations that should not normally be dialled: for example, premium rate, international, operator and directory enquiry numbers.
  3. Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  4. Bar voicemail ports from outgoing access to trunks if possible. If access to trunks via voicemail is necessary, implement suitable controls. Remove auto attendant options for accessing trunks.
  5. Lock surplus mailboxes until they are allocated to a user.
  6. If DISA is not used, disable it completely.
  7. Restrict physical access to equipment, e.g. your comms room and master terminals.
  8. Only give the appropriate and minimum level of system access required to carry out a task.
  9. Avoid using tones to prompt for password/PIN entry: these are often used by hacking programs.
  10. Develop processes to cover employee entry procedures, passcards, new employee vetting, and people leaving or changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  11. Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
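The call-log review recommended above (looking for suspicious destinations and unusual call volumes) can be automated against your PABX’s call detail records. The script below is an added example, not code from this page or from any PABX vendor; it assumes a constructed CSV record layout and NZ-style dialling prefixes that you would replace with your own dial plan.

```python
from collections import Counter
from datetime import datetime

# Constructed sample call detail records (CSV): timestamp,source extension or port,
# dialled number,duration in seconds. VM01 is a voicemail port with trunk access.
SAMPLE_CDR = """\
2011-09-26 09:15:02,201,0800123456,120
2011-09-26 11:40:10,205,044123456,300
2011-09-26 23:05:00,VM01,00252123456,180
2011-09-26 23:06:30,VM01,00252123457,200
2011-09-26 23:07:55,VM01,00252123458,190
2011-09-26 23:09:10,VM01,0900123456,240
2011-09-27 10:00:00,202,094561234,60
"""

# Destination classes the page says should normally be barred, keyed by an assumed
# NZ-style prefix (00 international, 0900 premium rate, 018 directory, 010 operator).
BARRED_PREFIXES = {"00": "international", "0900": "premium rate",
                   "018": "directory enquiry", "010": "operator"}

def classify(number):
    # Return the barred-destination label for a dialled number, or None if allowed.
    for prefix, label in BARRED_PREFIXES.items():
        if number.startswith(prefix):
            return label
    return None

def parse_cdr(text):
    """Parse the CSV layout above into a list of call dictionaries."""
    records = []
    for line in text.strip().splitlines():
        ts, source, number, duration = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "source": source, "number": number, "duration": int(duration)})
    return records

def analyse(records, after_hours=(18, 7), burst_threshold=3):
    """Flag calls to barred destinations and after-hours call bursts from one source."""
    findings, night_calls = [], Counter()
    for r in records:
        label = classify(r["number"])
        if label:  # a destination that call barring should have blocked
            findings.append(("barred-destination",
                             f"{r['time']} {r['source']} -> {r['number']} ({label}, {r['duration']}s)"))
        if r["time"].hour >= after_hours[0] or r["time"].hour < after_hours[1]:
            night_calls[r["source"]] += 1  # calls outside 07:00-18:00
    for source, count in night_calls.items():
        if count >= burst_threshold:
            findings.append(("after-hours-burst", f"{source}: {count} calls outside business hours"))
    return findings
```

Run `analyse(parse_cdr(SAMPLE_CDR))` to see the four barred-destination calls and the late-night burst from the voicemail port that the sample records contain.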

Remember, if you have any questions regarding your own particular PABX, contact your PABX vendor in the first instance for advice on securing your system.


Last Updated 28 Sep 2011