The first quarter of this year has seen a 400% increase in phone fraud, according to the Telecommunications Industry Group (TIG), an association that numbers Telecom and Vodafone among its members.
Ten companies a week are having their PABX systems attacked by international hackers, who then make out-bound calls to premium pay numbers they've set up in North Africa or Europe.
The numbers often cost $US15 a minute, and the attacks often happen in the evening or weekends - so a business can be ripped off to the tune of thousands before it realises anything’s amiss.
Dialing for dollars
TIG chief executive Rob Spray told NBR the average company lost $10,000 to phone system hackers. But his organisation is also aware of cases where businesses have been stung for between $20,000 and $50,000.
Mr Spray has a big-picture reason for the jump in phone fraud.
Traditionally, only big companies could afford their own PABX (private automatic branch exchange; the system that connects your organisation’s phones, faxes - and these days often PCs - to a phone company’s network, and often handles features like voice mail).
But the rise of cheaper digital or “IP” (internet protocol) PABXes over the past five years - including software PABXes like Asterisk - has seen many smaller businesses install their own.
DIY blunders
Many have not taken basic security precautions, and many do not have call-logging options enabled - so the first they know of a fraud is when their phone company alerts them. And if the attack is after-hours, thousands of dollars worth of calls could have been racked up by then.
VoIP engineer Steve Biddle told NBR he had personally dealt with a dozen compromised phone systems over the past 12 months. All were IP-based.
“I put this down to the fact it's very simple for somebody who knows nothing about VoIP (voice over IP) to have a working IP PBX set up in probably an hour,” said Mr Biddle.
“Unfortunately this has led to many people who know very little setting up their systems in an insecure way.
“Also a growing number of ‘VoIP experts’ selling and installing VoIP solutions without understanding the implications”.
Companies that do a DIY installation do not always take basic security precautions, such as password-protecting their PABX, and every extension, Mr Biddle said.
Many leave a manufacturer's default password in place, choose an easily guessable one like “0000” or “1234” or simply have none.
This leaves a PABX open to malicious hackers, who use auto-diallers to call thousands of PABXes, looking for vulnerable systems.
Lately, the auto-diallers have been specifically targeting New Zealand, which is the immediate cause of the surge in attacks this year, Mr Spray said.
Mr Biddle said many companies did not understand that their firewall software had to be fine-tuned to allow internet access to their IP-based PBX from their VoIP provider(s), but no one else.
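The two gaps described above - extensions left with default, trivial or missing passwords, and no call logging to catch after-hours international or premium-rate calls - are both things a small business can check itself. The script below is an added example, not code from the article or from any PABX vendor: it audits a constructed sip.conf-style peer list (the layout follows Asterisk chan_sip conventions; the peers and secrets are made up) and then scans constructed call detail records for answered calls to international (00-prefixed) or New Zealand 0900 premium numbers, marking which fell outside business hours and estimating exposure at the $US15-a-minute figure cited in the article as a worst case. The field order of the CDR rows is an assumption of this example.

```python
import re
from datetime import datetime

# --- Constructed sample configuration (not from the article) -------------
SAMPLE_SIP_CONF = """
[general]
context=default

[101]
type=friend
secret=1234
context=internal

[102]
type=friend
secret=
context=internal

[103]
type=friend
secret=Xk7!pq9Lm2vB
context=internal

[104]
type=friend
context=internal
"""

# Secrets the article names, plus a few common vendor defaults.
WEAK_SECRETS = {"", "0000", "1234", "admin", "password", "123456"}


def parse_sip_conf(conf_text):
    """Parse an INI-style peer file into {section: {key: value}}."""
    peers = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            peers[current] = {}
            continue
        if current and "=" in line:
            key, _, value = line.partition("=")
            peers[current][key.strip()] = value.strip()
    return peers


def audit_sip_secrets(conf_text):
    """Return (peer, reason) for every extension with a missing or weak secret."""
    findings = []
    for name, opts in parse_sip_conf(conf_text).items():
        if name == "general":
            continue
        secret = opts.get("secret")
        if secret is None:
            findings.append((name, "no secret configured"))
        elif secret.lower() in WEAK_SECRETS:
            findings.append((name, "weak or default secret"))
        elif len(secret) < 8 or secret.isdigit():
            findings.append((name, "short or all-digit secret"))
    return findings


# --- Constructed call detail records (src, dst, local start, billsec, disposition)
SAMPLE_CDR = [
    ("101", "6494001234",     "2010-08-17 10:15:02",  120, "ANSWERED"),
    ("102", "00212600123456", "2010-08-14 23:41:10", 1800, "ANSWERED"),
    ("102", "00212600123457", "2010-08-14 23:43:05", 1750, "ANSWERED"),
    ("102", "0900123456",     "2010-08-15 02:10:44",  600, "ANSWERED"),
    ("103", "6493001000",     "2010-08-16 14:05:00",   45, "ANSWERED"),
]

PREMIUM_RATE_PER_MIN = 15.0  # US$/min worst case quoted in the article


def is_after_hours(ts):
    """Weekend, or weekday outside 08:00-18:00 local time."""
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18


def classify_destination(number):
    """NZ dialling: 00 = international prefix, 0900 = premium rate."""
    if number.startswith("00"):
        return "international"
    if number.startswith("0900"):
        return "premium"
    return "domestic"


def flag_suspicious_calls(cdr_rows):
    """Flag answered international/premium calls with an estimated cost."""
    flagged = []
    for src, dst, start, billsec, disposition in cdr_rows:
        if disposition != "ANSWERED":
            continue
        kind = classify_destination(dst)
        if kind == "domestic":
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        flagged.append({
            "src": src, "dst": dst, "kind": kind, "start": start,
            "after_hours": is_after_hours(ts),
            "est_cost": round(billsec / 60 * PREMIUM_RATE_PER_MIN, 2),
        })
    return flagged


def exposure_by_extension(flagged):
    """Sum estimated cost per originating extension."""
    totals = {}
    for f in flagged:
        totals[f["src"]] = totals.get(f["src"], 0.0) + f["est_cost"]
    return totals


if __name__ == "__main__":
    for peer, reason in audit_sip_secrets(SAMPLE_SIP_CONF):
        print(f"extension {peer}: {reason}")
    calls = flag_suspicious_calls(SAMPLE_CDR)
    for c in calls:
        print(c)
    print("estimated exposure:", exposure_by_extension(calls))
```

Run against the sample data, the audit flags extensions 101, 102 and 104, and the CDR scan shows a single extension (the one with an empty secret) placing roughly $1,000 of after-hours international and 0900 calls in one weekend, which is the pattern the article describes. On a real system the same logic would be run nightly over the PABX's own CDR export and the peer file, with an alert when any extension's estimated exposure crosses a threshold.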
Bad guys unlikely to be caught
TIG considers that education and better security practices are the answer. There have been some instances of arrests overseas - one Filipino ring was caught after taking US companies for $US52 million over a year - but ultimately there is not much New Zealand law enforcement authorities can do about a hack perpetrated from Kazakhstan.
In his consultancy work, Mr Biddle has found attacks closer to home: “I've also personally come across large numbers of calls made to an 0900 number in New Zealand that was associated with an online betting agency in Asia, which allowed the fraudster to top up an online account.”
Victims liable, telcos not
Mr Spray said a company with an insecure PABX was liable for any loss to fraudsters. His members (who include Telecom and Vodafone) had to pay international operators for any calls that were placed.
The TIG chief executive recommends a company worried about its PABX get its IT contractor, or the company that installed the PABX, to run a security audit.
A list of security tips has also been placed on TIG’s website.
Chris Keall
Fri, 20 Aug 2010