Saying ‘yes-yes’ to phone system protection

To say that Dr. Jeremy Orgel experienced “sticker shock” when he opened his February long-distance phone bill grossly understates the matter.

Orgel, a San Francisco psychoanalyst and physiotherapist, normally spends approximately US$100 per month on long-distance calls. But here was a bill for more than US$20,000.

“The hours of collect calls that had been charged to me were astounding,” he said.

Orgel’s service provider, AT&T Corp., said he was a victim of the “Yes-Yes” voice mail fraud. In early January, somebody cracked the doctor’s voice mail password and changed his greeting to say “yes” repeatedly. Whenever a collect call reached the mailbox, the recorded “yes” answered the operator’s or automated system’s prompt to accept the charges, so the altered greeting let fraudsters bill long-distance calls to his account. The February bill included 6,500 minutes of conversation out of Saudi Arabia.

Orgel isn’t alone. Other San Francisco professionals were hit by Yes-Yes. Most victims run small shops. Some saw their long-distance bills climb into the tens of thousands of dollars.

If the fraudsters were able to scam so many long-distance calls from small operations, imagine what damage these thieves might have caused an enterprise. “If a company runs its own PBX, it is a target,” said Joseph Seanor, Washington, D.C.-based security consulting manager with Avaya Inc.’s enterprise security practice.

So how can companies help protect themselves?

Delete the default accounts that ship with the PBX – “system,” “admin,” and “remote” among them – or, where the system will not let you remove them, rename them and assign strong passwords. These accounts come with simple, well-known passwords that are easy to guess, and leaving them in place exposes the system to anyone who knows the vendor defaults.

Pay attention to voice mail greetings, advised Elon Bailey, a manager at AT&T’s global fraud management organization. She said telecom managers should check frequently to make sure the auto attendant says what the company wants it to say, and not “yes” repeatedly, for example.

“If voice mail or PBX systems have out-dialling capabilities through the auto-attendant…consider disabling it,” Bailey said, pointing out that phone hackers might learn the dial-out code and charge long-distance calls to the company.

Watch for unusual activity in PBX logs. Call detail records show how many calls took place, their duration, their destinations and their origins; reviewed regularly, they establish a baseline against which bursts of collect calls, after-hours traffic or calls to countries the business never dials stand out, so that network managers can flag potential hacker activity before the bill arrives.

Follow through on security plans. “Customers…get a 400 or 500-page report from the consultant saying, ‘Here’s all your vulnerabilities,'” Seanor said.

Limit user access. “You can cut off people from having access from certain phones to certain locations in the world,” said Barry Brock, director, information technology services at Algonquin College in Ottawa.
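The log review and the access limits described above can be turned into a small triage routine. The following Python is an added example, not code from the article or from any PBX vendor: the call detail record (CDR) layout, the extension names, the class-of-service tables and the sample records are all constructed for illustration. It flags outbound calls that an extension’s class of service does not permit (the “certain phones to certain locations” restriction, with the auto-attendant port given no out-dial rights at all), totals collect minutes accepted per extension, and lists after-hours international calls. A deliberately permissive policy is included alongside the restricted one to show what the check misses when every extension may dial anywhere.

```python
"""Toll-fraud triage over PBX call detail records (CDRs).

Added example. The CDR format below (timestamp,extension,direction,number,
seconds) is an assumption for illustration, not any vendor's actual layout;
every record is constructed, not captured from a real switch.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs. "collect" means the switch accepted the charges for
# an incoming collect call; "vm" is the voice mail / auto-attendant port.
SAMPLE_CDRS = """\
2001-02-03T02:14:00,vm,collect,+966501234567,3600
2001-02-03T02:20:00,vm,collect,+966501234568,5400
2001-02-03T03:02:00,vm,collect,+966501234569,4200
2001-02-03T03:10:00,vm,out,+966501234570,2400
2001-02-03T09:12:00,201,out,+14155550123,240
2001-02-03T10:05:00,201,out,+14155550199,180
2001-02-03T14:30:00,203,out,+442079460000,600
2001-02-03T23:50:00,203,out,+5491155550000,1800
"""

# Small E.164 country-code table (assumed subset, not a complete list).
COUNTRY_CODES = ("966", "54", "44", "1")

# Restricted class of service: which country codes each extension may dial.
# The auto-attendant port gets an empty set, i.e. out-dialling disabled.
COS_ALLOWED = {
    "201": {"1"},         # North America only
    "203": {"1", "44"},   # North America and the UK
    "vm": set(),          # auto-attendant may not dial out at all
}

# Weak policy for comparison: every extension may reach every known country.
PERMISSIVE_POLICY = {ext: set(COUNTRY_CODES) for ext in ("201", "203", "vm")}


def country_code(number):
    """Longest matching country-code prefix of an E.164 number, or None."""
    digits = number.lstrip("+")
    for cc in sorted(COUNTRY_CODES, key=len, reverse=True):
        if digits.startswith(cc):
            return cc
    return None


def parse_cdrs(text):
    """Parse the constructed CSV-style CDR lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, direction, number, seconds = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "direction": direction,
            "number": number,
            "minutes": int(seconds) / 60,
            "cc": country_code(number),
        })
    return records


def policy_violations(records, policy):
    """Outbound calls to a country the extension's class of service forbids.

    An unknown destination (cc None) or an extension missing from the policy
    is treated as forbidden, so the check fails closed.
    """
    return [r for r in records
            if r["direction"] == "out"
            and r["cc"] not in policy.get(r["ext"], set())]


def collect_minutes_by_ext(records):
    """Total collect-call minutes accepted, per extension."""
    totals = defaultdict(float)
    for r in records:
        if r["direction"] == "collect":
            totals[r["ext"]] += r["minutes"]
    return dict(totals)


def off_hours_international(records, start=22, end=6):
    """International calls (outside country code 1) placed between start and end."""
    flagged = []
    for r in records:
        hour = r["time"].hour
        if r["cc"] != "1" and (hour >= start or hour < end):
            flagged.append(r)
    return flagged


def triage(text, policy=COS_ALLOWED, collect_limit=60):
    """Run all three checks and return a compact report."""
    records = parse_cdrs(text)
    collect = collect_minutes_by_ext(records)
    return {
        "policy_violations": [(r["ext"], r["number"])
                              for r in policy_violations(records, policy)],
        "collect_over_limit": {e: m for e, m in collect.items()
                               if m > collect_limit},
        "off_hours_international": [(r["ext"], r["number"])
                                    for r in off_hours_international(records)],
    }


if __name__ == "__main__":
    for name, pol in (("restricted", COS_ALLOWED), ("permissive", PERMISSIVE_POLICY)):
        print(name, triage(SAMPLE_CDRS, policy=pol))
```

With the restricted policy the report flags the auto-attendant’s out-dial to Saudi Arabia and extension 203’s call to Argentina, reports 220 collect minutes accepted on the voice mail port, and lists all five after-hours international calls; with the permissive policy the policy check returns nothing, which is exactly the gap an unrestricted PBX leaves open. The collect-minute threshold and the after-hours window are assumptions to tune against a site’s own baseline.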