Phreakers are still at it.
Plummeting long-distance phone rates and free calls via VoIP still haven’t removed the economic incentive for voicemail hacking, known to industry insiders as “phreaking”, as a way to make free long-distance calls.
SMB companies with PBX/switchboard systems are typically the targets for this type of fraud, although residential customers are also victimized with some frequency, says Jim Johannsson, spokesman for Vancouver-based carrier Telus. “Average losses per event are about $7,000,” says Johannsson, adding that losses can be higher depending on how quickly the fraud is detected.
Telus’ Corporate Security Fraud Management Centre uses telco-specific pattern analysis software to detect and investigate abnormal calling patterns, and contacts customers when fraud is suspected. According to Telus estimates, the centre saved its customers a total of $1.5 million in 2005.
Noting a recent increase in incidents, the centre issued a number of tips to help customers protect themselves.
As in other IT spheres, fraudsters exploit people’s tendency to use simple passwords such as 1111 or default manufacturers’ passwords to hack into voicemail systems. They also exploit system features like call-through dialing, which is designed to allow a mailbox owner to dial in from an off-site location to make calls from a work line. Fraudsters typically call after hours and use a company’s automated answering system to troll for vulnerable mailboxes.
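The pattern described above (after-hours calls placed through a mailbox’s call-through feature to overseas numbers) is the kind of thing the carrier’s pattern analysis flags. The following is an added example, not Telus’ software: a small detector over constructed call detail records (CDRs) that a telecom manager could run against a PBX export. The CDR layout, the `callthru` route label, the business-hours window and the minutes threshold are all assumptions.

```python
"""Toy toll-fraud detector over call detail records (CDRs).

Added example, not Telus' software. It flags after-hours outbound
international calls placed through a mailbox's call-through feature and
totals the minutes per mailbox. Record format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed CDRs: timestamp, originating mailbox/extension, route, dialed number, minutes.
CDRS = [
    "2006-02-13T14:05 ext2101 desk 6045551234 3",
    "2006-02-14T02:10 mb3120 callthru 01143155512345 18",
    "2006-02-14T02:31 mb3120 callthru 01143155598765 22",
    "2006-02-14T03:02 mb3120 callthru 01123455512345 40",
    "2006-02-14T09:15 mb3120 callthru 4165550199 4",
    "2006-02-15T23:40 mb2210 callthru 01144207955512 6",
]
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local, Monday to Friday (assumed)
INTL_PREFIX = "011"             # North American international dial prefix
MINUTES_THRESHOLD = 30          # after-hours international minutes per mailbox (assumed)

def parse_cdr(line):
    when, origin, route, number, minutes = line.split()
    return datetime.fromisoformat(when), origin, route, number, int(minutes)

def is_after_hours(ts):
    # Weekend, or outside the business-hours window on a weekday.
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def suspicious_calls(lines):
    """Return after-hours call-through calls to international numbers."""
    hits = []
    for line in lines:
        ts, origin, route, number, minutes = parse_cdr(line)
        if route == "callthru" and number.startswith(INTL_PREFIX) and is_after_hours(ts):
            hits.append((origin, ts, number, minutes))
    return hits

def alerts(lines, threshold=MINUTES_THRESHOLD):
    """Mailboxes whose suspicious minutes exceed the threshold, with their totals."""
    totals = defaultdict(int)
    for origin, _, _, minutes in suspicious_calls(lines):
        totals[origin] += minutes
    return {mailbox: mins for mailbox, mins in totals.items() if mins > threshold}

if __name__ == "__main__":
    for mailbox, mins in alerts(CDRS).items():
        print(f"review mailbox {mailbox}: {mins} after-hours international minutes")
```

A single short overseas call at night (mb2210 above) stays below the threshold, so the output is a review list for the telecom manager, not a block; the mailbox with a burst of long international calls at 2 a.m. is what gets surfaced.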
Sometimes they use social engineering, masquerading as a phone company’s technician, says Johannsson. Fraudsters will call switchboard operators, claiming they’re conducting tests on the line, and ask them to dial 9 and the pound key.
“When you transfer a call like this, fraudsters can seize the phone trunk and connect all kinds of calls to it,” says Johannsson, adding that legitimate technicians never ask for this kind of “test”. This type of trunk access fraud can be particularly costly to a business, he says.
Overseas destinations for fraudulent calls are areas well-known for other types of cybercrime – Africa, Eastern Europe and the Middle East – but Austria is also a hotbed of phreaking activity, for unknown reasons, says Johannsson.
Telus and other telcos have been working together for years to clamp down on toll fraud, and the net losses have declined over time. “But the number of fraud attempts is increasing, although fewer are successful,” says Johannsson.
Industry experts speculate the recent surge in voice mail fraud may be due to the downsizing of many IT departments at the customer end, leaving inexperienced IT staff to cope with telecom management. “There’s no question the experienced telecom manager of yore is becoming a rare breed,” says Stefan Dubowski, an analyst at Decima Reports, an Ottawa-based technology research firm. “If you look at Telus’ tips, they are all fundamental security measures.”
The true number of voicemail hacking incidents is higher than reported. “The problem is companies don’t want to reveal it’s happened to them. From our research, the figure is 100 times [the reported number],” says Roberta Fox, a senior partner at the Toronto-based Fox Group, a telecom consultancy.
Dubowski agrees incidents are under-reported. “Companies that have been hacked would have trouble explaining it to their customers.”
Fox points out that getting redress from telcos for hacks can be a long, drawn-out process. “If someone comes in via the voicemail system and uses the trunk, that’s where it costs you – not just in money, but in time and effort going to telcos to make the case that you didn’t make those calls,” she says.
In the past, some carriers have appeared reluctant to take care of these situations, says Dubowski. “Telus seems to be taking a proactive approach and I like that,” he says. But he adds that IT managers can only rely on carriers and their fraud detection software to a point. “It still comes down to the IT department and enterprise control to prevent it.”
Weary IT managers may sigh at the thought of screwing down security in yet another area. “I would encourage companies to have diligent voicemail practices in place even if end users don’t like it,” says Fox. “Better to do it right than to go through the pain of going after refunds and credits.”