
CPE/PBX Fraud Management Checklist

An Overview of Key CPE/PBX Fraud Management Controls

AssuringBusiness all rights reserved


Every business user of PBX, IVR, voicemail and other telecommunications equipment, products and services is exposed to telecoms fraud. There's no need to wait for the bang. Take some immediate steps to control the risk; use this guide and checklist to start and defuse the problem.
Problem Snapshot

Many businesses utilise telecoms equipment for their offices and customer contact channels, such as PBX/PABX (Private Branch Exchange), Voicemail and Interactive Voice Response (IVR) systems; collectively CPE (Customer Premises Equipment), as it is known in the telecoms industry. But many do not realise how these systems might expose them to significant losses from telecoms fraud.

Fraud attacks can affect all enterprises: corporates, government and SMEs; in fact anyone who utilises CPE/PBX, even home-based consumers. Direct costs typically run from US $10k to $100k, but can run to millions of dollars on a single major attack. The really scary part is that, in most cases, the user will be liable for the charges incurred; CPE/PBX users are generally held responsible for its security and operation. These charges are huge when including fraud, and you'll be lucky to get any waiver from your telecoms service provider.

In the main, CPE/PBX frauds focus on trafficking illicit international or premium rate calls. But depending on the nature of the attack, the direct losses are not the only issue. Often an attack can cause business operations to grind to a halt, affecting sales and revenues. Or customers may be turned away because of IVR or voicemail hacking. There are many attack variants, each with different impacts. Go to www.assuringbusiness.com and follow the links to CPE Fraud Business Impact for more detailed information on how your business might be attacked and affected.

This Guide & Checklist

This document provides a very brief overview of some risk management steps to consider, and a checklist to help steer the way. However, it's important to know that every business environment is different, and so this document is merely a high-level guide covering some of the common challenges and management opportunities. Every business should examine its own specific risks and control opportunities in detail to arrive at a plan that tackles its specific issues comprehensively.

Businesses need to be informed of their risks, and active in their risk management practices. Failure to review, plan and act on such risks can lead to significant economic loss, and the possibility of critical business disruption. Why take the risk?

AssuringBusiness is here to guide and advise in all of your CPE/PBX fraud management activities, and to provide the tools to help. Drop us a line at ask@assuringbusiness.com if you'd like a little more information on what we can do to help you defuse the problem.

Dean Smith
CEO, AssuringBusiness
Partnering in Profitability


Failure to act proactively to prevent, detect and manage telecoms fraud can have a devastating economic and operational effect.
CPE Fraud Management: Six Key Steps
1. Review access security protocols. Request information from the CPE supplier and/or maintainer regarding the exact nature of the security protocols deployed on the CPE/PBX, ensuring that common or easily guessed access credentials are NOT used on any channel. The business should determine whether the access controls are consistent with its own security policies or expectations. Ideally, multi-factor access controls should be deployed, incorporating some form of one-time password token.

2. Configure the CPE/PBX to reduce risk. Work with the telecoms manager and system maintainer to review and deploy sensible CPE configurations and options to limit risk. Consider what features the business really needs and the nature of user interface controls such as PINs. Continuously review and audit this configuration to identify changes that may present a risk.

3. Monitor usage, or seek protection. Investigate fraud and usage monitoring options on the CPE itself (e.g. utilising the call records and logs generated by the CPE). But also check with the network operator/service provider: they may offer a fraud protection service, or may consider introducing one if demand is sufficient. Businesses may also consider creating their own fraud control software if they have access to the appropriate data.

4. Deploy specialist anti-fraud tools. Consider the deployment of special fraud control platforms as an adjunct to the CPE, ideally to prevent fraud opportunities, or utilise a call-accounting package that provides fraud monitoring reports. These tools take many forms and may be available via the CPE provider or direct from specialist vendors.

5. Understand liability. Check the terms and conditions of service and supply in all aspects of the telecoms environment (hardware, connectivity, usage etc.) to determine liability for issues should they occur. Businesses should be aware of the risks, and these may be tracked in their enterprise risk management or Business Assurance plan.

6. Review telecoms service billing. Check all service bills thoroughly to determine whether the business has fallen victim to fraud (or other over-charging) that has not been detected. Pay particular attention to higher-cost services, or unusual service usage patterns. Most network operators/service providers have standard processes for managing enquiries or claims for fraud if the business believes it has been a victim.


Checklist

Ownership, Policy and Awareness

- Make somebody, perhaps the Telecoms or IT Security Manager, responsible for maintaining the security of your CPE/PBX platforms. Ensure that they develop a good understanding of the risks and management opportunities.
- Ensure you have a company telecoms security and user policy and that it is communicated effectively. The policy should align with existing security and employee policies.
- Understand your liability in case there is fraud. Plan ahead. Track the risk on the Enterprise Risk Management or Business Assurance plan.
- Educate your employees on the fraud potential; show them what to look out for and how they can help, including how to spot social engineering and similar con artists. In particular, watch out for bogus callers asking to be connected to the switchboard operator while posing as a company employee, for collect calls, and for requests for information from pseudo officials.
- Treat internal telephone directories, user guides, system administration manuals and system admin reports as confidential information. Dispose of them securely.
- Strictly control access to the equipment itself. Not only could it be configured for fraud, but circuit boards and components are high-value commodities susceptible to theft.

Access and Feature Control and Use

- Strictly control access to your system's remote maintenance port. Use multi-factor authentication and one-time password tokens where possible.
- Ensure that any system passwords are changed after installation (often default codes are left in place) and that these are changed regularly, preferably monthly, and when personnel change.
- Ensure that passwords/access credentials are considered and formatted to enhance security (e.g. no repeats or sequences, adequate length and character mix, no easy-to-guess or common formats etc.). The structure should align with the security principles of your other sensitive systems.
- Always protect any necessary risky features with PIN/access codes (the longer the better) and do not allow easy-to-guess PINs/codes.
- Avoid using tones to prompt for PIN entry; many hacking programs listen for this.
- Secure the storage and distribution of PINs, passwords etc. within your company.
- Prompt voicemail users to record daily greetings; it will be easier to spot seized mailboxes.
- Lock surplus mailboxes until they are allocated to users.
- When employees leave, disable their services, lock their mailboxes and revoke all system access codes.

The CFCA estimates CPE/PBX Fraud to be costing around US $4.42 billion annually. In the same survey, the total global losses to telecoms fraud are estimated to be US $46.3 billion, a year-on-year increase of 0.21% from 2011.

CPE Configuration

- De-activate all unnecessary features. Only enable what you really need. Especially consider deactivating DISA (Direct Inward System Access) and voicemail features that allow calls to be routed/diverted through your systems.
- Bar calls to international and Premium Rate Service (PRS/Audiotext) numbers and common Revenue Share destinations as standard. Allow access only on specified business need.
- Ensure that automated answering equipment does not allow access to dial tone.
- Look for telephone extensions diverted to long-distance or international destinations (particularly those not in use for long periods). A local call to the extension will onward-connect.
- Implement controls to ensure that new system features or changes to the existing configuration do not compromise security.
- Review system configuration and security regularly. Follow up on any irregularities.

Monitoring and Control

- Always check your CPE usage logging reports or itemised bills for suspicious activity and investigate anomalies. Remember that a total absence of usage is also suspicious where some activity is expected.
- Review CPE/PBX audit logs to monitor and identify high-risk configuration or security changes or events.
- Some systems allow alarms to be raised if usage exceeds a defined parameter, e.g. call duration. If available, use these facilities to monitor and/or block suspicious activity.
- Consider using call-accounting packages or specialist fraud control bolt-on tools to proactively prevent and/or detect fraud attacks.
- Have clearly defined and communicated reporting and response mechanisms in place to control risks, including outside office hours.
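The monitoring items above (barred destinations, call-duration alarms, out-of-hours usage and the "absence of usage" check) can be run over the call detail records a PBX already produces. The following is an added example, not code from this document or from AssuringBusiness; the CDR layout, the barred prefixes, the hour window and the duration threshold are assumptions standing in for whatever your own configuration and policy define.

```python
from datetime import datetime

# Constructed sample CDRs: (extension, start time, dialled number, duration in seconds).
# Numbers and extensions are made up for this example.
SAMPLE_CDRS = [
    ("201", "2024-03-04 09:15:00", "02079460001", 180),
    ("201", "2024-03-04 14:02:00", "02079460002", 420),
    ("202", "2024-03-04 11:30:00", "0041227000000", 60),
    ("203", "2024-03-05 02:17:00", "0099123456789", 5400),
    ("203", "2024-03-05 02:50:00", "0099123456790", 4800),
    ("204", "2024-03-05 10:05:00", "0909123456", 900),
]
# Extensions that should show some traffic in the reporting window (assumed).
EXPECTED_ACTIVE = {"201", "202", "203", "204", "205"}

# Assumed barring policy: international (00) and UK premium-rate style prefixes,
# with one international prefix allowed on business need.
BARRED_PREFIXES = ("00", "0909", "0870")
ALLOWED_INTERNATIONAL = ("0041",)
MAX_DURATION_S = 3600          # assumed call-duration alarm threshold
OFFICE_HOURS = (8, 18)         # assumed: 08:00-18:00, Monday to Friday


def classify(ext, start, number, duration):
    """Return the list of flags for one CDR; an empty list means unremarkable."""
    flags = []
    ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    if number.startswith(BARRED_PREFIXES) and not number.startswith(ALLOWED_INTERNATIONAL):
        flags.append("barred-destination")
    if duration > MAX_DURATION_S:
        flags.append("long-duration")
    if not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]) or ts.weekday() >= 5:
        flags.append("out-of-hours")
    return flags


def analyse(cdrs, expected_active):
    """Flag suspicious CDRs and extensions that were silent when usage was expected."""
    alerts = []
    seen = set()
    for ext, start, number, duration in cdrs:
        seen.add(ext)
        flags = classify(ext, start, number, duration)
        if flags:
            alerts.append((ext, number, flags))
    # A total absence of usage is also suspicious where some activity is expected.
    for ext in sorted(expected_active - seen):
        alerts.append((ext, None, ["no-usage"]))
    return alerts


if __name__ == "__main__":
    for ext, number, flags in analyse(SAMPLE_CDRS, EXPECTED_ACTIVE):
        print(f"ext {ext} -> {number or '(no calls)'}: {', '.join(flags)}")
```

Against the sample records this reports the two overnight, over-an-hour international calls from extension 203, the premium-rate call from 204, and the silence of 205; the allowed 0041 call from 202 is not flagged.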

About AssuringBusiness

AssuringBusiness delivers Business Assurance Solutions and Services. Operating globally, we are a Business Assurance thought-leader. Business Assurance manages risk whilst leveraging organisation, technology and operations to enable sustainable business growth, performance and profitability. Good Business Assurance does not slow an enterprise down; it helps it move faster, strengthening revenues, reducing costs and enhancing customer experience while maintaining a sensible risk balance.

AssuringBusiness expertise is often combined with established and specialised technologies, or simply applied to improve existing business infrastructure and processes. Our innovative yet pragmatic approach is profiting our clients by millions of dollars every year. Offerings include advisory, right-sourcing and human capital services alongside a rich portfolio of leading-edge technologies, some in collaboration with other dynamic vendors to further optimise client investment. AssuringBusiness senior resources have been applying their specialised domain knowledge, including supporting the fight against CPE/PBX fraud around the world, for over 24 years.

If your business would like to understand its telecoms risks, raise fraud awareness, or put in place a risk management strategy, drop us a line at ask@assuringbusiness.com, or go to www.assuringbusiness.com to learn more.


Business Assurance Solutions and Services Revenue Assurance | Fraud Management | Receivables Management | Security

www.assuringbusiness.com ask@assuringbusiness.com
Offices or representatives: London | Mumbai | Singapore | Kuala Lumpur | Dubai | Sao Paulo | Washington DC

