
Telephone System Security Best Practice

CONTENTS

Toll Fraud
  Toll Fraud over hacked voicemail systems
  Industry best practices
  The Firewall Approach
  General Rules

Toll Fraud

Toll Fraud over hacked voicemail systems

Over recent months the telecom industry has received many reports of increased
hacking activity, where customers are reporting that they are being billed for Premium
Rate or International telephone calls fraudulently made through their telephone systems.

This attack involves hackers accessing your telephone system via system options that
eventually permit them to place either Premium Rate or International calls.

These hackers most often call a business after hours using software known as a war
dialler. This allows them to categorise your telephone lines and decide how best to
attack your telephone system, whether via its automated answering system, vulnerable
voicemail boxes or unsecured telephone lines (DISA). Experienced hackers sometimes
recognise the equipment they are calling by its prompts and know the equipment’s
default passwords, allowing them access to mailboxes whose passwords were never
changed (or they will try guessing simple passwords such as 1234 and 1111).

It is imperative for you to protect yourself against this type of fraud by ensuring your
telephone system and voicemail equipment is safeguarded and your employees are
educated about password security best practices.

If you own your telephone and voicemail systems, you are responsible for protecting
your equipment and for any toll charges incurred through it.

Industry best practices

• Ensuring your employees change the manufacturers’ default password immediately
upon being assigned a voicemail box and frequently thereafter.

• Programming your voice mail system to require passwords with a minimum of 6
characters (8 is preferred – the more complex the password, the more difficult it
is to guess).

• Training your employees not to use easily guessed passwords such as their phone
numbers, local number, simple number combinations or patterns.

• When assigning a phone to a new employee, never make the temporary password the
employee’s telephone number.

• If possible, programme your voice mail system to force users to change their
password at least every 90 days. If not, introduce a corporate password policy
which requires them to do so.

• If possible, all forms of automated trunk-to-trunk (straight through dialling)
should be disabled. Straight through dialling allows you to make telephone calls
through your mailbox or telephone system when you are at an offsite location. If
this feature is used, it is important that you generate and monitor reports to
ensure your mailboxes are not being abused.

• Remove all unassigned mailboxes.

The above security measures are of a general nature and will not protect every aspect of
an individual telephone system – you are encouraged to contact either your maintainer
or a specialist telecom security company to discuss the unique aspects and
vulnerabilities of your telephone equipment in greater detail.

Remember that you are responsible for paying for all calls originating from, and
charged calls accepted at, your telephone, regardless of who made or accepted them.
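The password rules in the best-practice list above can be enforced at the point a mailbox PIN is set. The following checker is an added example, not code from any PBX vendor; the minimum length, the sample default-PIN list and the pattern rules are assumptions based on the guidance.

```python
# Added example: voicemail PIN policy checker reflecting the practices above.
# Not vendor code; the thresholds and the default-PIN list are assumptions.
MIN_LEN = 6                                            # minimum length the guidance asks for
DEFAULT_PINS = {"0000", "1234", "123456", "000000"}   # constructed sample of vendor defaults


def is_simple_pattern(pin: str) -> bool:
    """True for repeated blocks (1111, 121212, 123123) and digit runs (123456, 654321)."""
    n = len(pin)
    for d in range(1, n // 2 + 1):
        if n % d == 0 and pin[:d] * (n // d) == pin:
            return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})          # every step +1 (ascending) or -1 (descending)


def check_pin(pin: str, extension: str, phone_number: str) -> list:
    """Return the policy violations for a proposed PIN; an empty list means accepted."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} digits")
    if pin in DEFAULT_PINS:
        problems.append("manufacturer default PIN")
    if is_simple_pattern(pin):
        problems.append("simple digit pattern")
    # The guidance forbids PINs built from the user's own numbers.
    phone_digits = "".join(ch for ch in phone_number if ch.isdigit())
    if extension in pin or pin in phone_digits or phone_digits in pin:
        problems.append("derived from the user's extension or phone number")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "712101", "739152"):
        print(candidate, check_pin(candidate, "2101", "020 7123 2101"))
```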

The Firewall Approach

In our opinion this offers the most effective approach to telephone system security:

Deny everything – Allow nothing – Treat every opened facility as a possible
vulnerability.

General Rules

PBX

• All DISA lines should be disabled
• Call forward external from end users’ phones should be restricted
• Redirect of incoming numbers to outside numbers should be restricted
• General access phones should be limited to calling local numbers only
• Call barring levels should be assigned correctly for long distance calling
• Access to known high toll fraud areas should be restricted
• Monitor and track long distance activity using Call Detail Reports

Voice Mail

• Deny inbound calls via Auto Attendant to external numbers
• Restrict or control voicemail revert (0) – dialling to pagers and mobiles
• Restrict or control personal IVRs (dial 2 to transfer to my mobile)
• Restrict or control voicemail remote notification to pagers and mobiles
• If available, use remote notification to email to notify of voicemail messages
• End users forced to change mailbox access passwords on a regular basis
• End user password minimum length set to at least 6 digits
• Administration of mailboxes, removing any unused mailboxes
• Call barring should be used to restrict outbound access where possible

All Systems:

• Passwords should not be posted or distributed
• Passwords should be changed on a regular basis
• Passwords must be changed from default passwords
• Where possible, restrict trunk-to-trunk (inbound/outbound) call transfers
• Monitor systems using traffic and call detail reports to check calling patterns:

  • calls to unusual locations
  • high call volume
  • long call durations
  • international calls and calls to 0990 numbers
  • high traffic after business hours
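The calling-pattern checks listed above can be run over a call detail report export. This is an added example, not a tool from any PBX vendor: the CDR rows are constructed, the column layout, UK dialling conventions (00 international prefix, 0990 premium rate as named on the page), business hours and thresholds are assumptions, and the high-risk prefix set is a placeholder rather than a real list.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export (not from a real PBX); the column layout is assumed.
SAMPLE_CDR = """\
timestamp,extension,dialled,duration_s
2024-03-04 09:12:00,2101,02079460000,120
2024-03-04 23:41:10,2104,0990123456,900
2024-03-05 02:15:33,2104,0020212345678,2400
2024-03-05 02:40:05,2104,0020212345679,2100
2024-03-05 03:05:00,2104,0020212345680,1950
2024-03-05 03:30:00,2104,0020212345681,1900
2024-03-05 03:55:00,2104,0020212345682,2000
2024-03-06 10:00:00,2103,0033123456789,600
"""

# Assumptions: UK dialling (00 = international, 0990 = premium rate); placeholder prefixes.
HIGH_RISK_PREFIXES = {"0020"}      # constructed placeholder, not a real high-fraud list
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59, Monday to Friday
LONG_CALL_S = 1800                 # flag calls of 30 minutes or more
MAX_CALLS_PER_EXT = 5              # flag an extension above this many calls in the report

def analyse_cdr(text: str) -> list:
    """Return one finding per suspicious call, plus a volume finding per busy extension."""
    findings, per_ext = [], Counter()
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        number, seconds, ext = row["dialled"], int(row["duration_s"]), row["extension"]
        per_ext[ext] += 1
        reasons = []
        if number.startswith("00"):
            reasons.append("international")
        if number.startswith("0990"):
            reasons.append("0990 premium rate")
        if any(number.startswith(p) for p in HIGH_RISK_PREFIXES):
            reasons.append("high-risk destination")
        if seconds >= LONG_CALL_S:
            reasons.append("long duration")
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            reasons.append("after hours")
        if reasons:
            findings.append({"time": row["timestamp"], "ext": ext, "number": number, "reasons": reasons})
    for ext, count in per_ext.items():
        if count > MAX_CALLS_PER_EXT:
            findings.append({"time": None, "ext": ext, "number": None,
                             "reasons": [f"high call volume ({count} calls)"]})
    return findings
```

Run against the sample, the single daytime local call passes and every after-hours international or 0990 call from extension 2104 is flagged, followed by a volume finding for that extension.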
