The New York Times recently published an article that told frightening tales of companies falling victim to hackers engaged in telephone toll fraud, and getting stuck with huge phone bills as a result. Here’s how the story begins:
Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time.
“I thought: ‘This is crazy. It must be a mistake,’ ” Mr. Foreman said.
It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill, according to a complaint it filed with the Federal Communications Commission.
As that tab from a single weekend indicates, the phone hacking problem is massive in scope. The NYT story, citing figures from the Communications Fraud Control Association (CFCA), says it costs businesses $4.73 billion globally last year. I could not verify that figure (although I saw lots of other news sources repeating it, and quoting the Times story). It appears to me the figure is actually much larger.
The CFCA’s 2013 Global Fraud Loss Survey puts the figure at $46.3 billion, or slightly more than 2% of all global telecom revenues. That’s up from $40.1 billion in the 2011 survey but down from the $60+ billion reported in both 2005 and 2008. (Note: you have to fill out a registration form to get the report. When you submit, it brings you back to a blank form, which may lead you to believe it didn’t work. Actually, they’ll email you the report – so you don’t need to fill out the form three times like I did.)
At the risk of piling on the NYT, its story also says nothing about how to prevent toll fraud which, it seems to me, would be of some interest to companies that are not interested in getting huge phone bills due to phone hacking. To get to the bottom of that I talked with David Tipping, Vice President and GM of Sonus Products. Sonus makes session border controllers (SBCs), which help secure the very type of IP-based voice connections that are at the heart of the problem.
Anatomy of an IP phone hack
To understand how to prevent a phone hack, it’s helpful to understand how the hacks work. Essentially, hackers just ping random IP addresses on the Internet looking for responses that indicate the address is attached to an IP-PBX, Tipping says. The response to the ping will indicate which brand of IP-PBX it is and from there the hackers are in business, as there’s no shortage of scripts readily available on the Internet describing how to break into various IP-PBX platforms.
Once they get access, hackers can profit in at least a couple of ways. One is to set up Web sites offering international calls at discount rates. The hackers take in money from site visitors and complete their calls through the compromised PBXs, leaving the PBX owner with the bill.
Another scheme, outlined in the NYT story, involves hackers leasing premium rate phone numbers, typically used for adult entertainment, psychics and the like, from one of many Web services. For each call placed to the service, the lessee gets a percentage of the revenue. Once hackers compromise a PBX, they use auto-dialers to place hundreds of calls to the services, pocketing a nice chunk of change for each call and, again, sticking the PBX’s owner with the tab.
How SBCs help prevent toll fraud
Companies can protect against such hacks by using a Session Border Controller, which protects SIP-based communications sessions – the type IP-PBX calls use. In this scenario, the SBC helps in two big ways, Tipping says.
First, when hackers ping the IP address of the IP-PBX, they will get a response from the SBC, not the PBX. “The hackers will have no insight into what’s inside those corporate walls,” he says. “Hackers are not exceptionally hard workers. If they come across an IP address that’s protected, they’ll move on to all the others that aren’t.”
While that is typically enough to protect against hacks from outside, SBCs provide an additional level of protection by enabling users to put rules in place that match their calling patterns. If the company never needs to call certain countries, for example, it can apply rules to disallow any calls to those countries. Similarly, companies can configure rules for number of calls per hour, or by time of day and days of the week. This will be effective in preventing an inordinate number of calls in a compressed timeframe, typically at night or over the weekend when no employees are around to detect nefarious behavior.
Of course this is just one of the benefits of an SBC. Check out our previous coverage to learn more about how SBCs can help you deliver secure, high-quality videoconferences and some key questions to ask when buying an SBC.