CCI has received three reports of phone hacking from clients in just the last few weeks. In one instance, a VoIP system was hacked by an overseas entity and in the space of only a few days the charges ran to more than $150,000. In another, nearly 1,000 calls were made over just three days after a system was hacked.
Phone hacking is not currently covered under any CCI insurance policies and in most cases telecommunications providers are not liable to cover any costs incurred.
Phone hackers look for weaknesses in an organisation's phone system. Once they've gained access, they dial in and make calls through the organisation's phones, usually overseas, running up substantial costs.
"Phone hacking can happen on both PABX and more modern VoIP systems," says CCI Information Security Officer, Tony Lawrence.
"It's not unlike how you or I might use an international calling card. We dial a number, enter a code and receive a dial tone to call out. Except hackers do this without authorisation and the cost of the calls is borne by the organisation whose system has been hacked."
Once a phone system has been compromised, hackers frequently on-sell calling cards in overseas countries, which are used, often by unsuspecting members of the public, to make calls. The more outgoing lines the system has available, the more people can connect and dial out, so it's easy to see how quickly charges can add up.
"This spike in reports of phone hacking from CCI clients has us concerned," says CCI Risk Consultant, Chris Hall. "Failing to recognise and manage this risk could cost clients dearly."
There are things you can do to protect your organisation from this type of criminal attack.
Keep equipment up-to-date with the latest software.
Develop and implement a password policy. Poor or weak passwords are easily cracked and put the system at risk.
Segment voice and data networks.
Ensure your firewalls (the hardware or software-based security systems that monitor information going in and out) are adequate. Hackers look for vulnerabilities in firewalls.
Follow the security measures suggested by your system provider.
Restrict Administrator access. Hackers often seek to gain administration privileges to get into the system. The fewer people with this level of access, the smaller the risk.
Consider blocking outbound calls to international numbers, especially if you only conduct business in Australia. If you need to call international numbers, block unnecessary destinations or put restrictions on who can make these calls.
Use phone logging and/or billing software. Toll fraud is difficult to detect from outside as the phone traffic appears to be authentic. Scanning for atypical call activity or billing costs may pick it up and minimise potential losses.
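As an illustration of scanning call logs for atypical activity, the following is an added example and not code from CCI or any phone system vendor. It assumes a hypothetical call log export with the columns start, extension, dialled and seconds, Australian dialling (0011 international prefix, +61 country code), business hours of 8am to 6pm on weekdays, and illustrative daily thresholds.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call log; the column layout is hypothetical, not a vendor format.
SAMPLE_CDR = """start,extension,dialled,seconds
2016-06-06T09:12:00,201,0298765432,240
2016-06-06T11:40:00,202,0011442079460000,600
2016-06-06T15:05:00,201,+61398765432,120
2016-06-08T02:01:00,299,00119995550101,3500
2016-06-08T02:02:00,299,00119995550102,3400
2016-06-08T02:02:30,299,00119995550103,3550
2016-06-08T02:03:00,299,00119995550104,3600
2016-06-08T02:04:00,299,00119995550105,3300
"""

def is_international(number):
    """True for 0011-prefixed numbers or E.164 numbers outside +61."""
    if number.startswith("+"):
        return not number.startswith("+61")
    return number.startswith("0011")

def after_hours(start):
    """Weekends, or outside the assumed 08:00-18:00 business day."""
    return start.weekday() >= 5 or not 8 <= start.hour < 18

def scan(cdr_text, max_calls=3, max_minutes=60):
    """Return one alert per day whose international usage looks atypical."""
    days = defaultdict(lambda: {"calls": 0, "seconds": 0,
                                "after_hours": 0, "extensions": set()})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not is_international(row["dialled"].strip()):
            continue  # local and national calls are out of scope here
        start = datetime.fromisoformat(row["start"])
        day = days[start.date().isoformat()]
        day["calls"] += 1
        day["seconds"] += int(row["seconds"])
        day["after_hours"] += after_hours(start)
        day["extensions"].add(row["extension"])
    alerts = []
    for date, d in sorted(days.items()):
        minutes = d["seconds"] // 60
        if d["calls"] > max_calls or minutes > max_minutes or d["after_hours"]:
            alerts.append({"date": date, "calls": d["calls"], "minutes": minutes,
                           "after_hours": d["after_hours"],
                           "extensions": sorted(d["extensions"])})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_CDR):
        print(alert)
```

The single business-hours international call on 6 June passes, while the overnight burst from one extension on 8 June is flagged on call count, minutes and time of day. The thresholds should be set from your own normal calling pattern.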
To help reduce your exposure, the Telecommunications Industry Ombudsman recommends you contact your telephone system service provider and ask them the following questions:
Can I place a hard cap on my account? This caps the amount to be paid for usage each billing period.
What can I do to make a PABX system more secure?
Can I bar international calls, or can I be given a dialer code?[ii]
When you speak to your provider we suggest you also discuss reviewing the security of your system in consultation with them.
To speak to one of our CCI Risk Consultants call the risksupport helpdesk on 1300 660 827.
This article originally appeared on the risksupport website on 14 June 2016.