Toll Fraud archives - Unified Communications: Click to talk

Sep 4 2009   1:56AM GMT

Implementing Security When It’s Too Late Is a Double-Negative



Posted by: Tony Bradley
VoIP, Unified Communications, UC, toll fraud, Security, Sipera, Adam Boone

Implementing security controls after an attack or compromise of data is like shutting the barn door after the horse has already escaped…but worse.

Getting serious about VoIP and unified communications security after the whole solution is architected and implemented is costly enough. It is generally much easier and less expensive to implement sound security practices and controls organically as a part of the solution rather than tacking them on after the fact.

Sometimes architectural and procedural decisions made without security in mind are like water under the bridge and can’t be undone. You can put security controls in place, but they won’t be as effective as they could have been if security had been a part of the initial design.

If you wait until after a successful attack or compromise of data you are just adding insult to injury. It’s a double-negative. Now, on top of the more expensive, less effective security you were going to get by not thinking of security in the first place, you also have the expense of whatever financial impact or lost revenue the attack has, plus any potential damage to the reputation and credibility of the company.

Sipera VP of Marketing, Adam Boone, talked recently about just how costly it can be to forget about VoIP and unified communications security. Boone shared a story of a client victimized by toll fraud. Attackers placed 9,000 minutes of international calls, turning the company’s normal phone bill of a couple hundred dollars into a $19,000 bill.

That’s $19,000 the company had to eat, on top of any security solutions it chose to implement to prevent similar attacks in the future. Shutting the door before the horse escaped would have saved it at least $19,000.

Is your VoIP or unified communications infrastructure secure? Are you planning to figure out the answer to that question now, or after it is compromised?

Aug 27 2009   8:49PM GMT

2.6 Million Lost Jobs Result of Communications Fraud



Posted by: Tony Bradley
communications fraud, toll fraud, Unified Communications, UC, VoIP, Security, jobs

Did I get your attention? I thought I might.

Now, let’s step back and look at the perhaps questionable or dubious math I used to arrive at this sensational conclusion.

A recent worldwide survey by the Communications Fraud Control Association (CFCA) reported that the annual loss from communications fraud is about $80 billion (USD). Assuming an annual income of $30,000 (perhaps low by United States standards, but arguably quite high by global standards), that means that companies lose the equivalent of 2.6 million employees’ annual salaries.

So, could 2.6 million more people have decent paying jobs if we got communications fraud under control? I am sure the correlation is not that direct. If more money in the corporate coffers translated to more jobs or higher paying jobs then trickle-down economics wouldn’t be such an abysmal failure.

But, money is money. Assuming your employer could save 10% or 15% of the annual communications expenses by reducing or eliminating fraud it might make that next request for a raise go a little smoother.

Forgetting employees entirely, the company has its own interests to look out for as well. I assume the corporations can find better things to do with $80 billion. Relative to the losses, the investment in the tools and technologies to secure communications and prevent fraud is small. Companies should view this report as a wake-up call of sorts and use it to build the business case for funding that VoIP / unified communications security project that is pending approval.


Jul 31 2009   8:21PM GMT

The Rising Risk of Toll Fraud



Posted by: Tony Bradley
VoIP, SIP, UC, Unified Communications, toll fraud, Security, risks

Toll fraud is not new. Toll fraud has existed in some form, more or less, since telecom providers have charged customers for placing calls. But, just as technology and the computer / Internet revolution have streamlined productivity and helped people to work more efficiently, they provide the same benefits to cyber criminals.

The convergence of voice and data that comes with VoIP and unified communications deployments means that voice networks are now accessible, and exploitable, via many of the same vectors traditionally reserved for attacks on data. Attacks can be automated, they can be executed faster, and they can do more damage in less time thanks to the processing power and bandwidth available to work with. Read The 9 Deadly Security Gaps: Protecting Against the Rising Risk of Toll Fraud to learn more about the threats and how you can defend your VoIP / UC network from attack.


Jun 27 2009   12:24PM GMT

VoIP Fraud Meets Terrorism



Posted by: Tony Bradley
toll fraud, voip fraud, terrorism, al qaeda, mumbai, pakistan

A recent report in the Wall Street Journal details the bust of a VoIP toll fraud ring in the Philippines. According to the WSJ article:

A federal grand jury in New Jersey indicted three people Friday, including one man who has been linked to al Qaeda. The three suspects, who live in the Philippines, are accused of providing Pakistani nationals in Italy with access to stolen phone lines.

The same company that was used to pay the three hackers also financed the communications of terrorists in last year’s Mumbai attacks, in which a small group killed more than 170 people, people familiar with the matter alleged.

The group is alleged to be responsible for stealing 12 million minutes of phone service estimated to be worth $55 million.

 


Jan 25 2009   2:15PM GMT

Attackers Place $120,000 in Unauthorized Phone Calls



Posted by: Tony Bradley
VoIP, VoIP security, toll fraud, Evangelyze Communications

Your phone bill varies from month to month in many cases. Actually, maybe not. I have been using Vonage for my home phone service for about 5 years now and the flat fee is what it is. I don’t pay for voicemail service, or any additional amounts for long distance like my cable provider charges customers of their digital voice service (although I think they finally realized those things are supposed to be included; now they just charge $15 a month more for fewer features). I just pay the same amount every month and I get all of the features and services available (psst - if you want to sign up for Vonage, drop me an email. We can both get 2 months of free service if I refer you).

Ah, but I digress. My phone bill has been the same for years, but even phone bills that vary tend to stay within a certain range. If you run a business perhaps the bill is $2,000 one month, $2,250 the next month, and $1,900 the month after that. You would probably be pretty shocked then to open the mail and find a bill for $120,000!!

That is what happened to one Australian company. Preliminary reports from the investigation suggest that the attackers gained access to both traditional PBX and VoIP communications systems and placed more than 11,000 unauthorized international calls in a span of about 2 days. Toll fraud has been around forever, and VoIP attacks are on the rise. Make sure you understand the threat and how to protect your systems.


Jan 18 2009   5:50AM GMT

Summing Up VoIP Security for 2008



Posted by: Tony Bradley
Mark Collier, SecureLogix, VoIP, Security, toll fraud

A lot happened in 2008. We had what seemed to be a marathon Presidential campaign season capped off with the election of the first African-American to be President of the United States. We had a housing crisis with a mortgage industry in free fall. We had the government bailing out Wall Street banks and investment firms to the tune of $700 Billion with no oversight and no strings attached, while scoffing at bailing out the automobile manufacturing industry for $30 Billion with conditions and a plan to turn things around. We saw 2.6 million Americans lose their jobs. Aside from that part about electing a new President, 2008 didn’t seem to hold much worth smiling about.

Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed-VoIP, found a silver lining though. In his blog, Collier sums up the year in VoIP security for 2008. He notes that, overall, the year was kind of boring. That may not sound like a silver lining, but if the alternative was one of the ‘sky-is-falling’ FUD (fear, uncertainty, and doubt) predictions being realized then suddenly boring is not so bad. Check out Collier’s blog for more details of the state of VoIP security in 2008 and links to some of the few attacks that were publicly disclosed.


Dec 29 2008   3:03PM GMT

Protecting VoIP Against Three Common Threats



Posted by: Tony Bradley
VoIP, DoS, VoIP security, voice, toll fraud, Denial-of-Service, SPIT, Spam over Internet Telephony

There are a number of ways, theoretically, that a VoIP communications system could pose a security risk to an enterprise. Let’s face it, while the network administrators have been in the trenches fighting unauthorized access, malware infections, data compromise, and more on a daily basis for the last 10 years, the voice guys have been sitting on a pretty stable and secure platform. While there are huge benefits for an enterprise to migrate from traditional voice to VoIP, those benefits come with a convergence onto that data network that is constantly under attack. That means that the benefits and efficiency of VoIP come with an increase in the number of security threats as well.

That said, attackers are still working on refining how to compromise VoIP for gain. Many of the VoIP weaknesses are proprietary, meaning that they vary from vendor to vendor and make it more difficult for attackers to determine targets. However, there are three VoIP threats that are consistent across pretty much all VoIP implementations, and two of the three are actually just new twists on old attacks that were used against traditional voice systems as well.

The three most common VoIP threats are voice spam (sometimes referred to as SPIT, or Spam over Internet Telephony), toll fraud (or theft of service), and denial-of-service attacks. For more details about these threats and what you can do to protect your VoIP network against them, check out The Biggest VoIP Security Threats - and How to Stop Them.


Dec 22 2008   2:50PM GMT

Exploiting VoIP for Toll Fraud



Posted by: Tony Bradley
VoIP, VoIP security, toll fraud, SecureLogix, Hacking Exposed

Toll fraud is nothing new. Pretty much since there have been telephones, or at least enterprise telephone systems, attackers have sought to somehow hijack or piggyback on them in order to place toll phone calls at the expense of the company that owns the phone system. As with many other types of ‘cyber crime’, the crime itself is not new, but technology often makes it easier and faster than the more traditional version of the crime.

Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed: VoIP, noted in a recent blog post what a threat VoIP toll fraud is. Collier points out that, while there may be a variety of ways to attack a VoIP system, toll fraud is one of the few with a clear and direct motive. Collier refers to a white paper detailing a recent toll fraud VoIP breach in Germany, and also alludes to a similar situation here in the United States that resulted in $250,000 of toll fraud theft. You can get more details on these incidents and VoIP toll fraud in general by checking out this post on Collier’s blog.


Nov 30 2008   1:38AM GMT

Beware Extension ‘9011’



Posted by: Tony Bradley
VoIP, VoIP security, toll fraud, extension 9011, 9011, international direct dial

If you have ever used a corporate phone system, you are probably familiar with the concept of dialing ‘9’ to get an outside line. That allows employees to simply dial extensions to communicate internally, but still use the normal plain old telephone system for placing calls outside of the company. Typically you dial ‘9’, which results in a second dial tone, and then you can dial the phone number as usual.

One of the most low-tech forms of attack on a voice system is for an outside caller to ask to be transferred to extension ‘9011’. The ‘9’ initiates the outside line dial tone, and the ‘011’ is the code to initiate an international direct dial phone call. Transferring a caller to extension ‘9011’ enables that caller to place international phone calls that end up being charged to the company because they originate from your phone system. It doesn’t happen often, but it is low-tech enough that it still happens on occasion. Make sure your users, particularly receptionists or customer service representatives that answer incoming calls frequently, are aware of this toll fraud scam and are educated to never transfer anyone to extension ‘9011’.
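
A transfer-log check for the scam described above, as an added example that is not part of the original post. It assumes a hypothetical transfer record of (time, answering extension, call origin, transfer target) and uses ‘9’ and ‘011’, the outside-line and international codes the post names, as configurable defaults; the sample records are constructed.

```python
import re
from collections import Counter

# Assumed defaults: the codes named in the post. Adjust to the local dial plan.
OUTSIDE_LINE_CODE = "9"
INTERNATIONAL_PREFIXES = ("011",)

def normalize(dialed):
    """Keep only digits so '9-011', '9 011' and '9011' compare equal."""
    return re.sub(r"\D", "", dialed)

def is_toll_risk_transfer(target, outside=OUTSIDE_LINE_CODE,
                          intl=INTERNATIONAL_PREFIXES):
    """True when the target seizes an outside line and then starts an
    international direct-dial sequence (for example 9 + 011)."""
    digits = normalize(target)
    if not digits.startswith(outside):
        return False
    rest = digits[len(outside):]
    return any(rest.startswith(prefix) for prefix in intl)

# Constructed sample data in a hypothetical record layout:
# (time, answered_by, call_origin, transfer_target)
SAMPLE_TRANSFERS = [
    ("2009-01-20T09:14", "2001", "external", "2150"),
    ("2009-01-20T09:31", "2001", "external", "9011"),
    ("2009-01-20T10:02", "2044", "internal", "9-011-44"),
    ("2009-01-20T10:40", "2001", "external", "9 011"),
    ("2009-01-20T11:05", "2044", "external", "9555-0100"),
]

def flag_transfers(records):
    """Return transfers of outside callers onto an international trunk prefix."""
    return [r for r in records
            if r[2] == "external" and is_toll_risk_transfer(r[3])]

def flagged_by_extension(records):
    """Count flagged transfers per answering extension, to show where
    user awareness training is most needed."""
    return dict(Counter(r[1] for r in flag_transfers(records)))

if __name__ == "__main__":
    for record in flag_transfers(SAMPLE_TRANSFERS):
        print("suspicious transfer:", record)
    print(flagged_by_extension(SAMPLE_TRANSFERS))
```

The same predicate can be applied at the PBX as a transfer restriction, so the call is blocked rather than only reported afterwards.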


Dec 28 2007   8:27PM GMT

VoIP Vulnerabilities



Posted by: Tony Bradley
VoIP, Unified Communications, vishing, toll fraud, skype worm

I know I am a broken record, or kicking a dead horse, or some other analogy about stating the same obvious thing over and over, but as the world adopts VoIP for voice communications they need to be aware of the security risks and take the appropriate steps to protect their communications and their networks. Sipera Systems has published a list of the Top 5 VoIP Vulnerabilities. If you have implemented, or plan to implement, a VoIP solution, be aware that eavesdropping, VoIP hopping, vishing, toll fraud, and the Skype worm are all issues you should be concerned with. Take a look at Sipera’s Top 5 VoIP Vulnerabilities in 2007 list for more details.