Toll Fraud - Preventative Measures

How was the phone system hacked?
Usually voice mail is the culprit from an outside hacker by using Outbound Transfer or Off Premise Notify features.
-Outbound Transfer - When a user allows callers to press 7 from their mailbox to reach their mobile, the hacker will change this number
-Off Premise Notification - a Hacker will program *72 plus a number, this will forward the phone line and they have also programmed another mailbox to cancel it in the morning using *73
-DISA (Auto Answer) if enabled on one of the lines it can allow a remote user via password to dial into the system to make Long Distance calls
-Forwarded Sets - An unruly employee paid to forward a set after hours then turns it off in the morning


These are guides lines only
Every site is setup different or has different software so you will need to do what suits the client.
Some of the tips below will block features for some users such as "Off Premise Notification" and "Outbound Transfer" from the voice mail systems....in this case rely on just programming a Restriction Filter and applying it to the voice mail DN's.
Below will also show ways to block voice mail from any access to the lines, while this is overkill it does not hurt to do so.


See also Tip FAQ http://www.tek-tips.com/faqs.cfm?fid=7280 for those with a NAM

KSU/BCM:
-Have Installer change Configuration and Administration passwords - in case of unruly employee tampering.
-Disable DISA and/or change COS password to something more secure - DISA is used for remote users to access the phone system.
-Setup restriction filters and have them applied to voice mail ports/DN's - This is for older Voice Mail systems
-Setup restriction filters and have them applied to lines and/or sets and/or setup COS passwords to bypass restrictions on sets.
[highlight #F57900]Concerning above two lines about restrictions[/highlight]:
1. On older versions of voice mail such as NAM 3.0 you could restrict voice mail, only the primary DN (Feature 985 to see) needs to be restricted
2. On newer voice mails the restrictions are ignored when you apply them to voice mail primary DN (Feature 985 to see)
Instead you can apply the restrictions to the lines or you can apply restrictions to the DN # that matches the mailbox #
This means if you are DN222 with Mailbox 222 you can restrict 011 for oversea calls and apply the given filter to DN222, this will not let the set or the mailbox to dial 011 however the set can override this if you setup a COS password.
Feel free to post in the forum for more explanation if needed.
-Disable Allow Redirect option for all sets - This prevents a user from redirecting one line to another or Call Forwarding the phone to an external number.
Restriction example- Restrict 0 for overseas, * (or *72), 10 for those 10XX type services.

BCM Update:
-Note that if your BCM allows users access to Mailbox Manager then you are at risk of being hacked.
-The login via the browser does not have a maximum attempts setting so it can be hacked easily from the outside world by an automated script
-The hacker will then change your Outbound Transfer number
-Port 80 and 443 are web browser ports that should be blocked in your router, VPN is a more secure choice from outside your network.
-More importantly via Callpilot Manager denying the mailbox or Class of Service access to any Pools or Outbound Transfer as well restrictions on the sets or lines will stop Toll Fraud


Voice Mail
-Norstar Application Module (NAM) run the Toll Fraud Patches, see this link http://www.tek-tips.com/faqs.cfm?fid=7280 - Note that you can post in forum asking for a link for patch.
-Callpilot 100/150 upgrade software to 3.1
-BCM's with Callpilot make sure you are upgraded to the latest BCM patches.
-Delete all unused mailboxes
-Have ALL users change mailbox passwords to 6 or 8 digit non-trivial passwords, including General Delivery and System Manager mailboxes, however if you do not need remote access to the System Manager mailbox to change greetings then leave it at default 0000 so it cannot be accessed from outside.
-Disable Outbound Transfer and Off premise Notification in admin programming of Class Of Service(COS).
-Remove any valid entries under Outdial in admin programming of mailboxes
-Disable the "disable External Initialization" feature in COS
-Change maximum number of password attempts under COS
-Set "Return to AA to No" to prevent ** access (remote access to mailbox), note that this will effect what happens to callers after listening to an info mailbox.


Carrier/Telco
-Have the carrier restrict oversea calls if you do not ever call overseas and/or have them setup passwords.
They maybe also be able to restrict certain digits (filter).

Suggested restrictions (use all or some depending on environment) based on North America:

* - Will prevent any attempt to override restrictions and prevent the use of Call Forward (*72)
0 - Will prevent Overseas calls
10 - Will prevent 10XX numbers

Other Restrictions you might be intrested in:
1 - Will prevent local long distance (Exceptions to add are toll free numbers 1800,1888,1887,1866,1855,1844)
411 - Will prevent charges for using the service local Directory Assistance
1555 - Will prevent charges for using the service abroad Directory Assistance
700, 900, 976 (1700, 1900, 1976) Will prevent charges for using the Premium Rate Services


For those whom need Off Premise Notify or Outbound Transfer it is recommended these user are in their own Class Of Service and that they use 8 digit complex passwords with a short Password Attempts setting before it locks the mailbox.

Reports:
You would need to setup an SMDR to see what ext. made the call or run reports from voice mail system....see your vendor for more details.