
Toll Fraud

Status
Not open for further replies.

desertinn

Vendor
Nov 28, 2010
324
US
I talked with the AT&T toll abuse center a few weeks ago because my customer had a breach in their Nortel and calls were being routed out via a CO Call Transfer feature.

I asked AT&T what is the big problem with telephone systems and toll abuse and they said by far the new internet based VOIP networked based telephone systems. Because they are internet accessible they can be hacked easier than stand alone telephone systems.

I am very concerned about installing VOIP systems considering all the problems I have heard and now this Toll Abuse issue.
 
My solution to that problem was to install a Hybrid System (Siemens HiPath 4000) in place of my traditional PBX. It interfaces to the outside world through an ISDN PRI circuit, and all of my IP functions and access to the switch by IP for maintenance is behind the corporate firewall and not out-facing. The only thing that sucks there is that for any of my users to have soft-phones on their laptops or IP-phones at their homes they need a VPN connection into our network to allow them access to their gateway, but we set up common VPN profiles for that purpose and have to install the client on their PCs. For the number of users I have in this situation I feel this is a small inconvenience in exchange for not having my systems out where the bad guys can get them. If our use ever gets high enough that I need out-facing IPs for my gateways then I'll have to start worrying about it I guess...

You can get Toll Fraud whether or not you have a VOIP system - all you need is some incorrect setup on your PBX for DISA, or allow trunk to trunk access and have your voicemail system configured incorrectly so callers can transfer to outside numbers, or just a stupid switchboard operator that gets a call from an "AT&T Technician" that is "testing the line" and needs her to transfer the call to "0" so they can check something.... Been there, got the T-Shirt (and the $275 toll charge!).

Any system can be compromised somehow or other if you aren't careful :eek:)
 
If you install a system and have it being accessible via the Internet without sufficient security then I will say you deserve being hacked and taken to the cleaners.
My question is also why would you have a VoIP system accessible from the Internet, there is no need for that. You either have a VPN gateway that will take that connection from your IP set or you have a VPN router on site to connect to the VPN gateway on the other site but never ever should you have the phone system sit in the open Internet.
I also suspect that the person you spoke to had not a clue what they were really talking about because it is way easier to hack into an old Nortel voicemail and test if some users have the good old 1234 password and then transfer to an external number from their mailbox than trying to hack into a system whose public IP you don't know, which you don't know the make and model of or the login.
I can probably hack into a Nortel system in 1 hour by just calling around with the yellow pages on my lap and test who has a Nortel and a stupid enough user with an easy to guess password vs days of trying to guess an IP address on the internet.

Joe W.

FHandw., ACSS

insanity is just a state of mind
 
Sounds like a desperate Telco trying not to lose business to me.
You can also look at sticking a media converter in and having it generate a SMTP trap for any login attempts and changes. We do this in combination with NetXMS, so even if we login, an alert pops up on our desktops.
I trained on a Meridian over a decade ago and toll fraud was mentioned then. As pointed out, a hell of a lot easier on a Meridian than via a corporate firewall + VPN + PBX.

Robert Wilensky:
We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true.

 