Preventing PABX telephony fraud

The second in a three-part series on why PABX systems are a target for telephony fraud examines how companies can avoid their PABX systems being used for fraudulent activities.
By John Bannister, Director of IT at Multimatics.
Johannesburg, 03 Nov 2005

System access numbers are designed to connect external diallers, such as a home handset, onto the PABX. This allows the home handset to behave as if it were an extension inside the company.

This allows people at home to make national or international calls, while only incurring the cost of a local call, or even a toll-free call, to the PABX. It is often used after hours and means employees do not need to stay at the office to make the calls, or it is used by sales people who spend the majority of their time on the road.

A person gaining access to these telephone numbers could easily use the system to sell cheap international calls or to place calls to premium-rate numbers. A client recently fell victim to such an attack and lost hundreds of thousands of rands in calls made to Nigeria.

How is this done?

Many companies advertise their telephone numbers. The other telephone trunk lines held by the business will have telephone numbers very similar to the advertised telephone number. In order to find the telephone number of the PABX DISA (direct inward system access) ports, all a fraudster needs to do is use a PC program and a modem to repeatedly dial numbers in sequence until it hits one that answers with the correct kind of tone.

The same PC program then repeatedly dials the number it has found, each time trying different authorisation codes until one works - and bingo, you get a new dial tone! That's the technical method. However, many companies do not stress the importance of keeping these telephone numbers completely confidential. This means the numbers can be stumbled upon by accident and fall into the wrong hands.

With an IP-based PABX that is enabled for voice over Internet Protocol (VoIP), it may be even easier to break into the system, either for financial gain or merely for destructive motives.

What can be done?

Ideally, one should disconnect all system access ports and disable the facility on the PABX.

The next best option is to block all overseas and premium-rate numbers on the ports, as some of the biggest thefts have involved overseas calls. The problem is that many companies use the system specifically for overseas calls. If this is the case, block the international destinations that are not required for the company's normal business, and also block those in similar time zones, since employees can make those calls from the office during working hours.

The following measures can also be taken:

* If it is possible, turn off the ports at night as many fraudulent calls are made late at night. However, many companies have this system so that the staff can use the phone after hours.

* Set the system so that it rings five to six times before it is answered. The phone should not be answered with a steady tone and should ideally have a voice message. This is because fraudsters use programs to automatically dial numbers in search of the ports. They mark a "hit" when the number answers on the first few rings with a nice steady tone.

* Issue different passwords and codes to each user.

* Set passwords to a minimum six digits and enforce password changes every 30 days if the PABX allows for this.

* A policy should be set for users that are allowed to select their own passwords. For example, they may not use extension numbers, company registration numbers, ID numbers, birthdays, etc. Make someone responsible for testing the users' passwords.

* Delete all passwords programmed into the PABX for testing and service purposes, as well as the original default passwords. In addition, the passwords of ex-employees and any codes an ex-employee might have known should be deleted.

* Implement the ports so that entering an invalid password causes the system to drop the line, no matter how inconvenient employees may find that to be.

* Monitor the system continually through PABX status logs and study call detail reports from the telephone management system on a regular basis to spot fraud-related calling patterns early.

* Make sure the person implementing all of the above is an expert.
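The password rules and the monitoring step in the list above can be turned into two small checks. The following is an added example in Python, not code from the article or from Multimatics: validate_disa_code() applies the password policy (six or more digits, not an extension number, company registration number, ID number or birthday, not a trivial digit sequence, changed within 30 days), and flag_suspicious_calls() scans call detail records for the patterns the article links to fraud: bursts of failed authorisation attempts on one port, and after-hours international or premium-rate calls placed through a port. The extension numbers, company numbers, dialling prefixes, CDR layout and CDR lines are all constructed assumptions, not any particular PABX's format.

```python
"""Added example (not from the article): defender-side checks for DISA ports.

All numbers, prefixes and CDR lines are constructed; the CDR layout and the
dialling prefixes are assumptions, not any particular PABX's format.
"""
import re
from datetime import datetime, timedelta

EXTENSIONS = {"2001", "2002", "2150"}        # constructed extension plan
COMPANY_NUMBERS = {"19980123", "200512"}     # constructed registration numbers
INTERNATIONAL_PREFIX = "00"                  # assumed international dialling prefix
PREMIUM_PREFIXES = ("0900",)                 # assumed premium-rate prefixes
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59 counts as office hours
MAX_CODE_AGE_DAYS = 30


def validate_disa_code(code, id_number="", birthday="", age_days=None):
    """Return the list of policy rules the code breaks ([] means acceptable).

    birthday is an ISO date string ("1978-03-15"); age_days is how long ago
    the code was issued (None if unknown).
    """
    problems = []
    if not re.fullmatch(r"\d{6,}", code):
        problems.append("code must be at least six digits")
    if code in EXTENSIONS:
        problems.append("code is an extension number")
    if code in COMPANY_NUMBERS or (id_number and code in id_number):
        problems.append("code is derived from a company or ID number")
    if birthday:
        bday = datetime.strptime(birthday, "%Y-%m-%d")
        forms = {bday.strftime(f) for f in ("%Y%m%d", "%d%m%Y", "%d%m%y", "%y%m%d")}
        if code in forms:
            problems.append("code is a birthday")
    if len(set(code)) == 1 or (len(code) >= 2 and
                               (code in "0123456789" or code in "9876543210")):
        problems.append("code is a trivial digit pattern")
    if age_days is not None and age_days > MAX_CODE_AGE_DAYS:
        problems.append(f"code is older than {MAX_CODE_AGE_DAYS} days and must be changed")
    return problems


# Constructed CDR lines: date time port result dialled-number duration-seconds
SAMPLE_CDR = """\
2005-11-02 14:05:12 DISA1 OK   0115550101     120
2005-11-02 23:41:03 DISA1 FAIL -              0
2005-11-02 23:41:20 DISA1 FAIL -              0
2005-11-02 23:41:37 DISA1 FAIL -              0
2005-11-02 23:41:55 DISA1 FAIL -              0
2005-11-02 23:42:10 DISA1 OK   00234555123456 1860
2005-11-03 02:10:00 DISA2 OK   0900555000     600
2005-11-03 09:15:44 DISA2 OK   0860555000     45
"""


def parse_cdr(text):
    """Parse the simplified CDR layout above into one dict per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, port, result, number, duration = line.split()
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "port": port,
            "result": result,
            "number": "" if number == "-" else number,
            "duration": int(duration),
        })
    return records


def flag_suspicious_calls(records, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (reason, port, timestamp) alerts in chronological order."""
    alerts = []
    failures = {}  # port -> timestamps of recent failed authorisations
    for rec in sorted(records, key=lambda r: r["when"]):
        port, when = rec["port"], rec["when"]
        if rec["result"] != "OK":
            recent = [t for t in failures.get(port, []) if when - t <= window]
            recent.append(when)
            failures[port] = recent
            if len(recent) >= fail_threshold:   # burst of bad codes on one port
                alerts.append(("repeated-auth-failures", port, when))
                failures[port] = []             # one alert per burst
            continue
        number = rec["number"]
        after_hours = when.hour not in BUSINESS_HOURS
        if number.startswith(PREMIUM_PREFIXES):
            alerts.append(("premium-rate-call", port, when))
        elif number.startswith(INTERNATIONAL_PREFIX) and after_hours:
            alerts.append(("after-hours-international-call", port, when))
    return alerts


def alert_summary(text=SAMPLE_CDR):
    """Scan a CDR text and return human-readable 'reason port time' lines."""
    return [f"{reason} {port} {when:%Y-%m-%d %H:%M:%S}"
            for reason, port, when in flag_suspicious_calls(parse_cdr(text))]


if __name__ == "__main__":
    print(validate_disa_code("2001"))
    for line in alert_summary():
        print(line)
```

Run against the constructed sample, the scan raises three alerts: the burst of failed codes on DISA1 late on 2 November, the long international call that follows it minutes later, and the premium-rate call on DISA2 at 02:10. In practice the CDR export of the telephone management system would replace SAMPLE_CDR, and the prefixes and office hours would be set to the company's own dialling plan.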