Hackers have been featured on the news recently as credit cards and passwords have been obtained in breaches, leaving millions to worry about whether their bank accounts or e-mail addresses are secure. However, there is another area that unethical hackers are targeting that isn’t getting as much attention – business phone lines and business phone systems. Although this hacking method is not as “sexy” as the hijacking of credit card information, it is arguably as financially rewarding for the perpetrators.
Only recently have phone hackers come to the public's attention, as billions of dollars have been swindled through this simple, low-tech hacking technique. These hackers tend to focus on small to medium-sized businesses that often use local service providers rather than the major carriers such as AT&T Mobility, Verizon Wireless and Sprint. These businesses are less likely to take precautions around their phone systems, and routinely leave open doors for hackers, such as insecure voicemail passwords.
The increased success in phone hacking is largely due to one main cause – users’ and administrators’ deficiencies in protecting their phone systems. In an era where everything online is considered exposed to hackers and where voice over IP systems are more prevalent, traditional voice services are not immediately seen as a threat to business security. However, the majority of recent phone hacking is done through insecure voicemail boxes, distantly followed by VoIP-type hacking, which involves hijacking or spoofing VoIP account credentials.
Once they gain access to voicemail boxes or VoIP credentials, hackers are able to set up forwarding to, or originate calls to, premium numbers, mostly international, through which the hacker receives a cut of the charges collected. With high-speed computers, hackers are now able to make hundreds of calls concurrently, running up phone bills into the hundreds of thousands of dollars over just a weekend.
Combatting phone fraud
There are several ways to combat this type of fraud, a few of which businesses can implement internally and the others they should look for in their telecom service provider.
Enforce minimum 6-digit voicemail passcodes with stringent default requirements
Passwords are such an important part of digital security, which makes it ironic that they are often overlooked when it comes to telecom security. Having a unique passcode is one of the best ways to combat an external attack. Requiring a 6-digit passcode as opposed to a 4-digit one makes hacking into voicemail exponentially more difficult. Enforcing additional criteria for passcodes, such as not allowing passcodes to contain the same numbers as the phone number, makes it even more difficult for hackers to break in. All are typical best practices that apply to any digital system's password policy.
Do not allow call forwarding to international numbers
Businesses enable wrongdoers by allowing users to deploy call forwarding to international numbers. Hackers search exhaustively for the ability to dial in to a user’s voicemail portal and forward that number internationally to the premium numbers mentioned above. For increased security, turn off the call forwarding ability by default and only allow certain users who know the exposure it causes to deploy it.
Block calling to the countries that are the biggest offenders
This may seem obvious, but if it’s not done automatically by your telecom provider it probably isn’t going to be top of mind among all the other concerns a business faces. As this list is constantly changing, ask your telecom provider if it is able to block the calls for the entire office, which will drastically decrease the opportunities for hackers to forward or spoof calls to premium international destinations.
Lock out voicemail after multiple invalid attempts
If at first you don’t succeed, try, try again – but not when it comes to logging into your voicemail. Set up accounts to automatically lock after a certain number of invalid attempts to ensure the hackers don’t have an unlimited number of tries to break into your system.
Disable international calling by default
Should employees need to dial an international number, it’s possible to give individual users the ability to dial internationally. However, disabling these calls by default ensures that erroneous calls can’t be made without specific approval and purpose. Another added security element would be to require an authorization code on an outbound international call.
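The controls above can be checked mechanically against an export of mailbox settings. The following is an added example, not part of the original article: the record fields, the sample mailboxes, the lockout threshold of five attempts and the North American (+1, 011 prefix) dialing assumption are all constructed for illustration.

```python
import re

MIN_PASSCODE_LEN = 6      # article: minimum 6-digit passcodes
MAX_FAILED_ATTEMPTS = 5   # assumed threshold; the article gives no number

def is_international(number, home_cc="1"):
    """True if a dial string leaves the home country code (assumed +1)."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("011"):            # North American international prefix
        return True
    return digits.startswith("+") and not digits.startswith("+" + home_cc)

def weak_passcode(passcode, phone_number):
    """Reasons a passcode fails the policy; an empty list means it passes."""
    reasons = []
    phone_digits = re.sub(r"\D", "", phone_number)
    if not passcode.isdigit() or len(passcode) < MIN_PASSCODE_LEN:
        reasons.append("passcode shorter than 6 digits")
    # One reading of "same numbers as the phone number": either contains the other.
    if passcode and (passcode in phone_digits or phone_digits[-4:] in passcode):
        reasons.append("passcode taken from the phone number")
    if len(set(passcode)) == 1:
        reasons.append("passcode is one repeated digit")
    return reasons

def audit_mailbox(mb):
    """Check one mailbox record (hypothetical fields) against the controls."""
    findings = weak_passcode(mb["passcode"], mb["number"])
    if mb.get("forward_to") and is_international(mb["forward_to"]):
        findings.append("call forwarding targets an international number")
    if mb.get("intl_calling") and not mb.get("intl_auth_code"):
        findings.append("international calling on without authorization code")
    limit = mb.get("lockout_after")
    if not limit or limit > MAX_FAILED_ATTEMPTS:
        findings.append("lockout missing or above %d attempts" % MAX_FAILED_ATTEMPTS)
    return findings

# Constructed sample records; numbers use fictional ranges.
MAILBOXES = [
    {"ext": "101", "number": "+1 202 555 0142", "passcode": "0142",
     "forward_to": "+999 5550 0000", "intl_calling": True, "lockout_after": None},
    {"ext": "102", "number": "+1 202 555 0187", "passcode": "739204",
     "forward_to": None, "intl_calling": False, "lockout_after": 3},
    {"ext": "103", "number": "+1 202 555 0163", "passcode": "222222",
     "forward_to": "+1 202 555 0199", "intl_calling": True,
     "intl_auth_code": True, "lockout_after": 10},
]

if __name__ == "__main__":
    for mb in MAILBOXES:
        print(mb["ext"], audit_mailbox(mb) or "OK")
```

The international check treats every +1 destination as domestic, so a provider-side country or destination block is still needed on top of it.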
Security, from physical to online, has always been a concern for businesses, but it’s important to not forget the phone system. Sensitive information is constantly being shared, so it’s important to take every step possible to keep a business safe. By connecting with your telecom provider and following the tips above, your business should have your phone lines as protected as possible, leaving time and resources to focus on other security concerns.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.