CPE/PBX fraud can kill a business...don’t take it sitting down
Many businesses utilize telecoms equipment for their offices and customer contact channels, such as PBX/PABX (Private Branch Exchange), Voicemail and Interactive Voice Response (IVR) systems; collectively CPE (Customer Premises Equipment) as it’s known in the telecoms industry. But many of those businesses do not realize how these systems might expose them to significant losses from telecoms CPE/PBX fraud. Such fraud costs billions of dollars every year and often the service user is left footing the bill...
Here, Dean Smith, AssuringBusiness, provides a brief overview of the all-too-common telecoms fraud risks that have affected businesses ever since CPE and telecoms were invented.
What is PBX Fraud?
Building flexible communications systems to support business operations often results in an enterprise, large or small, being open to fraud attack. The main motive for fraud is to obtain free calls/service, which is often, in turn, the basis of Service Resale or Revenue Share frauds. Telecoms fraud is a multi-billion dollar business globally and is often linked to more serious criminal or terrorist activities. There is also a breed of ‘telephony extortionists’ who break into systems to seize control, or corrupt systems, holding their target to ransom.
Voicemail systems have also been hijacked to enable the criminal element to trade information securely. Access to confidential information may also be the aim when cracking Voicemail boxes, and business competitors have resorted to variants of telecoms fraud attack to deny their competitors revenues, increase their costs or disrupt their business activities. CPE/PBX hackers or opportunists can make considerable sums in selling on vulnerable access codes to organized criminals/fraudsters.
The CFCA (Communications Fraud Control Association) has estimated the global impact of CPE/PBX Fraud to be in the region of US $4.42 billion in 2012 (survey conducted 2013), with total communications fraud losses exceeding $46 billion. Individual CPE/PBX fraud attacks can reach millions of dollars of impact if well organized, and can be critically disruptive to business operations.
Types of Fraud Attack
Attacks vary. Some will use ‘brute-force’ to crack DISA (Direct Inward System Access) PIN codes to make onward calls. Others will use their skills and knowledge of the equipment to test the most likely codes and passwords using commands they know to work for that CPE. One of the most dangerous attacks, however, is where the system maintenance port is compromised and administrator privileges obtained. The CPE can then be controlled almost in totality. For example, DISA may be activated where the feature had previously been blocked. Extensions may be permanently forwarded to foreign numbers. New users may be created. The production of local CPE records (e.g. CDRs – Call Detail Records or similar) or audit logs may be suspended during fraudulent activity to reduce the risk of detection by the CPE user. Configurations may also be changed back to their original state after fraudulent use, for example, over a holiday, a weekend or at night.
There are numerous high profile examples of CPE/PBX fraud; even the famed Scotland Yard of London, England, has been affected with an estimated fraud impact of GBP1m (around $1.6m at the time). The increasing evolution of telecoms network technologies is opening new avenues of attack and the continued development of CPE products and features will also bring new threats. CPE/PBX fraud modes are common vehicles for serious revenue frauds and a business may be targeted from almost any country, not necessarily locally. With increasing use of soft-CPE (Voice over Internet Protocol - VoIP) and integrated IT network connectivity, there comes an increasing exposure to standard IT/information security threats to achieve telecoms fraud goals. These attack skills are globally available.
Who Foots the Bill?
In the main, fraud committed against CPE/PBX users/customers is considered the responsibility of the customer and not the CPE supplier, maintainer or network operator as they are generally not responsible for configuration and operation. However, this burden of responsibility does not help the customer protect against attack – many businesses are simply not aware of the risks.
Increasingly, network operators and CPE/PBX providers/maintainers are educating their customers, supporting them in the fight against fraud. This is a wise move and may help to prevent litigation where suppliers might otherwise be blamed by the customer for fraud losses. Where businesses suffer fraud, they may be unable to pay the huge bills presented, or recover other economic costs, and this may result in bankruptcy and/or bad debt if strictly pursued.
In the highly competitive market for business customers, differentiation of offering is increasingly important for service providers. Fraud management and security services are being more widely offered to promote CPE vendors/maintainers and network operators/service providers as responsible suppliers. Some even offer products guaranteeing loss limitation and/or recovery in the event of a successful attack; a form of insurance against fraud (providing that certain preventative and detection controls are in place or subscribed to). But many do not.
Key Vulnerabilities and Techniques Used in Fraud Attacks
The vulnerabilities and techniques used in most fraud cases originate from several common sources:
- CPE/PBX Supplier – some CPE suppliers may use standard/default security access and password configuration. Standard security protocols are well known and CPE with these settings can be easily compromised.
- CPE/PBX Maintainer – security configurations are sometimes set to the same access/security configurations across customers for engineering teams to easily undertake remote maintenance. With common set-up, compromise is facilitated.
- Internal – any employee of the CPE or maintenance supplier, or people with access to telecoms configuration data within the business user/customer organization, may have an opportunity to facilitate fraud. Also, where CPE has been installed locally by employees, they may present similar vulnerabilities to those described for Supplier and Maintainer issues above.
- Hacking – maintenance and DISA access may be compromised through hacking or brute-force attacks.
- CPE/PBX configuration – features and functions on CPE are often not configured in a way that deters, prevents, mitigates or detects a fraud attack.
- Social engineering – a term applied to fraudsters who will obtain necessary information or codes, or place calls/obtain services, by deceiving employees of the target business. One of the more common attacks.
- Skip-hopping, or dumpster-diving – where fraudsters obtain useful information from the waste of the target business/customer that helps to compromise the CPE directly or by social engineering. This is a VERY common risk and many businesses will be exposed as they lack secure information management and disposal practices.
Other Attack Examples
Other telecoms fraud attacks that business should be aware of and protect against include:
- Denial of Service. Toll-free numbers are commonplace in business. Cases have been noted where auto-diallers have been deployed to bombard the toll-free numbers to prevent legitimate use (rapid/frequent calling) or cause a service failure. The same principle is used by attackers on the Internet targeting websites and portals.
- Industrial Espionage. Obtaining sensitive business information via communications platforms (e.g. voicemail hacking, call forwarding, social engineering); dumpster diving and poor information security management practices also generate significant risk here.
- Vengeance. Cases of attack have been noted where the motive appears to be based on vengeance, e.g. the case of a North American abortion clinic that had its voicemail greeting changed to something like “Welcome to ………, we murder babies for you”. Disgruntled employees are also potential sources of this type of attack.
- Diversion of Business. Competition can be tough. Cases have been noted where call centers or switchboards have gone very quiet, only for the business to discover that the access number promoted in literature or advertising campaigns has been hijacked and diverted to a competitor's business or another answering platform.
- Extortion. Seizing control of platforms (denying business as usual) until money or favor is paid.
- Account Surfing. Employees of the business or supplier/service provider may add unauthorized services/users to an account incurring additional costs that are not identified in normal billing reviews.
CPE/PBX Fraud Management Strategy: Six Key Steps
Businesses utilizing CPE/PBXs should consider the following risk management activities, and others as needed for their specific environment:
- Review access security protocols. Request information from the CPE supplier and/or maintainer regarding the exact nature of security protocols deployed on the CPE/PBX, ensuring that common or easily guessed access credentials are NOT used on any channel. The business should determine whether the nature of the access controls is consistent with its own security policies or expectations. Ideally, multi-factor access controls should be deployed, incorporating some form of one-time password token.
- Configure the CPE/PBX to reduce risk. Work with the telecoms manager and system maintainer to review and deploy sensible CPE configurations and options to limit risk. Consider what features the business really needs and the nature of user interface controls such as PINs. Continuously review and audit this configuration to identify changes that may present a risk.
- Monitor usage, or seek protection. Investigate fraud and usage monitoring options on the CPE itself (e.g. utilizing the call records and logs generated by CPE). But also check with the network operator/service provider – they may offer a fraud protection service, or may consider introducing one if demand is sufficient. Businesses may also consider creating their own fraud control software if they have access to the appropriate data.
- Deploy specialist anti-fraud tools. Consider the deployment of special fraud control platforms as an adjunct to the CPE, ideally to prevent fraud opportunities, or utilizing a call-accounting package that provides fraud monitoring reports. These tools take many forms and may be available via the CPE provider or direct from specialist vendors.
- Understand liability. Check terms and conditions of service and supply in all aspects of the telecoms environment (hardware, connectivity, usage etc.) to determine liability for issues should they occur. Businesses should be aware of the risks and these may be tracked in their enterprise risk management or Business Assurance plan.
- Review telecoms service billing. Check all service bills thoroughly to determine whether the business has fallen victim to fraud (or other over-charging) that has not been detected. Pay particular attention to higher-cost services, or unusual service usage patterns. Most network operators/service providers have standard processes for managing inquiries or claims for fraud if the business believes it has been a victim.
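As an added example (not from the article or from AssuringBusiness), a small Python script that applies two of the patterns described above to a constructed CDR export: international calls placed out of hours, and bursts of calls from one source such as a DISA port. The business hours, the international dialling prefix, the burst thresholds and the CDR field layout are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not from any real PBX): timestamp, originating
# extension or DISA port, dialled number, duration in seconds.
SAMPLE_CDRS = """\
2024-03-15 10:02:11,201,02079460000,95
2024-03-15 11:30:45,202,02079460001,310
2024-03-16 02:14:03,DISA1,009995550100,1850
2024-03-16 02:15:51,DISA1,009995550100,1720
2024-03-16 02:17:20,DISA1,009995550100,1640
2024-03-16 02:18:09,DISA1,009995550100,1590
2024-03-16 02:19:44,DISA1,009995550100,1700
2024-03-18 09:15:00,203,02079460002,42
"""

INTL_PREFIX = "00"        # assumed international dialling prefix on this PBX
BUSINESS_HOURS = (8, 18)  # assumed working day (local time), Monday to Friday
BURST_WINDOW_SEC = 600    # more than BURST_MAX_CALLS from one source in this
BURST_MAX_CALLS = 3       # window looks like DISA abuse or PIN guessing

def parse_cdrs(text):
    records = []
    for line in text.strip().splitlines():
        ts, src, dialled, secs = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "src": src, "dialled": dialled, "secs": int(secs)})
    return records

def out_of_hours(t):
    return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])

def detect(records):
    """Return (rule, source, timestamp) alerts for the two patterns above."""
    alerts, by_src = [], defaultdict(list)
    for r in records:
        if r["dialled"].startswith(INTL_PREFIX) and out_of_hours(r["time"]):
            alerts.append(("INTL_OUT_OF_HOURS", r["src"], r["time"].isoformat()))
        by_src[r["src"]].append(r["time"])
    for src, times in by_src.items():       # sliding window per source
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SEC:
                start += 1
            if end - start + 1 > BURST_MAX_CALLS:
                alerts.append(("CALL_BURST", src, times[end].isoformat()))
                break
    return alerts
```

Running `detect(parse_cdrs(SAMPLE_CDRS))` flags every call from the DISA port in the sample: five weekend-night international calls and one burst; the daytime extension calls produce nothing.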
Businesses need to be informed of their risks, and active in their risk management practices. Failure to review, plan and act on such risks can lead to significant economic loss and the possibility of critical business disruption.