Page 10 - Business Info - Issue 114 (www.binfo.co.uk)
Telephony fraud, or ‘phreaking’ as it’s commonly known, is a growing problem for businesses of all sizes. If you don’t think telephone fraud is a big issue for your organisation, then consider this scenario. A fraud attack occurs over a bank holiday weekend from Friday night at 8.00pm until Tuesday morning at 8.00am, a total of 84 hours. The victim company’s SIP trunk has 15 channels which are in constant use dialling a premium rate number that charges £2 per minute, per call. This equates to £1,800 every hour or £151,200 for the full 84 hours! That level of fraudulent attack could put the victim company out of business.
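The scenario above would show up in the trunk’s call detail records (CDRs) long before the bill arrives. The following is an added example, not code from the article or from Spitfire, of a detector that scans constructed CDR lines for sustained out-of-hours premium rate calling and estimates the money at risk. It assumes a CSV CDR layout (start time, extension, dialled number, duration in seconds), the UK dialling plan (09 premium rate, 00 international), office hours of 08:00 to 18:00 on weekdays, and the article’s £2 per minute tariff.

```python
"""
Added example (not from the Business Info article or Spitfire): scan SIP
trunk CDRs for the pattern the article describes, i.e. sustained
out-of-hours calling to premium rate numbers, and estimate the cost.

Assumptions (not from the article):
  * CDR lines are CSV: start time (ISO 8601), source extension,
    dialled number, duration in seconds.
  * UK dialling plan: 09 = premium rate, 00 = international prefix.
  * Office hours are 08:00-18:00, Monday to Friday.
"""
from collections import defaultdict
from datetime import datetime

PREMIUM_PREFIX = "09"
INTERNATIONAL_PREFIX = "00"
PREMIUM_RATE_PER_MIN = 2.00  # GBP, the article's scenario tariff

# Constructed sample CDRs: one ordinary Friday afternoon call, then a
# burst of hour-long premium rate calls from the voicemail port (900)
# in the small hours of Saturday morning.
SAMPLE_CDRS = """\
2013-08-23T15:02:10,201,02079460000,185
2013-08-24T03:00:05,900,09123456789,3600
2013-08-24T03:00:06,900,09123456789,3600
2013-08-24T03:00:07,900,09123456789,3600
2013-08-24T03:00:08,900,09123456789,3600
2013-08-24T04:00:09,900,09123456789,3600
"""


def classify(number):
    """Coarse destination class for a dialled number (assumed UK plan)."""
    digits = number.strip()
    if digits.startswith(PREMIUM_PREFIX):
        return "premium"
    if digits.startswith(INTERNATIONAL_PREFIX):
        return "international"
    return "national"


def out_of_hours(ts):
    """True at weekends or outside the assumed 08:00-18:00 office hours."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def parse_cdrs(text):
    """Parse CSV CDR lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 4:
            continue
        start, ext, number, secs = parts
        try:
            records.append({
                "start": datetime.fromisoformat(start),
                "ext": ext,
                "number": number,
                "secs": int(secs),
            })
        except ValueError:
            continue
    return records


def suspicious_hours(records, cost_threshold_gbp=100.0):
    """
    Aggregate out-of-hours premium rate minutes per (extension, hour)
    and return the buckets whose estimated cost reaches the threshold.
    """
    buckets = defaultdict(lambda: {"calls": 0, "minutes": 0.0})
    for r in records:
        if classify(r["number"]) != "premium" or not out_of_hours(r["start"]):
            continue
        key = (r["ext"], r["start"].strftime("%Y-%m-%dT%H"))
        buckets[key]["calls"] += 1
        buckets[key]["minutes"] += r["secs"] / 60.0
    alerts = []
    for (ext, hour), b in sorted(buckets.items()):
        cost = round(b["minutes"] * PREMIUM_RATE_PER_MIN, 2)
        if cost >= cost_threshold_gbp:
            alerts.append({"ext": ext, "hour": hour,
                           "calls": b["calls"], "cost_gbp": cost})
    return alerts


def projected_loss(channels, rate_per_min, hours):
    """Worst case if every trunk channel dials premium rate continuously."""
    return channels * rate_per_min * 60 * hours


if __name__ == "__main__":
    for a in suspicious_hours(parse_cdrs(SAMPLE_CDRS)):
        print(f"ALERT ext {a['ext']} {a['hour']}: "
              f"{a['calls']} premium calls, ~£{a['cost_gbp']:.2f}")
    print(f"Article scenario exposure: £{projected_loss(15, 2.00, 84):,.0f}")
```

Run against a real CDR export, the per-hour cost threshold is the knob to tune: the point is to page someone on Saturday at 04:00, not to discover the £151,200 on Tuesday morning.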
How is it done? One of the most common attack vectors is a ‘dial-thru’ where the attacker dials into the phone system and then uses its functionality to generate an outbound call to a premium rate destination in response to the inbound call.
Sometimes known as ‘phreaking’, traditional dial-thru is one of the oldest forms of attack. The attacker will simply dial all of the phone numbers of an organisation, often during the night, looking for a number that is answered by the automated functions of the phone system, such as voicemail, automated digital assistant, the remote DISA (Direct Inward System Access) and so on.
A classic successful dial-thru fraud is achieved when a user’s unprotected voice mailbox is reconfigured to forward calls to an external number. Any subsequent calls answered by this mailbox will then generate calls to the external number at the expense of the owner. This form of attack can work across analogue, ISDN and the latest VoIP lines.
To prevent simple dial-thru frauds, ensure that voicemail passwords are secure and not still set to factory default settings. Allowing users to access their voicemail from outside the office is a very common feature, but it is also a very common phreaking attack vector, so only enable this feature if the end user is fully aware of the potential implications. If you absolutely must enable it, consider using outgoing rules/call barring functionality to limit the exposure to expensive international and premium rate numbers.
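The outgoing rules the column recommends are, in effect, a policy check the PBX applies before it places a call, including the call a mailbox places when it forwards. Below is an added example of such a check; it is not code from the article or from any Spitfire product. It assumes the UK dialling plan (09 premium rate, 00 international, 07 mobile, 999 and 112 emergency), a constructed set of barring profiles, and that a mailbox’s call-forward target is validated with the most restrictive profile at the moment it is set rather than when the forwarded call is made.

```python
"""
Added example (not from the article or Spitfire): an outgoing-call rule
check of the kind the column recommends.  Premium rate is never granted
by profile; it is reachable only through an explicit allow list, and an
unknown profile is denied everything but emergency calls.

Assumptions (not from the article): UK dialling plan (09 premium, 00
international, 07 mobile, 999/112 emergency); the profiles below are
constructed for illustration.
"""
EMERGENCY = {"999", "112"}


def _digits(number):
    """Strip spaces and punctuation so '020 7946 0000' compares cleanly."""
    return "".join(ch for ch in number if ch.isdigit())


def destination_class(number):
    """Classify a dialled number under the assumed UK dialling plan."""
    digits = _digits(number)
    if digits in EMERGENCY:
        return "emergency"
    if digits.startswith("09"):
        return "premium"
    if digits.startswith("00"):
        return "international"
    if digits.startswith("07"):
        return "mobile"
    return "national"


# Constructed barring profiles: the destination classes each kind of
# originator may reach.  Note that "premium" appears in none of them.
PROFILES = {
    "voicemail_forward": {"national"},                      # mailbox forward targets
    "staff": {"national", "mobile"},                         # ordinary handsets
    "international_user": {"national", "mobile", "international"},
}

# Individually approved 09 numbers (e.g. a supplier's support line).
# Empty by default; populated by an administrator, never by a user.
PREMIUM_ALLOW_LIST = set()


def check_outbound(profile, number, allow_list=PREMIUM_ALLOW_LIST):
    """
    Return (allowed, reason).  Emergency numbers always pass; premium rate
    passes only if the exact number is on the allow list; everything else
    depends on the originator's profile, and an unknown profile gets nothing.
    """
    cls = destination_class(number)
    if cls == "emergency":
        return True, "emergency number"
    if cls == "premium":
        if _digits(number) in allow_list:
            return True, "premium number on allow list"
        return False, "premium rate barred"
    if cls in PROFILES.get(profile, set()):
        return True, f"{cls} permitted for profile {profile}"
    return False, f"{cls} barred for profile {profile}"


def validate_forward_target(number):
    """Apply the most restrictive profile to a mailbox call-forward target."""
    return check_outbound("voicemail_forward", number)


if __name__ == "__main__":
    # Constructed sample requests (drama-range numbers, not real subscribers).
    for profile, number in [("staff", "09123456789"),
                            ("staff", "00 44 20 7946 0000"),
                            ("international_user", "00 44 20 7946 0000"),
                            ("voicemail_forward", "07700 900123"),
                            ("guest", "999")]:
        allowed, reason = check_outbound(profile, number)
        print(f"{profile:19} {number:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The design choice worth copying is that the voicemail port gets its own profile: a compromised mailbox can then only forward to national numbers, which removes the attacker’s profit even if the PIN is guessed.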
If you have provisioned all your DDIs (direct dial inwards) onto the phone system, but are only using some of them, instead of routing the unused DDIs to an Auto Attendant (where they may be able to access voicemail) simply end the call, thus reducing the number of routes into your system.
Ensure that all PIN passwords are changed from the default to something secure, especially the administrator password. Don’t forget that there are also passwords for system extensions such as fax server, conference rooms and so on. As hackers are often aware of these numbers it is extremely important to ensure they have strong passwords. Change the password for the DDI voicemail of a staff member when they leave the company.
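A periodic audit of mailbox and system-extension PINs catches the defaults and leftovers the paragraph above warns about. This is an added example, not code from the article or from Spitfire; the list of default PINs, the six-digit minimum and the sample accounts are all constructed for illustration rather than taken from any vendor.

```python
"""
Added example (not from the article or Spitfire): audit PBX mailbox and
system-extension PINs for factory defaults and trivially guessable values.

Assumptions (not from the article): a policy minimum of 6 digits; the
default-PIN list and sample accounts below are constructed.
"""
DEFAULT_PINS = {"0000", "1234", "1111", "123456", "000000"}  # constructed list
MIN_PIN_LENGTH = 6  # assumed policy


def is_sequential(pin):
    """True for ascending or descending runs such as 123456 or 6543."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_weaknesses(extension, pin):
    """Return the reasons a PIN is weak; an empty list means acceptable."""
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("factory default")
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if extension and (pin == extension or pin.startswith(extension)
                      or pin.endswith(extension)):
        reasons.append("contains the extension number")
    if is_sequential(pin):
        reasons.append("sequential digits")
    return reasons


def audit(accounts):
    """accounts: iterable of (extension, kind, pin); returns the findings."""
    findings = []
    for ext, kind, pin in accounts:
        reasons = pin_weaknesses(ext, pin)
        if reasons:
            findings.append({"extension": ext, "kind": kind, "reasons": reasons})
    return findings


# Constructed sample: user mailboxes plus the system extensions the
# column mentions (fax server, conference room, administrator).
SAMPLE_ACCOUNTS = [
    ("201", "mailbox", "1234"),
    ("202", "mailbox", "202202"),
    ("300", "fax server", "000000"),
    ("301", "conference room", "482913"),
    ("0", "administrator", "123456"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"ext {f['extension']:>4} ({f['kind']}): {', '.join(f['reasons'])}")
```

Feed it the account export from the PBX and schedule it alongside the leaver process, so a departed employee’s mailbox is flagged if its PIN was ever reset to a default.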
Dial-thru phreaking is just one of a number of vectors for fraudulent phone system hacking. Spitfire has produced a ‘white paper’ which explains the various attack methodologies and the steps you can take to protect yourself against fraud. Visit www.spitfire.co.uk to read the white paper in full.
Credentials management company Jumio is warning business people and consumers to take more care when connecting to the free Wi-Fi network at their local coffee shop or risk falling prey to fraudsters. Its new white paper, The Fraudster’s Playbook, reveals that criminals will often run bogus networks with the same name to deceive inattentive coffee lovers and trick them into handing over personal details that they then use to commit further fraud.
Here’s how it’s done:
1. The fraudster sits in a coffee shop and uses a laptop to create a Wi-Fi hub with the same name as the venue’s legitimate Wi-Fi hotspot.
2. A customer inadvertently logs onto the fraudulent hotspot, which contains malware giving the fraudster access to the user’s machine from just a few metres away.
3. The fraudster accesses the customer’s online accounts by hacking their password using cryptography tools such as Cain & Abel, while sipping a latte and smiling over at the victim.
4. The customer leaves the coffee shop and the fraudster moves on to the next victim, gaining access to another tranche of online banking, retail and social media accounts ready for exploitation.
Tony Sales, convicted fraudster turned fraud prevention consultant, said: “This is one of the fraudsters’ favourite ID theft exploits as it yields rich data that they can use to conduct fraud straightaway. They sit around in coffee shops for half a day and get 50 or so identities with passwords to their targets’ online grocery shopping, their online bank accounts and other transactional sites. Then it’s time to get back to base to leverage this data and get spending.”
Other hunting grounds favoured by fraudsters are airports and transport hubs; hospitals and doctors’ offices; libraries and bookshops; and apartment blocks.
David Pope, director of marketing and payment fraud expert at Jumio, said: “Businesses and consumers alike must be aware that there are many disreputable networks posing as official networks – their only true purpose is to steal the personal details of unsuspecting Wi-Fi users.”
The Fraudster’s Playbook lifts the lid on five common tricks that fraudsters use to steal identities to enable them to go on to commit fraud at great cost to individuals and society. The National Fraud Authority estimates that fraud costs the UK economy £52 billion a year, 41% of which it attributes to online attacks (source: Annual Fraud Indicator, June 2013). To download a free copy, please visit www.jumio.com.
The Spitfire Communications Column
Don’t be a victim of phone fraud
In the first article in a new series, Tom Fellowes, Sales Director of Spitfire Network Services, warns of the dangers of phreaking.

agenda
All for the love of a latte