Phone Phreaking; How to Prevent Phone System Hacking

Phone phreaking is a form of hacking that targets telephone networks. Hackers, usually based abroad, tap into a business's phone system and take control of the lines to gain free phone services. Often the hackers use the lines for costly international calls, or to dial premium-rate lines that they have set up beforehand.

Companies that are hacked are liable for any costs incurred. A Channel 4 News item valued the UK's losses to this criminal activity at £1 billion in 2012 alone. The average loss is between £1,500 and £3,000, and these costs generally take only 2 to 3 days to be incurred; however, bills of tens of thousands are worryingly common.

Any business with a phone system is potentially at risk from these hackers, in particular companies whose phone systems allow employees to call in from outside and use the company's network to make calls. Employees need a PIN to access their voicemail and to make calls; however, this is often where the weakness lies. Many businesses are unaware of the risk of phone phreaking, or don't fully understand their PBX systems. Unless the PIN is manually changed, it is left as the manufacturer-issued default: 1234, for example. Hackers can then easily guess the PIN, and once they are in they can take control of the lines. These activities are commonly carried out during weekends and bank holidays to avoid detection. But with the high call charges it doesn't take long for them to add thousands to the company's telecommunication bills.

It is not only private businesses that are at risk; anyone with a phone system is a potential target, including schools, charities and public bodies. The most high-profile case in the UK was New Scotland Yard, from which hackers took £1 million over an 18-month period.

There are a number of changes and adjustments that can be carried out to minimise the risk of your phone systems being compromised.

 

  • Change your PBX admin passwords from the manufacturer defaults and make sure that they're at least 6 digits in length and alphanumeric if possible (there will generally be a password to access the system via a computer and also an admin password to access the programming from a handset).
  • If you do not need to make trunk-to-trunk calls (usually needed for conference calling facilities and for voicemail follow-me features), disable this feature, or at least disable it for the extensions that do not need to make these types of call.
  • If you need to make trunk-to-trunk calls on the voicemail or on the extensions, set some destination restrictions on your phone system so that only certain destinations can be dialled.
  • If you do not need to make international or premium-rate calls, ask your network operator to bar these types of call.
  • Make sure your voicemail administrator and user passwords are not left at their defaults and that they are a minimum of 6 digits in length; also change your user passwords every 90 days.
  • Delete all unused voicemail boxes.
  • If your phone system needs to be accessible via the internet, protect this access with a secure method such as a VPN, or by restricting access to specified IP addresses only.
  • Make sure all IP extensions are protected with a strong password.
  • Delete all unused IP extensions.
  • Consider a voice firewall that can block calls to certain known fraudulent destinations.
  • Port closure / remote access by maintainers
  • Transfer to 900 extra

All of these adjustments will help limit the possibility of your system being hacked, but processes for early detection are also essential to limit your exposure to loss. These include reviewing your phone bills for any unusual activity, as high volumes of calls can sometimes start a few days after the initial attack has happened. If you have call logging software on your phone system, you could schedule twice-daily destination reports and review these for any unusual call traffic. These methods require commitment and diligence from the person responsible for the monitoring, and the task will need to be delegated to someone else during holidays and sickness absence.
You could also install a voice firewall, which you can configure independently of your telephony provider to block calls to certain known fraudulent destinations and to monitor calls for known patterns of fraudulent behaviour. It can then be set to notify you of suspected attacks without the need for daily personnel interaction.
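
The destination report described above, as an added example that is not part of the original article: it reads a call-log export and lists extensions making international or premium-rate calls outside office hours, including on bank holidays. The CSV column names, office hours, alert threshold and sample records are assumptions constructed for illustration; the `00` and `09` prefixes follow UK dialling conventions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export from call-logging software; columns are assumed.
SAMPLE_CDR = """start,extension,dialled,duration_s
2024-03-01 10:15:00,201,01704555010,180
2024-03-01 11:02:00,202,0033155550100,300
2024-03-02 02:10:00,299,0035315550100,2400
2024-03-02 02:55:00,299,09095550100,3100
2024-03-03 03:20:00,299,+35315550101,2800
2024-03-04 09:30:00,201,+441704555011,120
"""
WORK_DAYS = range(0, 5)    # Monday-Friday (assumed office pattern)
WORK_HOURS = range(8, 18)  # 08:00-17:59 (assumed)

def destination_class(number):
    """Classify a dialled number using UK dialling conventions."""
    n = number.replace(" ", "")
    for uk in ("+44", "0044"):          # UK numbers written internationally
        if n.startswith(uk):
            n = "0" + n[len(uk):]
    if n.startswith(("00", "+")):
        return "international"
    if n.startswith("09"):
        return "premium"
    return "national"

def out_of_hours(ts, holidays=frozenset()):
    """True for weekends, listed bank holidays and times outside WORK_HOURS."""
    return (ts.date() in holidays or ts.weekday() not in WORK_DAYS
            or ts.hour not in WORK_HOURS)

def destination_report(cdr_text, holidays=frozenset(), min_calls=2):
    """Per-extension totals of out-of-hours international/premium calls."""
    totals = defaultdict(lambda: {"calls": 0, "minutes": 0.0})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        risky = destination_class(row["dialled"]) != "national"
        if risky and out_of_hours(ts, holidays):
            entry = totals[row["extension"]]
            entry["calls"] += 1
            entry["minutes"] += int(row["duration_s"]) / 60
    # Only report extensions at or above the alert threshold.
    return {ext: t for ext, t in totals.items() if t["calls"] >= min_calls}

if __name__ == "__main__":
    for ext, t in destination_report(SAMPLE_CDR).items():
        print(f"ALERT ext {ext}: {t['calls']} calls, {t['minutes']:.0f} min")
```

Run on a schedule against the real export, this removes the dependence on someone remembering to read the report during holidays or absence.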

If AdaptiveComms provide your telephone bill, we can block all international and premium calls at network level. If that is not appropriate for your business, we can provide and install a firewall for any system.
These precautions can dramatically decrease risk, but no method is guaranteed. Your business is liable for any costs incurred, not your supplier.
For further details or to discuss your options with an AdaptiveComms expert, please call us on 01704 540547.