
Gateways to Toll Fraud

Reprinted with permission from Infosecurity News, Copyright 1996 by MIS Institute Press, Inc. All rights reserved. Infosecurity News is free to qualified subscribers. Call 508-879-9792 for subscription information.

Corporate America has expanded its telecommunications systems, offering hackers a variety of new attacks.

BY BERNIE R. MILLIGAN

Estimates vary, but toll fraud cost U.S. companies billions of dollars in 1993, and the amount appears to be increasing at about 25 percent annually. Telephone systems provide the gateways between corporate America and the hacker community, and when companies augment their telecommunications systems with private branch exchanges (PBXs), toll-free lines, voice mail, automated attendants and dial-in LAN capabilities, they are inviting hacker attacks and probable toll-fraud losses.

(Figure: 1994 Toll-Fraud Losses)

Voice- and data-security managers must increase their own awareness of the hacker threat before they can protect against attacks. Their defenses should include the following tips, tricks and guidelines.

PBX DISA ports. PBX direct-inward-system-access (DISA) ports are used to support off-site executive, maintenance and sales-force communications after hours or when traveling. DISA ports can save long-distance costs, but they represent the highest toll-fraud risk to the corporations that offer them.

These ports often come equipped with built-in, factory-preset passwords, which should be changed upon delivery. In addition, they should be supported by a multilayered protection system, such as the Secure System Access Line (SSAL), from Proctor & Associates Co. Inc., Redmond, Wash. This device requires a customer-assigned, fourteen-digit security code to be dialed, and notifies the system administrator of possible hacker attempts. The device is also recommended for use on all remote-maintenance ports to telephone systems, voice mail, automatic attendants and modems.

Voice-mail systems. Voice-mail passwords should be at least six digits long and should never match the last six digits of the telephone number (a common practice). They should never consist of a single repeated digit or a consecutive run (111111, 123456). Many voice-mail systems have built-in security administration that will reject such easily guessed passwords.
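The password rules above are simple enough to enforce mechanically when a box is provisioned or a user changes a password. The following is an added example written for this reprint, not code from the article or from any voice-mail vendor; the telephone number, mailbox number and the extra rule that a password may not equal the mailbox number are assumptions.

```python
# Voice-mail password policy check (added example, not from the article).
# Rules from the text: at least six digits, no single repeated digit, no
# consecutive run, never the trailing digits of the telephone number.
# Extra rule (assumption): the password may not equal the mailbox number.

MIN_PIN_LEN = 6


def _digits(number: str) -> str:
    """Keep only the digits of a formatted telephone or mailbox number."""
    return "".join(ch for ch in number if ch.isdigit())


def is_repeated(pin: str) -> bool:
    """'777777': one digit repeated for the whole password."""
    return len(set(pin)) == 1


def is_consecutive(pin: str) -> bool:
    """'123456' or '654321': every step is +1, or every step is -1."""
    if len(pin) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def pin_violations(pin: str, phone_number: str, mailbox: str = "") -> list:
    """Return the policy rules the password breaks; an empty list means acceptable."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < MIN_PIN_LEN:
        problems.append("shorter than %d digits" % MIN_PIN_LEN)
    if is_repeated(pin):
        problems.append("single repeated digit")
    if is_consecutive(pin):
        problems.append("consecutive digits")
    if _digits(phone_number).endswith(pin):
        problems.append("matches the trailing digits of the telephone number")
    if mailbox and pin == _digits(mailbox):
        problems.append("equals the mailbox number")
    return problems


if __name__ == "__main__":
    # Constructed sample: DID (713) 555-0142, mailbox 4142.
    for candidate in ("550142", "123456", "444444", "4142", "930718"):
        result = pin_violations(candidate, "(713) 555-0142", "4142")
        print(candidate, result or "ok")
```

A system that already has built-in security administration will apply the same rules itself; the check is still worth running against an export of the mailbox table, because boxes created before the policy was turned on usually keep whatever password they were given.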

Voice-mail remote-administration ports should always be protected with a security device or dial-back modem to discourage hackers. Hackers can and will reprogram voice-mail systems, to allow trunk-to-trunk tandem calling or to override security programming, if they reach the remote-administration port.

Voice-mail boxes should be programmed to shut down after three password attempts, and the system administrator should receive notification before any mailbox is reactivated. If multiple voice-mail boxes seem to have been "locked out" of the system, hacker activity should be suspected and system monitoring increased.
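The three-strikes lockout is something the voice-mail system does on its own; the sign of a hacker walking the mailbox range is several boxes locking out close together, which the system rarely reports by itself. The example below, added here and not taken from the article or any vendor, replays a constructed login audit trail (the log format, the 30-minute window and the three-lockout threshold are all assumptions) to find the lockouts and then the cluster.

```python
# Mailbox lockout replay and lockout-sweep detection (added example; the log
# format below is a constructed assumption, not any vendor's audit format).
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                       # the article's three-attempt shutdown
SWEEP_WINDOW = timedelta(minutes=30)   # assumption: lockouts this close belong together
SWEEP_THRESHOLD = 3                    # assumption: this many in a window => alarm

# Constructed sample: one early-morning sweep over boxes 2017, 2018, 2044;
# box 2031 is a legitimate user fumbling then succeeding; 3110 is daytime noise.
SAMPLE_LOG = """\
1996-03-12 01:58:02 box=2017 result=FAIL
1996-03-12 01:58:20 box=2017 result=FAIL
1996-03-12 01:58:41 box=2017 result=FAIL
1996-03-12 01:59:05 box=2018 result=FAIL
1996-03-12 01:59:27 box=2018 result=FAIL
1996-03-12 01:59:50 box=2018 result=FAIL
1996-03-12 02:03:10 box=2031 result=FAIL
1996-03-12 02:03:30 box=2031 result=FAIL
1996-03-12 02:03:55 box=2031 result=OK
1996-03-12 02:05:12 box=2044 result=FAIL
1996-03-12 02:05:33 box=2044 result=FAIL
1996-03-12 02:05:58 box=2044 result=FAIL
1996-03-12 14:20:07 box=3110 result=FAIL
1996-03-12 14:20:40 box=3110 result=OK
"""


def parse(log: str):
    """Turn log lines into (timestamp, box, result) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, clock, box, result = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, box.split("=", 1)[1], result.split("=", 1)[1]))
    return sorted(events)


def lockouts(events):
    """Replay the log; return {box: time_locked} for boxes that hit MAX_ATTEMPTS
    consecutive failures. A success resets the count; a locked box stays locked."""
    consecutive = defaultdict(int)
    locked = {}
    for stamp, box, result in events:
        if box in locked:
            continue
        if result == "OK":
            consecutive[box] = 0
        else:
            consecutive[box] += 1
            if consecutive[box] >= MAX_ATTEMPTS:
                locked[box] = stamp
    return locked


def sweep_alert(locked):
    """Return (window_start, [boxes]) for the first run of SWEEP_THRESHOLD or more
    lockouts inside SWEEP_WINDOW, or None if no such cluster exists."""
    by_time = sorted(locked.items(), key=lambda item: item[1])
    for i, (_, start) in enumerate(by_time):
        boxes = [box for box, stamp in by_time[i:] if stamp - start <= SWEEP_WINDOW]
        if len(boxes) >= SWEEP_THRESHOLD:
            return start, boxes
    return None


def run_sample():
    locked = lockouts(parse(SAMPLE_LOG))
    return locked, sweep_alert(locked)


if __name__ == "__main__":
    locked, alert = run_sample()
    print("locked:", {box: str(t) for box, t in locked.items()})
    print("sweep:", alert)
```

The reactivation rule in the text is the other half: whatever reactivates a box in `locked` should require the administrator's acknowledgement, so that a hacker who has locked a box cannot simply wait for it to clear and continue.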

800 lines and automated attendants. Toll-free 800-number attacks also have increased, with New York City-based sources representing three-quarters of the incidents. Many companies have installed automated-attendant services to answer 800 calls and direct them to appropriate departments. But automated-attendant services offer an unsupervised environment to the hacker.

So, automated attendants must be secured against hackers trying to enter voicemail systems, perform trunk-to-trunk tandem transfers or gain access to other services or communications systems from within the automated-attendant equipment. Systems must be programmed to allow only specific access routes, and when other attempts are made, callers should be diverted to a trained operator. The operator should notify the security manager when repeated attempts are made to dial unauthorized codes.

In addition, many automated-attendant systems can be programmed to function differently after normal business hours, when hackers are most active. This can be used to block unwanted traffic.

Calling-card fraud. Long-distance calling-card fraud is the lowest-risk attack for criminals and is used successfully by call/sell operations to place international calls at victims' expense. Unfortunately, security managers can do little to stop it.

Obvious measures include warning employees about shoulder-surfing and other techniques for viewing or recording numbers as they are entered into public telephones. But the best defense against calling-card fraud is to apply reasonable precautions when using the cards and to use long-distance services that offer protection against these fraudulent bills.

Call-forwarding schemes. Call-forwarding schemes represent a serious threat. Call forwarding is a standard offering or feature of many telecommunications services and PBXs. It forwards incoming unanswered or busy-signal calls from Direct Inward Dial (DID) trunks, tie lines and 800 services to outside lines or long-distance facilities. And subsequent call charges are billed to the PBX owner or service subscriber.

Call-forwarding features also are used within companies, during business hours, to implement unattended transfers from employee to employee. This feature is often abused by employees, who forward business phones to home or relatives' phones. Hackers, too, can reprogram these systems to forward calls to a number of their choosing, allowing them to hide behind the victim's PBX and making call tracing almost impossible. They then receive a free ride to bulletin boards and other hacker destinations.

The only defense against call-forwarding fraud is to use call-forwarding features that do not support trunk-to-trunk connections. Telecommunications systems' class-of-service restriction tables can be used to disallow these functions. The tables also can be configured to allow executive call forwarding to outside lines, but to disallow it for administrative staff.

700 calling fraud. Recent 700-number conference-calling schemes represent another expensive toll-fraud risk. Once a hacker has entered a telecommunications system and determines that normal long-distance capabilities have been blocked, the hacker will attempt to set up a 700-number conference call.

If permitted by the corporate PBX, this is done by dialing a known 700 conference number and programming or requesting a conference-call arrangement. Subsequent calls may then be placed to both international and North American destinations, and the victim's PBX receives the bill. Therefore, all corporate telecommunications systems should be restricted from dialing 700 conference numbers and periodically tested by the security or telecommunications staff.

900/976 calls. A new service used by companies to reduce 800-line charges has been long-distance 900 or 976 numbers, which bill calling parties directly. However, the downside of this service is that corporations have had to restrict 900/976 dialing from within their own premises.

So a new service is being provided by local-exchange carriers, to set up local numbers that bill back to calling parties. These local services are called 900/976 look-alikes. And again, corporate telecommunications systems should be programmed to restrict dialing to 900/976 and local look-alike exchanges, to keep hackers from using them at victims' expense. (For a list of these extensions, contact the author at 713-686-2896.)

Carrier dial-through. In this attack, a hacker enters a communications system and identifies the victim's chosen long-distance carrier. The hacker then dials the direct-access codes of other carriers, which have not been monitoring the victim corporation's calling patterns and so will not notice anything unusual. In-house hacker-detection software can alert managers to this attack; without it, the resulting toll fraud generally will not be detected until an unexpected long-distance bill arrives. So check those bills with a fine-toothed comb.
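The class-of-service restriction tables mentioned under call forwarding, the 700-conference and 900/976/look-alike blocks, the after-hours tightening mentioned for automated attendants, and the bill review recommended here all reduce to one screening decision per dialed number, applied once in the switch and again over the call-detail records. The following is an added example for this reprint, not the article's method or any PBX vendor's table format. Its assumptions: North American dialing; carrier direct-access codes of the form 10XXX (the form in use when the article was written) or 101XXXX; business hours of 07:00 to 18:59; class names executive, sales and admin; a constructed CDR format; and the two look-alike exchanges, which are placeholders and not the list the author offers.

```python
# Dial-plan screening plus billing-record review (added example; not the
# article's code or any PBX vendor's restriction-table format). Assumptions:
# North American dialing; carrier access codes 10XXX or 101XXXX; business
# hours 07:00-18:59; the look-alike exchanges are CONSTRUCTED placeholders.
import re

BUSINESS_HOURS = range(7, 19)
LOOKALIKE_EXCHANGES = ("540", "970")   # constructed placeholders, not a real list

# Categories no station may dial, regardless of class of service.
BLOCKED_FOR_ALL = [
    ("700 conference",      re.compile(r"^1?700\d{7}$")),
    ("900 pay-per-call",    re.compile(r"^1?900\d{7}$")),
    ("976 pay-per-call",    re.compile(r"^(1?[2-9]\d{2})?976\d{4}$")),
    ("900/976 look-alike",  re.compile(r"^(1?[2-9]\d{2})?(%s)\d{4}$"
                                       % "|".join(LOOKALIKE_EXCHANGES))),
    ("carrier access code", re.compile(r"^10(1\d{4}|\d{3})\d")),
]
# Categories that a class of service must explicitly grant.
PRIVILEGED = [
    ("international", re.compile(r"^011\d{7,}$")),
    ("toll",          re.compile(r"^1[2-9]\d{9}$")),
]
COS = {
    "executive": {"international", "toll", "forward-to-trunk"},
    "sales":     {"toll"},
    "admin":     set(),
}
AFTER_HOURS_COS = {"sales": "admin"}   # assumption: sales drops to admin after hours


def classify(dialed: str) -> str:
    """Map a dialed string (punctuation ignored) to a category name."""
    digits = re.sub(r"\D", "", dialed)
    for name, pattern in BLOCKED_FOR_ALL + PRIVILEGED:
        if pattern.match(digits):
            return name
    return "local"


def screen(dialed: str, cos: str, hour: int):
    """Return (allowed, reason) for one call from a station of class `cos` at `hour`."""
    category = classify(dialed)
    if category in dict(BLOCKED_FOR_ALL):
        return False, "blocked for every class: " + category
    effective = cos if hour in BUSINESS_HOURS else AFTER_HOURS_COS.get(cos, cos)
    if category in dict(PRIVILEGED) and category not in COS[effective]:
        note = "" if effective == cos else " (after-hours restriction)"
        return False, f"{effective} class may not dial {category}{note}"
    return True, category


def forward_allowed(cos: str, target: str, hour: int):
    """Forwarding to an outside number is a trunk-to-trunk connection: the class
    needs the forward-to-trunk privilege and the target must pass screening."""
    if "forward-to-trunk" not in COS[cos]:
        return False, f"{cos} class may not forward to outside lines"
    return screen(target, cos, hour)


# Constructed call-detail records: date, time, extension, class, dialed digits.
SAMPLE_CDR = """\
1996-03-14 09:12 ext=2017 cos=admin dialed=713-555-0187
1996-03-14 09:40 ext=3004 cos=executive dialed=011-44-20-7946-0018
1996-03-14 02:17 ext=2017 cos=admin dialed=10288-1-212-555-0134
1996-03-14 02:31 ext=2017 cos=admin dialed=1-700-555-0199
1996-03-14 23:05 ext=2110 cos=sales dialed=1-212-555-0147
1996-03-14 11:20 ext=2110 cos=sales dialed=540-0123
1996-03-14 10:05 ext=2017 cos=admin dialed=1-312-555-0166
"""


def review(cdr_text: str):
    """Re-screen completed calls. Anything that should have been blocked is a
    finding for the bill review: either fraud or a mis-set restriction table."""
    findings = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        _date, clock, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        allowed, reason = screen(fields["dialed"], fields["cos"], int(clock[:2]))
        if not allowed:
            findings.append((fields["ext"], fields["dialed"], reason))
    return findings


if __name__ == "__main__":
    for ext, number, reason in review(SAMPLE_CDR):
        print(f"ext {ext} dialed {number}: {reason}")
```

Running `review` over the switch's own CDR output is the periodic test the 700-number section asks for, done on paper: a completed call that `screen` rejects means either the restriction table in the switch does not say what the security manager believes it says, or the call was placed by a route the table does not cover (a DISA port or a tandem transfer through the automated attendant).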

Clip-on fraud. This attack is exactly what its name suggests: the hacker physically taps the line on the telephone-company side of the corporate telephone switch. The tap can be placed from within a multistory building or at a wire-distribution box miles from the victim's site.

The only defense against this tactic is good physical security within the premises, reinforced by a telecommunications management system that records all long-distance transactions. With this documentation, victims can prove that fraudulent calls were not initiated through their systems.

Social engineering. Hackers also depend on "social engineering" to learn telecommunications and data-systems profiles, obtain passwords, find unlisted 800 numbers and extract information such as modem access numbers. Surprisingly, hackers still have tremendous success simply asking for this information from unwary system operators, administrators and employees.

The strongest countermeasure to social engineering is training, combined with telecommunications-fraud monitoring software and firewalls on local-area-network servers. Employees, system operators and administrators also should verify the identity of any person requesting information about telecommunications or data systems.

Infosecurity managers need to understand that hacker attacks are a real and changing threat, which can only be met with constant system monitoring, good management and strong technological countermeasures. U.S. businesses have invested in the information society of the '90s, and should implement the infosecurity safeguards of the '90s to protect this investment.

(Sidebar: The Organized Hackerhood)

Bernie R. Milligan is president of Communications & Toll Fraud Specialists Inc., with offices in Texas and Tennessee. CTF Specialists provides voice- and data-communications security consulting services, including network engineering, design and implementation.