Toll fraud challenges and prevention in a VoIP environment
As long as there have been telephones and charges for conducting calls, there has been toll fraud. In the 1970s and 1980s, hackers used a technique called “phreaking” to trick pay phones by producing a 2400 hertz signal which mimicked the signaling mechanism used to control long-distance calls. Some individuals were even able to duplicate these signal tones through whistling. Despite the move to a digital phone system, individuals are still conducting fraud, taking advantage of unsuspecting companies.
The combination of today’s cheap and powerful computers and the ability to quickly install Voice-over IP (VoIP) throughout the world means fraudsters have access to a massive supply of targets. For companies and service providers, there exists a balance between using real-time detection to cut off service and ensuring business operations are not unnecessarily interrupted.
Providers are asking themselves what their responsibilities are to their clients, and what safeguards they can institute to lessen the threat of fraud attacks through VoIP networks. Successful VoIP vendors offer proactive monitoring that is able to recognize and manage threats in real time.
The risks of toll fraud within a VoIP network are severe. Some hackers are able to hijack systems and push through charges that can total $2,000 an hour or more. With VoIP, you are sending credentials to someone’s device while you call, and that device communicates back to you. This communication needs to be properly encrypted or you run the risk of someone copying it in transit. Hackers can get directly into phone devices, copy the credentials and place them in their own equipment.
With older phone systems, the volume of calls hackers could conduct was limited by the number of phone lines. If an office had five lines, then the thieves could not place more than five calls at a time. With VoIP, each line can be opened up to make many simultaneous calls, so the five-phone office could be defrauded by nearly 50 different lines, allowing costs to explode, especially when conducting international calls at up to a dollar a minute.
Similar to a strategy of deterring home burglaries, companies that take steps to make themselves unappealing targets can minimize the chances of being a victim of fraud. Installing motion detector lights, sturdy locks, and an alarm system can make your home a harder target than the house down the street. For burglars, there’s always a supply of houses, so they will simply move on to the next one that has not been safeguarded. The same holds true for phone fraud and companies using VoIP. There are tens of thousands of unsecured phone providers, and thieves who are looking to score $20,000 in phone services for a day will not be satisfied with $100 and a quick shutoff.
VoIP does, of course, offer substantial benefits such as cost savings and self-setup. If implemented properly, most VoIP systems are truly “plug and play,” and do not require a visit from the phone vendor. However, if the company does not follow vendor directions and sets up the system improperly, it can be exposed to fraud. Perhaps the company configured the phone system on an unsecure computer, for example on a machine that doesn’t have simple password protection. Another source of exposure could be the lack of internal best practices, such as using “1234” as the voicemail password, which is easily guessed and allows backdoor entry to the entire system.
The main tactic for VoIP providers to protect against the fraud threat is to implement sophisticated early detection rules which allow them to suspend service in real time when a breach is discovered. These early-warning systems require a delicate touch, with advanced vendors understanding they need to avoid being intrusive while looking out for clients’ best interests.
Advanced detection systems will utilize algorithms which actively look at each customer’s real-time call patterns and compare them to historical data. This allows the vendor to spot, for example, a company that typically has $200 in call charges per month that suddenly starts registering $300 worth of calls in a day. It can also flag odd international calls, especially for clients that typically only call within the US. When such aberrations are detected, the vendor simply shuts off the account’s international calling and promptly contacts the client to determine if the calls are a part of normal business operations.
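The baseline comparison described above can be sketched as a replay over call detail records. This is an added example, not code from the article or from any vendor; the account names, call records, baseline fields and the 10x daily threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baselines (assumed fields): typical monthly spend and countries called historically.
BASELINES = {
    "acct-100": {"monthly_usd": 200.0, "countries": {"US"}},
    "acct-200": {"monthly_usd": 6000.0, "countries": {"US", "GB"}},
    "acct-300": {"monthly_usd": 200.0, "countries": {"US", "GB"}},
}
HOME = "US"
DAY_MULTIPLE = 10  # assumption: alert when one day's spend exceeds 10x the average day

# Constructed call detail records: (account, ISO start time, destination country, cost in USD).
CDRS = [
    ("acct-100", "2024-03-04T09:12:00", "US", 1.50),
    ("acct-200", "2024-03-04T09:30:00", "GB", 40.00),
    ("acct-100", "2024-03-04T23:01:00", "US", 2.00),
    ("acct-100", "2024-03-05T02:10:00", "LV", 45.00),
    ("acct-100", "2024-03-05T02:11:00", "LV", 60.00),
    ("acct-100", "2024-03-05T02:12:00", "US", 0.80),
    ("acct-300", "2024-03-05T03:00:00", "GB", 50.00),
    ("acct-300", "2024-03-05T03:05:00", "GB", 30.00),
    ("acct-200", "2024-03-05T10:00:00", "GB", 55.00),
]

def evaluate(cdrs, baselines, day_multiple=DAY_MULTIPLE):
    """Replay CDRs in time order. Returns (alerts, suspended accounts, blocked calls)."""
    spend = defaultdict(float)  # (account, date) -> running spend for that day
    alerts, suspended, blocked = [], set(), []
    for acct, ts, country, cost in sorted(cdrs, key=lambda r: r[1]):
        base = baselines[acct]
        if country != HOME and acct in suspended:
            blocked.append((acct, ts, country))  # international calling already shut off
            continue
        key = (acct, ts[:10])
        spend[key] += cost
        reasons = []
        if country not in base["countries"]:
            reasons.append("unusual-destination")
        if spend[key] > day_multiple * base["monthly_usd"] / 30:
            reasons.append("daily-spend")
        if reasons and acct not in suspended:
            suspended.add(acct)  # suspend international only; domestic calls keep working
            alerts.append((acct, ts, reasons))
    return alerts, suspended, blocked

if __name__ == "__main__":
    alerts, suspended, blocked = evaluate(CDRS, BASELINES)
    for alert in alerts:
        print("ALERT", alert)
    print("international suspended:", sorted(suspended), "| blocked calls:", len(blocked))
```

The high-volume account with an established international pattern (acct-200) never trips a rule, which is the balance between real-time cutoff and uninterrupted business operations that the article describes.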
Toll fraud will not go away as long as some systems and companies expose themselves to risk, and the potential monetary gains for the thieves remain. Companies can make themselves more unappealing to such thieves by working with an experienced vendor that features proactive monitoring in order to effectively deter phone-system fraudsters.