Avaya™ Modular Messaging Help


Telecommunication service thefts

 

The telecommunication industry faces a growing threat of theft of customer services. No telecommunications system can be totally free from the risk of unauthorized use. Ensuring that your systems are maintained in a secure manner is therefore a prime responsibility of each organization. This section provides information on toll fraud and service theft, and on ways to use the system administration tools to minimize the possibility of such unauthorized activities occurring on your system.

The following topics are included:

  • Toll fraud

  • Detecting Toll fraud

  • Unauthorized system use

Toll fraud

Toll fraud is one of the most expensive corporate crimes and poses a major threat to telecommunication systems. It can result in huge phone bills, revenue loss from its operational impact, additional expenses, service interruptions, and, most important of all, loss of customer confidence.

What is Toll fraud?

Toll fraud is the unauthorized use of a company's telecommunications service by an unauthorized party (for example, a person who is not a corporate employee, an agent, or a subcontractor). It occurs when people misdirect their own telecommunications charges to another person or business.

How does Toll fraud occur?

Toll fraud is possible when your system allows the incoming caller to make a network connection with another person. It is therefore important to protect vulnerable areas such as call transfer and bridging to an outbound call. There are numerous ways in which unauthorized users can attempt to breach your system security. These include:

  • Unauthorized system use. Intruders access your system, create a mailbox, and use the system. Hackers use personal computers, random number generators, and password cracking programs to break into customer premises equipment-based systems. Hackers continuously dial into the PBX or telephone equipment and probe the system for a weakness that will provide access to an outside line. Once an outside line is obtained, long distance calls are made.

  • Unauthorized mailbox use. An intruder discovers how to access a particular mailbox, perhaps by:
    - Finding the password on a subscriber's desk or in a wallet
    - Trying all the common variations of passwords
    - Buying the password from a computer hacker who breached the system security and logged in as an administrator

  • Fraudulent call transfer. An intruder uses the transfer-to-extension feature by transferring to the first few digits of a trunk access code.

Warning!
Toll fraud is a theft of long distance service. When toll fraud occurs, your organization is responsible for the charges incurred. Call Avaya's Customer Care Center, 1-800-643-2353 for more information on how to prevent toll fraud.

Voice mail fraud

There are two types of voice mail fraud. The first type, which is responsible for most of the equipment-related toll fraud loss, relies on misuse of the call transfer capabilities of voice mail systems. Once thieves transfer to dial tone, they may dial a Trunk Access Code (TAC), Feature Access Code, Facility Access Code (FAC), or an extension number. If the system is not properly secured, thieves can make fraudulent long distance calls or request a company employee to transfer them to a long distance number.

The second type of voice mail fraud occurs when a hacker accesses a mailbox to either take it over or simply access the information stored within it. In the first situation, a hacker dials either 9 or a TAC that allows the call to be transferred to the outgoing facilities. In the second situation, a hacker typically hacks the mail password and changes it along with the greeting. This gives the hacker access to proprietary corporate information.

Automated Attendant

Automated attendant is a service that connects to the PBX system to help route calls to the appropriate extension. A menu of options allows callers to choose a predefined destination, such as a department, announcement, or an attendant, or a user-defined destination, such as an extension number. Automated attendant devices (such as the MM system) are connected to one or more ports on the switch and provide the necessary signaling to the switch when a call is being transferred.

Many automated attendant systems are vulnerable to toll fraud and are easy targets for toll hackers. When hackers connect to an automated attendant system, they try to find a menu choice (even one that is unannounced) that leads to an outside facility. Hackers also may try entering a portion of the toll number they are trying to call to see if the automated attendant system passes the digits directly to the switch. To do this, the hacker matches the length of a valid extension number by dialing only a portion of the long distance telephone number. For example, if extension numbers are four digits long, the hacker enters the first four digits of the long distance number. After the automated attendant sends those numbers to the switch and disconnects from the call, the hacker provides the switch with the remaining digits of the number. Many voice messaging systems incorporate automated attendant features. Although there are some steps you can take to tighten the security of the automated attendant itself, additional steps must be taken on the switch side to reduce the risk of toll fraud.

Before you set up Automated Attendant, ensure that you do the following to minimize unauthorized usage:

  • Never allow a menu choice to transfer to an outgoing trunk without a specific destination.

  • When a digit (1 through 9) is not a menu option, program it to transfer to an attendant, an announcement, to disconnect, or other intercept treatment.

  • When 8 or 9 are Feature Access Codes for the switch, make sure the same numbers on the automated attendant menu are either translated to an extension or, if not a menu option, are programmed to transfer to an attendant, announcement, to disconnect, or other intercept treatment.

  • Restrict call transfers to subscribers when Basic Call Transfer is used.

  • Use outcalling restrictions to prohibit users from obtaining an external line when they dial an initial digit of an invalid mailbox number. See the MAS Administration Guide (pdf) for more information on outcalling restrictions.
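The first four checklist items can be checked mechanically against a menu definition. The following is an added example, not Avaya code: the menu format, the action names, and the `subscriber_only_transfer` flag are hypothetical stand-ins for whatever your automated attendant exports.

```python
# Added example: audit a constructed automated attendant menu against the checklist.
# The menu format and action names are hypothetical, not Modular Messaging settings.
INTERCEPT = {"attendant", "announcement", "disconnect", "intercept"}

def audit_menu(menu, feature_access_codes, subscriber_only_transfer):
    """Return (digit, finding) pairs for menu entries that break the checklist.

    menu maps a digit string to (action, destination); destination may be None.
    """
    findings = []
    for digit in "123456789":
        action, dest = menu.get(digit, (None, None))
        if action is None:
            # A digit that is not a menu option must still get intercept treatment.
            findings.append((digit, "no menu option and no intercept treatment"))
            continue
        if action == "trunk" and not dest:
            findings.append((digit, "outgoing trunk without a specific destination"))
        if digit in feature_access_codes:
            # A digit that is also a switch FAC must be translated or intercepted.
            safe = action in INTERCEPT or (action == "extension" and bool(dest))
            if not safe:
                findings.append((digit, "matches a Feature Access Code but is not "
                                        "translated to an extension or intercepted"))
    if not subscriber_only_transfer:
        findings.append(("*", "call transfers are not restricted to subscribers"))
    return findings

# Constructed sample menu: 7 reaches a trunk, 8 is unprogrammed, 9 passes digits on.
SAMPLE_MENU = {
    "1": ("extension", "4100"),
    "2": ("extension", "4200"),
    "3": ("announcement", "hours"),
    "4": ("attendant", None),
    "5": ("disconnect", None),
    "6": ("intercept", None),
    "7": ("trunk", None),
    "9": ("dial_through", None),
}

if __name__ == "__main__":
    for digit, finding in audit_menu(SAMPLE_MENU, {"8", "9"}, True):
        print(digit, finding)
```

Outcalling restrictions are administered separately and are not covered by this check.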

Modular Messaging and Toll fraud

The following Modular Messaging features can be used to commit toll fraud:

Call Me

This is a feature where Modular Messaging calls subscribers at a designated telephone number or a telephone list when subscribers receive a message that meets certain specified criteria. Subscribers who are permitted to use the feature create rules for the conditions that trigger Call Me, and the phone numbers that are called.

Find Me

This is a feature that redirects unanswered calls to a list of telephone numbers specified by the subscriber. Find Me applies only to calls that are unanswered, not to calls that reach a busy extension.

What you need to do

When a message triggers Call Me or Find Me, the MAS generates an outgoing call to a list of telephone numbers that the subscriber provides. If there is no answer at the first number in the list, the call is directed to the next number and then to subsequent numbers until the subscriber answers the call. Because the voice server (MAS) makes outgoing calls to designated phone numbers, these features make the system vulnerable to toll fraud. These features are enabled by means of a Class-of-Service (COS) setting. Administrators are advised to enable these features through the relevant COS for only those subscribers that truly require this method of notification. Administrators can also assign a restrictive PBX COS to the PBX ports used to make the outcall, or require account codes or authorization codes.

Detecting Toll fraud

To detect possible hacker activity, users and administrators should look for the following signals:

  • Employees cannot get outside lines.

  • Customers have difficulties in getting through to your 800 number. The busy line could even impact local Direct Inward Dial (DID) lines.

  • Unexplained increase in long distance usage.

  • Increase in short duration calls.

  • Significant increase in internal requests for assistance in making outbound calls, particularly international ones.

  • Nights and weekends have heavy call volumes.

  • Sudden increase in wrong numbers.

  • Bills show calls made to strange places.

  • Attendants report frequent "no one there" or "sorry, wrong number" calls.

  • Switchboard operators complain of frequent hang-ups or touch-tone sounds when they answer.

  • Sudden or unexplained inability to access specific administrative functions within the system.

  • Staff or customer complaints of inability to enter the voice mail system.

  • Simultaneous Direct Inward System Access (DISA) authorization code use coming from two different places at the same time.

  • Unusual increase in usage of customer premises equipment-based system memory.

  • Unusual increase in the number of subscribers with locked mailboxes.

  • Unexplained changes in system software parameters.

You can use monitoring techniques to review and keep track of various activities on your system. Modular Messaging provides a Reporting tool that generates comprehensive reports on subscriber mailbox port usage, subscriber incoming and outcalling activity, planning capacity, and tracking system security. You can view each of these reports for an entire day or for each hour. Reviewing these reports on a regular basis will help you establish traffic trends. Monitor your system on a regular basis by using these reporting and monitoring tools, and take corrective action if you notice any suspicious or unusual patterns.
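Several of the signals above (heavy night and weekend volume, short duration calls, calls to strange places) can be counted from call records and compared with the traffic trend you have established. The following is an added example, not output of the Modular Messaging Reporting tool: the record layout, the off-hours definition, the baseline counts, and the dialed numbers are constructed assumptions.

```python
from datetime import datetime

# Constructed call records: (start, direction, dialed digits, duration in seconds).
# The layout is hypothetical; map your switch or reporting export onto it.
SAMPLE_CALLS = [
    ("2024-03-04 10:15", "out", "912125550100", 340),
    ("2024-03-04 14:02", "in", "4100", 95),
    ("2024-03-05 09:40", "out", "913125550142", 12),
    ("2024-03-09 02:11", "out", "9011000000001", 8),
    ("2024-03-09 02:12", "out", "9011000000002", 9),
    ("2024-03-09 02:14", "out", "9011000000003", 1250),
    ("2024-03-10 23:30", "out", "9011000000004", 6),
    ("2024-03-11 20:05", "out", "912125550100", 600),
]
# Constructed baseline: typical counts per review period from earlier reports.
BASELINE = {"nights_and_weekends": 1, "short_duration": 2, "unusual_destination": 0}
USUAL_PREFIXES = {"91212", "91312"}  # constructed: prefixes the business normally dials

def is_off_hours(ts):
    """Weekends, and nights before 07:00 or from 19:00 (the hours are an assumption)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19

def toll_fraud_signals(calls, usual_prefixes, baseline, factor=2, short_secs=30):
    """Count outbound calls per signal; return signals exceeding factor x baseline."""
    out = [(datetime.strptime(start, "%Y-%m-%d %H:%M"), digits, secs)
           for start, direction, digits, secs in calls if direction == "out"]
    prefixes = tuple(usual_prefixes)
    counts = {
        "nights_and_weekends": sum(is_off_hours(ts) for ts, _, _ in out),
        "short_duration": sum(secs <= short_secs for _, _, secs in out),
        "unusual_destination": sum(not digits.startswith(prefixes)
                                   for _, digits, _ in out),
    }
    return {name: n for name, n in counts.items() if n > factor * baseline.get(name, 0)}

if __name__ == "__main__":
    for name, n in toll_fraud_signals(SAMPLE_CALLS, USUAL_PREFIXES, BASELINE).items():
        print(f"{name}: {n} calls, above trend")
```

In the sample, short duration calls stay within twice the baseline and are not reported, while off-hours volume and unusual destinations are.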

In addition, you can use the following measures to reduce the possibility of fraud:

  • Restrict call transfers to the host PBX by not allowing transfers, by using Enhanced Call Transfer, or by allowing Transfer to Subscriber Only.

  • When password protection into voice mailboxes is offered, use at least the minimum length specified for passwords.

  • Deactivate unassigned mailboxes and remove unused mailboxes.

  • Lock out consecutive unsuccessful attempts to enter a voice mailbox. Modular Messaging does this once an administered threshold of unsuccessful attempts is reached.

  • Establish your password as soon as your voice mail system extension is assigned. This will ensure that only you have access to your mailbox.

  • Discourage the practice of writing down passwords, storing them, or sharing them with others. Keep your password in a secure place and never discard it while it is active.

  • Never program passwords on auto dial buttons.

  • Contact Avaya for additional measures that you can take to prevent fraud.

Unauthorized system use

To minimize the risk of unauthorized break-ins to the system, strictly follow the compliance guidelines for your voice mail (vm) passwords, system administration (sa) passwords, and trusted server passwords, and use the password aging feature.

Modular Messaging comes with administrative password features and options that assist you in securing your system. These include:

  • Changing default administrator password. When you first get your system, make sure that you change both the system administrator and the voice mail administrator login passwords immediately. These logins are used to access the Avaya Message Storage Server (MSS). Access to the Avaya Messaging Application Server (MAS) is restricted to Windows Access Control Lists (ACLs) using the Windows Terminal Services into the MAS.

  • Administrator password standards. You must follow the minimum password standards to comply with the system's standards.

  • Administrator password aging. Use the password aging feature parameters to enhance the security levels of the system. This will ensure that administration passwords are changed at regular intervals. You can also use the password expiration feature for administrative logins to reduce the danger of unauthorized access.

See Password and mailbox administration for more information on passwords and mailbox administration.

You can ensure additional security by using the Avaya Access Security Gateway (ASG) guard, which provides secure remote access to the MSS. See Adjuncts for more information on ASG.