By SOPHIE DONOGHUE
BRUSSELS – Toll fraud, based on hacking into a company’s PBX (private branch exchange) telephone system, is a mushrooming “business” in Europe. Yet for small companies there is no regulatory recourse nor is there a common EU approach to the problem, say industry experts.
This and other cyber-issues were the subject of discussions during the Cyber Threat Summit in Dublin on 20 September. SECURITY EUROPE monitored the event via live webcast.
Toll fraud is an easily overlooked form of hacking that leaves many businesses and entities wide open to this kind of theft, speaker Paul Byrne told the conference. Byrne, founder of the Dublin-based company PBX Wall, saw his own previous small business ruined by PBX hackers.
For a telling statistic, he pointed to recent reports from the Communications Fraud Control Association (CFCA), which put the value of international telecommunications fraud at nearly EUR 4 billion each year. Based in New Jersey, CFCA consists of approximately 200 telecommunications carriers, private network owners, end-users and law enforcement officers from around the world.
Toll fraud involves hacking into an entity’s PBX and generating revenue over its telephone lines at the entity’s expense. Hackers make a profit by using the lines to illicitly call pre-registered international premium rate numbers, activity that, in the eyes of the entity’s service provider, appears normal and so sets off no alarm bells, especially if the hacker spreads the fraud out over time.
Voicemail is one of the most common windows for hackers and the biggest threat to businesses that use a PBX phone system or voicemail. Hackers often gain access through voicemail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords. Once inside a PBX environment, unauthorised third parties can use system commands to gain a dial tone and thus place calls. They can then “re-sell” the service by passing on the access to crooked operators who offer below-market long-distance service, with the operator’s profit covered by the targeted company’s PBX bill.
Unsuspecting businesses and organisations can end up with their PBX systems generating thousands of euros worth of telephone bills in a matter of hours. If not detected, it can lead to astronomical bills, as experienced by Ireland’s Department of Social Affairs, which was hit with a telephone bill of 300,000 euros over a single weekend in 2003. Businesses tend to be targeted at weekends or overnight when premises are unattended, observed Byrne.
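The two defensive checks that follow from the mechanism described above are illustrated here as an added example, not code from the article or from PBX Wall: a voicemail-PIN policy check that rejects the trivial values named (1111, 2222, 1234 and factory defaults), and a detection pass over call detail records (CDRs) that flags international calls placed at weekends or overnight. The CDR layout, the sample lines and the business-hours window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample CDR lines in a hypothetical
# "timestamp,extension,dialled number,duration in seconds" layout.
SAMPLE_CDR = """\
2012-09-15T02:14:07,204,+8821612345678,611
2012-09-15T02:16:51,204,+8821612345679,598
2012-09-15T02:19:30,204,+8821612345680,620
2012-09-17T10:05:12,118,+441632960123,85
2012-09-17T11:22:40,118,0123456789,120
"""

def is_weak_voicemail_pin(pin: str, factory_defaults=("0000", "1234")) -> bool:
    """Password-policy check: reject non-numeric or short PINs, site factory
    defaults (assumed list), repeated digits (1111, 2222) and ascending or
    descending runs (1234, 4321)."""
    if not pin.isdigit() or len(pin) < 4 or pin in factory_defaults:
        return True
    if len(set(pin)) == 1:                       # 1111, 2222, ...
        return True
    step = int(pin[1]) - int(pin[0])
    sequential = all(int(pin[i + 1]) - int(pin[i]) == step
                     for i in range(len(pin) - 1))
    return sequential and step in (1, -1)        # 1234, 4321, ...

def is_international(number: str) -> bool:
    # "+" or "00" prefix marks an international destination in this sample.
    return number.startswith("+") or number.startswith("00")

def outside_business_hours(ts: datetime, open_hour=8, close_hour=18) -> bool:
    # Assumed window: Monday to Friday, 08:00-18:00 local time.
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def flag_suspect_calls(cdr_text: str):
    """Return (extension, timestamp, number) for every international call
    placed at a weekend or overnight, the pattern the article describes."""
    alerts = []
    for line in cdr_text.splitlines():
        ts_str, ext, number, _duration = line.split(",")
        ts = datetime.fromisoformat(ts_str)
        if is_international(number) and outside_business_hours(ts):
            alerts.append((ext, ts_str, number))
    return alerts
```

In the sample, only the three Saturday night calls from extension 204 are flagged; the Monday daytime international call and the domestic call are not.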
On the policy and regulatory front, PBX fraud is often swept under the carpet by the telecom industry, which raises a major question mark over accountability, said Byrne. In strictly legal terms, telecom carriers across Europe are entitled to collect telephone fees generated by their customers’ lines, while the defrauded business is legally obligated to pay the bill. Demands by outraged businesses for recourse are generally fruitless, leaving the organisation no choice but to bitterly pay the bill.
Installing and enforcing a strong password-management policy is the first step towards protection. However, much more needs to be done, said Byrne, adding that organised crime and terrorist networks are the main players in this game, using the profits to fund their other illegal activities.
As for law enforcement agencies, it’s difficult to justify a cross-border investigation unless large amounts of money or perpetrators are involved. Not surprisingly, hackers tend to target businesses in different countries, which increases the fragmentation, or they “dip” into a given PBX for only relatively short times thus generating smaller amounts to stay below a company’s radar. As a result, very few PBX fraud cases end in prosecution and perpetrators are rarely caught. In nearly every instance, the toll fraud victim ends up footing the bill.
Logic suggests that industry, regulators and police authorities should mull how tools such as the EU’s evolving security-breach logbook might be used to help trace the perpetrators of PBX fraud. In a world where communications devices are increasingly connected to each other, it’s only a matter of time before this kind of “piggyback” fraud spreads from fixed-location PBXs to anything that makes a phone call.