
The telecom industry’s look-the-other-way problem: toll fraud for all


BRUSSELS – Toll fraud, based on hacking into a company’s PBX (private branch exchange) telephone system, is a mushrooming “business” in Europe. Yet for small companies there is no regulatory recourse nor is there a common EU approach to the problem, say industry experts.

This and other cyber-issues were the subject of discussions during the Cyber Threat Summit in Dublin on 20 September. SECURITY EUROPE monitored the event via live webcast.

An easily overlooked form of hacking, toll fraud leaves many businesses and entities wide open to this kind of theft, speaker Paul Byrne told the conference. The founder of the Dublin-based company PBX Wall, Byrne’s own previous small business was ruined by PBX hackers.

For a telling statistic, he pointed to recent reports from the Communications Fraud Control Association (CFCA) which puts the value of international telecommunications fraud at nearly EUR 4 billion each year. Based in New Jersey, CFCA consists of approximately 200 telecommunications carriers, private network owners, end-users and law enforcement officers from around the world.

Toll fraud involves hacking into an entity’s PBX and generating revenue over its telephone lines at the entity’s expense. Hackers make a profit by using the lines to place illicit calls to pre-registered international premium-rate numbers. In the eyes of the entity’s service provider this activity appears normal, so it sets off no alarm bells if the hacker spreads the fraud out over time.

Voicemail is one of the most common windows for hackers and the biggest threat to businesses that use a PBX phone system or voicemail. Hackers often gain access through voicemail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords. Once inside a PBX environment, unauthorised third parties can use system commands to gain a dial tone and thus place calls. They can then “re-sell” the service by passing on the access to crooked operators who offer below-market long-distance service, with the operator’s profit covered by the targeted company’s PBX bill.

Unsuspecting businesses and organisations can end up with their PBX systems generating thousands of euros worth of telephone bills in a matter of hours. If the fraud goes undetected, the bills can become astronomical, as experienced by Ireland’s Department of Social Affairs, which was hit with a telephone bill of 300,000 euros for a single weekend in 2003. Businesses tend to be targeted at weekends or overnight, when business premises are unattended, observed Byrne.
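The detection gap the article describes has a practical counterpart: the fraud only shows up as an off-hours burst of long calls to destinations the business never dials. The following is an added example, not code from the article, PBX Wall or any carrier, of a minimal call detail record (CDR) screen a PBX administrator could run nightly. It assumes a simple CSV export with start time, extension, dialled number and duration; the CDR rows, the watched country prefixes and the threshold are all constructed for the example.

```python
# Added example (not from the article): screen PBX call records for the
# off-hours international pattern the text describes. The CDR format,
# sample rows, watched prefixes and threshold are constructed assumptions.
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDRs (not real traffic). Extension 204 shows a burst of
# long calls late on a Saturday night and early Sunday morning.
SAMPLE_CDRS = """start,extension,dialled,duration_s
2012-09-15T10:05:00,201,+44207123456,120
2012-09-15T23:02:00,204,+25291234567,610
2012-09-15T23:04:00,204,+25291234567,590
2012-09-15T23:06:00,204,+25299876543,605
2012-09-15T23:09:00,204,+25291234567,620
2012-09-16T02:15:00,204,+37060000000,900
2012-09-17T09:30:00,201,+35312345678,300
"""

# Destinations this (hypothetical) business never calls. An administrator
# would build this list from the organisation's real call profile.
WATCH_PREFIXES = ("+252", "+370", "+882")

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, Monday to Friday


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside business hours, the windows the text
    says attackers prefer because premises are unattended."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def parse_cdrs(text: str) -> list[dict]:
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(row["start"]),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "duration_s": int(row["duration_s"]),
        })
    return rows


def screen_cdrs(rows: list[dict], max_offhours_intl_minutes: float = 15.0) -> dict[str, float]:
    """Return {extension: minutes} for extensions whose off-hours minutes to
    watched prefixes exceed the threshold. Summing per extension rather than
    per call catches the 'many short dips' variant the text mentions."""
    per_ext: dict[str, float] = defaultdict(float)
    for r in rows:
        if is_off_hours(r["start"]) and r["dialled"].startswith(WATCH_PREFIXES):
            per_ext[r["extension"]] += r["duration_s"] / 60
    return {ext: round(mins, 1) for ext, mins in per_ext.items()
            if mins > max_offhours_intl_minutes}


def screen_text(text: str) -> dict[str, float]:
    """Convenience wrapper: parse and screen a CDR export in one call."""
    return screen_cdrs(parse_cdrs(text))


if __name__ == "__main__":
    for ext, minutes in screen_text(SAMPLE_CDRS).items():
        print(f"ALERT extension {ext}: {minutes} off-hours minutes to watched destinations")
```

Because the screen aggregates per extension over the whole export rather than alerting on a single call, a weekend of repeated ten-minute calls trips the threshold even though no single call would look unusual to the carrier. The same summary, run against the carrier's own usage data, is what a business would need when disputing a bill.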

On the policy and regulatory front, PBX fraud is often swept under the carpet by the telecom industry, which raises a major question mark over accountability, said Byrne. In strictly legal terms, telecom carriers across Europe are entitled to collect the telephone fees generated on their customers’ lines, while the defrauded business is legally obliged to pay the bill. Demands by outraged businesses for recourse are generally fruitless, leaving the organisation no choice but to pay, however bitterly.

Installing and enforcing a strong password-management policy is the first step towards protection. However, much more needs to be done, said Byrne, adding that organised crime and terrorist networks are the main players in this game and use the profits to fund their other illegal activities.
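The password policy the text calls the first step is concrete on a PBX: voicemail and DISA (direct inward system access) PINs must not be the factory defaults, the trivial codes the article lists (1111, 2222, 1234) or the mailbox’s own extension. The following is an added example, not code from the article or from PBX Wall, of a policy check an administrator could run against a mailbox export before and after a PIN reset campaign. The deny list, the minimum length and the sample mailboxes are constructed assumptions, not any vendor's actual defaults.

```python
# Added example (not from the article): enforce a voicemail/DISA PIN policy
# of the kind the text recommends. Deny list, minimum length and sample
# mailboxes are constructed for the example.
from __future__ import annotations

import re

MIN_LENGTH = 6

# Vendor-style defaults and trivially guessable codes. Constructed list; a
# real deployment would take the actual defaults from the PBX vendor's manual.
DENY_LIST = {"0000", "1111", "1234", "2222", "123456", "000000", "111111"}


def is_sequential(pin: str) -> bool:
    """Digits strictly ascending or descending by one (1234, 654321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """All the same digit (2222) or a short block repeated (121212, 204204)."""
    if len(set(pin)) == 1:
        return True
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False


def contains_extension(pin: str, extension: str) -> bool:
    """The extension, or its reverse, appearing anywhere in the PIN."""
    return extension in pin or extension[::-1] in pin


def check_pin(pin: str, extension: str) -> list[str]:
    """Return the policy violations for a proposed PIN; an empty list means accepted."""
    problems = []
    if not re.fullmatch(r"\d+", pin):
        problems.append("digits only")
        return problems
    if len(pin) < MIN_LENGTH:
        problems.append("too short")
    if pin in DENY_LIST:
        problems.append("on deny list")
    if is_sequential(pin):
        problems.append("sequential digits")
    if is_repeated(pin):
        problems.append("repeated pattern")
    if contains_extension(pin, extension):
        problems.append("contains extension")
    return problems


def audit(mailboxes: dict[str, str]) -> dict[str, list[str]]:
    """Map each non-compliant extension to its list of violations."""
    result = {}
    for ext, pin in mailboxes.items():
        problems = check_pin(pin, ext)
        if problems:
            result[ext] = problems
    return result


# Constructed sample export of extension -> current PIN (not real data).
SAMPLE_MAILBOXES = {"201": "1234", "204": "204204", "210": "839417", "215": "654321"}

if __name__ == "__main__":
    for ext, problems in audit(SAMPLE_MAILBOXES).items():
        print(f"extension {ext}: {', '.join(problems)}")
```

Running the audit on the sample flags three of the four mailboxes; only 210 passes. A PIN check like this belongs in the provisioning step, so that a mailbox can never be created with a default code, and it should be paired with disabling DISA and outbound dialling from voicemail wherever the business does not need them.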

THE UPSHOT: One of the most frustrating aspects of toll fraud is the lack of attention it receives. The telecoms industry knows it is a serious problem, but doesn’t want it publicized. It’s the same attitude the industry applies toward security breaches in general. The EU’s revised telecommunication rules of 2009 require operators to notify the authorities when their networks have been compromised, yet operators hate the idea of sharing this with each other for reasons of “confidentiality”, or for fear that their problems will leak out and damage their public image. Meanwhile, regulatory authorities don’t care about PBX password security and have bigger issues to deal with.
As for law enforcement agencies, it’s difficult to justify a cross-border investigation unless large amounts of money or perpetrators are involved. Not surprisingly, hackers tend to target businesses in different countries, which increases the fragmentation, or they “dip” into a given PBX for only relatively short times thus generating smaller amounts to stay below a company’s radar. As a result, very few PBX fraud cases end in prosecution and perpetrators are rarely caught. In nearly every instance, the toll fraud victim ends up footing the bill.
Logic suggests that industry, regulators and police authorities should mull how tools such as the EU’s evolving security-breach logbook might be used to help trace the perpetrators of PBX fraud. In a world where communications devices are increasingly connected to each other, it’s only a matter of time before this kind of “piggyback” fraud spreads from fixed-location PBXs to anything that makes a phone call.

About Sophie Donoghue

Sophie Donoghue was deputy editor and policy analyst at SECURITY EUROPE during 2012-2013 and now freelances for the publication from London. She can be reached at: sd@seceur.info
