Protect your Business phone systems from FRAUD!

N/A
N/A
Protected

Academic year: 2021

Share "Protect your Business phone systems from FRAUD!"

Copied!
7
0
0

Loading.... (view fulltext now)

Full text

(1)

Protect your Business phone systems from FRAUD!

Detailed hereafter are two examples of businesses whose telephone systems have been the subject of fraud; also included is an extract from the ‘Action Fraud’ website, containing advice on preventative measures that can be adopted. In particular you may want to consider doing the following:

- Change the default settings on your system, and schedule further changes on a regular basis.

- Have your system engineer prevent dialling out to premium rate numbers, and bar all outgoing calls during the hours that you are closed.

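The two rules above can also be checked after the fact against the call log that most exchanges can export. The script below is an added example, not part of this leaflet or of any exchange vendor's software: it reads a constructed CSV call log and flags the calls the rules should have blocked (premium-rate numbers, anything placed outside opening hours), and totals the out-of-hours international minutes that are the signature of dial-through fraud. The opening hours, the number prefixes, the CSV layout and the "VM" source label for calls placed through the voicemail port are all assumptions.

```python
"""Audit an exported call log (CDR) against two PBX dial-out rules:
no premium-rate numbers, and no outgoing calls outside opening hours.
Added example; the policy values and the sample data are assumptions."""
from datetime import datetime, time
from typing import NamedTuple

# Constructed sample CDR (not from the leaflet): timestamp,source,dialled,duration_seconds.
# "VM" marks a call placed through the voicemail/DISA port rather than a desk extension.
SAMPLE_CDR = """\
timestamp,source,dialled,duration
2011-09-05T10:15:00,201,01843123456,120
2011-09-05T23:40:12,VM,0063912345678,1830
2011-09-06T02:05:44,VM,0097150123456,955
2011-09-06T11:02:10,204,09061234567,300
2011-09-06T14:30:00,203,02079460000,45
"""

# Assumed policy: open 08:00-18:00 Monday to Friday; UK premium-rate and service
# prefixes (09, 118, 087) are barred; the international prefix (00) is watched.
OPENING, CLOSING = time(8, 0), time(18, 0)
PREMIUM_PREFIXES = ("09", "118", "087")
INTERNATIONAL_PREFIX = "00"


class Call(NamedTuple):
    when: datetime
    source: str
    dialled: str
    seconds: int


def parse_cdr(text: str) -> list[Call]:
    """Parse the CSV export; the first line is the header."""
    calls = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        ts, source, dialled, dur = line.split(",")
        calls.append(Call(datetime.fromisoformat(ts), source.strip(), dialled.strip(), int(dur)))
    return calls


def is_out_of_hours(when: datetime) -> bool:
    """Weekend, or outside the opening window on a weekday."""
    return when.weekday() >= 5 or not (OPENING <= when.time() < CLOSING)


def classify(call: Call) -> list[str]:
    """Reasons a call breaches policy or matches the dial-through pattern (empty: clean)."""
    reasons = []
    if is_out_of_hours(call.when):
        reasons.append("out_of_hours")
    if call.dialled.startswith(PREMIUM_PREFIXES):
        reasons.append("premium_rate")
    if call.dialled.startswith(INTERNATIONAL_PREFIX):
        reasons.append("international")
    if call.source == "VM":
        reasons.append("via_voicemail_port")
    return reasons


def audit(text: str) -> list[tuple[Call, list[str]]]:
    """Every call with at least one reason, in log order."""
    return [(c, r) for c in parse_cdr(text) if (r := classify(c))]


def out_of_hours_international_minutes(text: str) -> float:
    """Minutes of international calling while closed: the bill the Whirlwind case describes."""
    return sum(c.seconds for c, r in audit(text)
               if "out_of_hours" in r and "international" in r) / 60


if __name__ == "__main__":
    for call, reasons in audit(SAMPLE_CDR):
        print(f"{call.when:%Y-%m-%d %H:%M} {call.source:>3} -> {call.dialled}: {', '.join(reasons)}")
    print(f"out-of-hours international minutes: {out_of_hours_international_minutes(SAMPLE_CDR):.1f}")
```

Any out-of-hours international minutes on a night the office was closed, particularly through the voicemail port, is the cue to check the exchange's remote-maintenance and voicemail dial-out settings and to raise the pattern with the carrier before the bill arrives.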
Dale Bradley came into the office of Whirlwind WS, the company he runs in Ramsgate, Kent, at 7.30 one morning to find the red lights on the internal phone exchange were flashing. That meant someone was making calls through it.

There was just one problem: he was the only person in the office. "I could not understand who was making the calls because I was the only one in and I could not break in to the conversations," Bradley explains. He reported the problem to BT, which told him it must be a fault on his equipment - a modern Panasonic digital business exchange installed in November 2004.

A month later, BT returned: an investigation unit had tracked unusual activity on Whirlwind's lines, probably fraud. Someone had cracked the 16-digit alphanumeric password set up on the exchange and used it to make international calls to the Philippines, Dubai, the US and Italy, ringing up costs of £1,000 in the process.

Whirlwind had been hit by one of the longest-running problems to plague businesses running modern internal digital exchanges: "dial-through fraud", so called because it exploits a facility offered on many exchanges that lets company employees ring in to the switchboard, and then by keying certain dialling codes, get an outside line to anywhere in the world. Because it's meant for employees, the company picks up the bill for the outgoing call. But anyone who cracks the protection around those codes can make unlimited calls at the company's expense.

Bradley expected that the criminals could be traced back to the phones from which they had called in to his switchboard - a relatively simple process, given modern computerised exchanges. But he was to discover that provisions put in by this government, ostensibly intended to help the detection of computer-based crime, would actually work against him - by making it too expensive to track down the perpetrators.

First, though, since BT had identified the calls as fraud, surely it could forgive the bill, suggested Bradley. Not at all; Whirlwind was liable for calls made from its system, BT said. Insult was added to injury on the discovery that the company's insurance policy has a standard clause exempting "electronic losses". Whirlwind picked up the tab.

Intercept data

But since BT had discovered it was fraud, could the police investigate, using the information BT had discovered? No. The police said it would not be "cost effective" to investigate: BT would charge £1,500 for the "intercept data" that would reveal where the calls coming into the exchange had come from on that morning.

(2)

Modern digital exchanges, especially those in small companies and organisations, are particularly vulnerable to dial-through fraud, says Gus Hauptfleisch, a freelance telecommunications consultant based in London. "The security is often weaker in small organisations. Typically, the thieves will phone out of hours and wait to be switched through to the digital voice mail," he explains. "They then use a digital tone generator to activate the remote diagnostic facilities built into the digital exchange."

Such hacking, which is used to make calls across the world, is estimated to cost British businesses millions of pounds annually. "All of the telecoms companies are aware of the problem, but it is notoriously difficult to get them to acknowledge its size or take responsibility," says Hauptfleisch.

There is evidence that in the UK the situation has deteriorated in the past year. The Metropolitan police says fraud from inner-city shops offering cheap international calls is increasing; yet individual police forces are more reluctant than ever to mount investigations because of substantially increased charges that the communications companies now demand to help police enquiries. And it's all because of a little-known provision of the Regulation of Investigatory Powers Act 2000 (Ripa).

"As far as the involvement of the police are concerned, there are frequent requests for BT to disclose information, and in this case the request was for the incoming call records," BT's spokesman says. "It is not very widely known, but in all such cases there is a cost incurred." That is the £1,500 BT wanted to supply the records to police.

So how does BT justify such a high cost for what must be an automated retrieval process? "That is the cost of providing the information," said the BT spokesman. "It is a matter for Kent police if they choose not to pay."

A spokesman for Kent police confirmed that this was why the investigation was dropped. "With crimes of this sort we have to take a decision about which to investigate. Each case is looked at on its merits and in the light of policy guidelines. In this case the losses just did not justify the cost of the investigation."

But where did that £1,500 figure come from? According to Kent police, the detective in charge of the investigation filed a "Ripa request", asking BT to provide the originating call data under a mechanism laid out in the act. "Some communications companies only charge us £40 for data released under the act, but as we understand it they are allowed to charge up to £1,500, and that is what BT did," said the Kent police spokesman.

A spokesman for the Home Office confirmed that the wide discrepancy in charges to the police for exactly the same information from different communications companies was possible under the act. "The communications companies are not allowed to profit from the charges they levy but they are entitled to recover their costs," he said.

Some communications companies, like BT, employ large numbers of staff and state-of-the-art equipment capable of tracing calls almost instantly, said the Home Office spokesman; others employ just one person and can take much longer to retrieve call data. In both cases the companies are allowed to recover the costs of staff and equipment, so the bills vary widely. The Home Office says there is no scale of charges as such, but neither is there a mechanism for police forces to appeal if they think they have been overcharged. BT controls the majority of the network, so it is the major supplier under RIPA of both incoming call records and intercept data to the police, MI5, MI6 and Defence Intelligence. But the different groups have different needs. The intelligence community wants information quickly, regardless of cost. BT has responded by setting up a fast but expensive surveillance service whose costs are recouped piecemeal. The police, with much higher volumes of simple inquiries, are far more cost conscious. BT's call investigation charges may thus subsidise complex intelligence operations by penalising run-of-the-mill police operations.

Consequently, police forces are turning away legitimate complaints from people like Bradley because they can no longer afford the cost of the investigations - even though arguably someone who hacks into one phone exchange to make fraudulent calls is likely to do it many times. Catching them, even at an apparent £500 "loss", results in bigger savings for everyone else.

Galling exploit

What made the exploit particularly galling to Bradley and the telecommunications maintenance company that installed the exchange - one of the KX TDA range from Panasonic, the market leader in providing internal exchanges of fewer than 100 lines to small businesses - is that they thought it was secured. They had replaced the default passwords (which are often "admin" and "0000" or "1234") with a 16-character passcode.

But another weakness remained. Modern digital exchanges are designed to be maintained remotely so engineers can alter configurations or set up new lines without making a site visit. Anyone with the appropriate maintenance software who has cracked the 16-character code can take command of an entire system without its users' knowledge.

The engineer who maintained the Whirlwind WS system was stunned. "It never occurred to me that a small office in Ramsgate would not be secure behind a 16-digit access code," he said.

But even a 16-character code isn't safe against modern crackers, explains Paul White, product development manager for business telephone systems at Panasonic UK. "There are plenty of free utilities off the internet that will do that for you," he says. "Most passwords are cracked by software that literally tries 1 through to 9 and then a1, a2, a3 and so on. If they have something that does that, then it is only a matter of time until the system is compromised." The only sure way to secure a modern digital exchange is to lock it down so that it can only be maintained remotely by an engineer calling from a single phone number that the host system has already been told about, says White. "If somebody is determined enough, then they can crack passwords because [engineers] do not secure anything completely."

Many maintenance engineers do not seem to know how to properly secure exchanges, and their customers do not know about the potential vulnerability. If you have a maintenance contract with a company, then it should specify which party will foot the bill if the security is cracked.

And the tools abound. Digital code crackers can be found with an internet search; so can the Panasonic PBX remote management software. It is perfectly legal to download either; a crime is only committed when someone tries to make a fraudulent call.

BT says that it regularly monitors suspicious call patterns, and reported those it spotted on the Whirlwind system. "Mr Bradley owns the equipment which is not a BT supplied switch and it is, therefore, his responsibility to ensure its security," a spokesman added.

(4)

As for Bradley, the experience has left a sour taste. "It feels as though BT is withholding evidence and the police are more interested in balancing their books than preventing crimes. It stinks."

By Michelle McCallum of the Remark Group
Published on Tuesday 6 September 2011 13:42

The on-going phone hacking scandal has made me nervous about the vulnerability of my own business – what steps can I take to protect it?

WE’VE all seen the escalation of the phone hacking scandal in recent weeks – with the revelation that it’s not just the rich and famous who have been affected.

Even those out of the headlines are at risk of falling foul of the fraudsters, and none more so than local businesses.

You may be familiar with a recent news story about a company in Essex that had its automated switchboard hacked into through its answer phone message.

The result of the hackers’ actions in using the phone line to make worldwide calls was a phone bill sent to the company for £3,000! However, there are a few simple but effective steps you can take to protect your business against this kind of fraud.

So, how do they do it? Well, phone hackers know exactly what they are doing, and look for weaknesses in a company’s telephone system to enable them to hack into it and use it for their own gain.

As you would expect, this normally happens during the night or at a time when it is less likely the telephones will be answered. When the phone rings through to a voicemail, they then hack into the password and use that line.

The general advice we offer to businesses trying to protect themselves would be never to use the default password on a voicemail and to change your password regularly; this applies to individual and group mail boxes.

As an IT and telecommunications company, we work very closely with some of the top name communication providers – who are able to pass on the very latest know-how to ourselves, and we in turn are able to advise the customers. Businesses can further protect themselves by asking their engineer or a company like ourselves to programme their voicemail to disable the dial out function.

Next week – Clare Eager from People HR looks at how working as a team can improve your performance.

If you have got a business issue you would like addressing by one of our panel, send it to john.kralevich@peterboroughtoday.co.uk

Read via the internet.

PREMIUM RATE PHONE LINE SCAMS

Non-investment fraud

Protect Yourself

Fixed line or premium rate fraud is when fraud is committed against telephone companies.

Fixed line fraud can be done in a number of ways. In some cases, fraudsters gain access to a switchboard and sell other people the ability to make calls through the switchboard. This is known as Dial Through Fraud (DTF) or Direct Inward System Access Fraud (DISA).

Fixed line fraud can include Premium Rate Service fraud, which is when fraudsters significantly increase the number of calls to a premium number so they can increase the revenue they receive from it.

Call selling fraud is another form of fixed line fraud. This is when fraudsters take out a phone service and sell other people the ability to make calls through it. The fraudster has no intention of paying the bill.

The final form of fixed line fraud involves fraudulent applications. In this type of fraud, the fraudster takes out a phone service in a false name and leaves a bad debt.

(6)

SUPPLIER ACCOUNT TAKE OVER FRAUD

An account takeover happens when a fraudster poses as a genuine customer, or supplier, gains control of an account and then makes unauthorized transactions. Any account could be taken over by fraudsters, including bank, credit card, email and other service providers. This activity has now extended to supplier accounts.

- Organised criminals purport to be representatives of a genuine supplier company. The fraudsters send letters, facsimiles and/or emails to accounts payable staff and request that the current bank details for genuine supplier companies are changed to bank accounts which the fraudsters have access to.

- Following that change, genuine business payments to that supplier are diverted to the fraudsters. The genuine supplier companies are unaware, and it is only after they make contact with businesses in relation to non-receipt of payment that the fraud becomes apparent. Often by that time the fraudsters have emptied the bank accounts that the monies were redirected to. The fraudsters target better known supplier companies, possibly as a result of tender documents or publicised creditor lists.

- Often email addresses on letters submitted use domain extensions similar to that of the genuine companies, but which are in fact operated by the fraudsters.

- The fraudsters have called telephone switchboards of target companies asking for contact names responsible for authorising payments, in order that correspondence is directed to the relevant staff members.

- Supplier details such as telephone numbers have been requested, presumably to be added to the fictitious requests to add authenticity.

- There are examples of the fraudsters telephoning target companies to chase payment, in the hope that some checks might not be carried out.

- Company Secretary, Finance Director and other authorized contact details (including signatures) are generally correct – almost certainly having been scanned from published information available from various sources including the Internet.

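One of the points above, the use of e-mail domains that look like the genuine supplier's, can be checked mechanically at the moment a request to change bank details arrives. The script below is an added example and is not from this leaflet or from Action Fraud: it holds a constructed supplier register, classifies the sender's domain as registered, a lookalike (same name on a different extension, or a near-miss spelling) or unrelated, and returns the holds that apply before accounts payable may act. The register entries, the sample requests and the "call back on the number held on file" control are assumptions for the example.

```python
"""Screen a 'please update our bank details' request before it reaches accounts payable.
Added example; the supplier register, the sample requests and the control steps are
constructed assumptions, not material from the leaflet."""

# Constructed supplier register: the e-mail domain and bank details held on file.
SUPPLIER_REGISTER = {
    "Example Stationers Ltd": {
        "domain": "example-stationers.co.uk",
        "bank": ("12-34-56", "12345678"),
    },
}

# Assumed control: any change to bank details is confirmed out of band.
CALLBACK = ("hold: confirm by telephone on the number held on file, "
            "not a number given in the request, before changing details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domain names is the lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def assess_sender(address: str, registered_domain: str) -> str:
    """'registered', 'lookalike' (same name on another extension, or a near-miss spelling) or 'unrelated'."""
    d, r = sender_domain(address), registered_domain.lower()
    if d == r:
        return "registered"
    d_name, r_name = d.split(".", 1)[0], r.split(".", 1)[0]
    if d_name == r_name or levenshtein(d_name, r_name) <= 2 or levenshtein(d, r) <= 2:
        return "lookalike"
    return "unrelated"


def screen_change_request(request: dict) -> list[str]:
    """Holds that apply before the request may be actioned; an empty list means nothing changes."""
    entry = SUPPLIER_REGISTER.get(request["supplier"])
    if entry is None:
        return ["reject: supplier is not on the register"]
    holds = []
    verdict = assess_sender(request["from"], entry["domain"])
    if verdict == "lookalike":
        holds.append(f"hold: sender domain {sender_domain(request['from'])} is a lookalike of {entry['domain']}")
    elif verdict == "unrelated":
        holds.append("hold: sender domain is not the one on the register")
    if request["new_bank"] != entry["bank"]:
        holds.append(CALLBACK)
    return holds


# Constructed sample requests as they might be logged from the accounts mailbox.
SAMPLE_REQUESTS = [
    {"supplier": "Example Stationers Ltd", "from": "accounts@example-stationers.com",
     "new_bank": ("65-43-21", "87654321")},
    {"supplier": "Example Stationers Ltd", "from": "accounts@examp1e-stationers.co.uk",
     "new_bank": ("65-43-21", "87654321")},
    {"supplier": "Example Stationers Ltd", "from": "accounts@example-stationers.co.uk",
     "new_bank": ("65-43-21", "87654321")},
    {"supplier": "Example Stationers Ltd", "from": "accounts@example-stationers.co.uk",
     "new_bank": ("12-34-56", "12345678")},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["from"], "->", screen_change_request(req) or ["no change to bank details"])
```

Note that a request from the registered domain still gets the callback hold: the domain check catches the lookalike letters described above, but a genuine mailbox can also be compromised, so the telephone confirmation on the number already held on file is the control that does not depend on the message at all.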
What can you do? (P.I.E)

- PREVENT customers from falling victim to these scams: keep them apprised of the fact that you will not be changing your account details; should the need occur, you will correspond with them in writing and in person. Identify lead staff members with whom they can confer and confirm any new information. Inform your staff of the ‘Supplier Account Take Over’ modus operandi; tell them to be alert to unusual e-mails or telephone calls; where necessary ask them to make a timely record of the event where they consider it to be suspicious. Publicly identify the nature of your business and, where appropriate, the fact that you do not deal in certain goods.

- INTELLIGENCE – Scan the Internet, particularly websites that are used to sell goods or services your business provides (Ebay, Gumtree and Alibaba.com being examples). Actively pursue any information that a customer may pass on concerning correspondence they have received and are anxious about.

- ENFORCEMENT – Insist on your staff / team adhering to these guidelines. Where you have been the victim of either an attempt or a full scam, take IMMEDIATE action to limit the effect. Apprise customers, put out a message on websites where they exist, utilise the ‘Action Fraud’ reporting mechanism and / or report the matter to the most appropriate Law Enforcement Agency.

The perpetrators of such crimes can have a very immediate effect on your business where payments are diverted from your legitimate accounts. More difficult to deal with is the scenario where they purport to be your Company and carry on a business without your knowing; something that can undermine your hard earned reputation. MAKE IT DIFFICULT FOR THEM AND THEY WILL LOOK ELSEWHERE.

Web addresses

Action Fraud: http://www.actionfraud.org.uk/
Gumtree: http://www.gumtree.com/
Ebay: http://www.ebay.co.uk
Alibaba: http://www.alibaba.com/
