A recent rash of IP phone hacking has left many Japanese businesses with huge phone bills for calls they claim they did not make. The attacks underscore the need for better security practices and more modern policy from regulatory agencies.
According to Japan Times, 101 complaints were issued last year to IP carriers NTT East Corp. and NTT West Corp. over charges for international calls the customers claimed they did not make. It appears that hackers were able to access the customers’ switching systems and make numerous international phone calls. Entities in the countries receiving these calls would get a portion of the fees collected, thus giving the hackers their payoff.
Attacking IP phone systems is nothing new. The Los Angeles Times reported in 2013 on hospitals, emergency dispatch centers, financial firms, and schools being attacked. Unlike the attacks in Japan, these were attacks in which a phone system is overwhelmed to the point of being unusable, similar to denial-of-service attacks against websites. In one case, an unnamed hospital was attacked in this manner by an extortionist demanding money.
The effects of these attacks go well beyond costing companies money; they could cost someone their life. When hospitals cannot make or receive phone calls or a 911 call center is tied up, people who need emergency services or medical care are left unaided.
Customers can take several steps to prevent attacks like the ones affecting the businesses in Japan. Perhaps the easiest solution would be to contact the carrier to disable international phone calls. If that is not an option, imposing a daily cap on international calling would at least limit the damage from hacking. Creating better passwords, using firewalls, and whitelisting IP addresses of remote callers are additional safeguards.
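The sketch below is an added example, not part of the original article or any carrier's tooling. It audits call detail records against two of the safeguards above, a daily cap on international spend and an allowlist of caller source networks. The record layout, prefix, cap and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed site policy (hypothetical values, not from the article).
HOME_PREFIX = "+81"                             # numbers with this prefix are domestic
DAILY_INTL_CAP = 50.0                           # allowed international spend per day
ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]  # networks remote callers may use

# Constructed call detail records: (start time, source IP, dialed number, cost).
SAMPLE_CDRS = [
    ("2015-06-01T09:00:00", "192.0.2.10", "+81355550100", 0.1),
    ("2015-06-01T10:00:00", "192.0.2.10", "+442079460001", 20.0),
    ("2015-06-01T23:10:00", "203.0.113.7", "+9995550101", 25.0),
    ("2015-06-01T23:30:00", "192.0.2.10", "+9995550102", 25.0),
    ("2015-06-02T08:00:00", "192.0.2.10", "+442079460001", 20.0),
]

def audit_cdrs(cdrs):
    """Return (start, reason) findings for international calls that break policy."""
    spend = defaultdict(float)  # calendar day -> international spend so far
    findings = []
    for start, src, dialed, cost in sorted(cdrs):
        if dialed.startswith(HOME_PREFIX):
            continue  # domestic calls are outside both controls
        if not any(ip_address(src) in net for net in ALLOWED_SOURCES):
            findings.append((start, "source not allowlisted"))
        day = datetime.fromisoformat(start).date()
        spend[day] += cost  # the call is billed whether or not it was legitimate
        if spend[day] > DAILY_INTL_CAP:
            findings.append((start, "daily cap exceeded"))
    return findings

if __name__ == "__main__":
    for start, reason in audit_cdrs(SAMPLE_CDRS):
        print(start, reason)
```

Run against live records, the same two checks show whether a cap or allowlist would have stopped a burst of overnight international calls before the bill arrived.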
In the U.S., victims of phone fraud won’t get much help from the government. In spite of recent attacks, the FCC has not responded with any policy proposals to protect companies that get hacked. Credit cards protect consumers from fraudulent transactions, but there are no similar safeguards for IP phone customers when their systems are compromised. Until such policies are enacted, IP phone customers are on their own.
Edited by Maurice Nagle