In North America, VoIP and SIP revenue is projected to reach $10.3 billion by 2020, nearly triple the $3.2 billion earned in 2014. VoIP services are also fertile ground for hackers and fraudsters, who naturally follow where the money flows.
In its latest 2013 global fraud loss survey, the Communications Fraud Control Association (CFCA) found that PBX and VoIP hacking fraud methods accounted for $4.4 billion and $3.6 billion in lost carrier revenue respectively. To make matters worse, fraud losses are actually growing faster than telecom revenues, representing 2.1 percent of total global revenues.
However, most PBX owners remain unaware of fraud until they receive a bill for thousands of dollars for services they never used, followed by long legal battles with the phone company. Disputes between carriers and their customers whose PBXs were compromised have reached epidemic proportions.
But how exactly do fraudsters fatten their bank accounts? Let’s review one scenario, starting with an ordinary SIP phone that is popular with fraudsters. The first step is to elicit the SIP credentials from the phone, surprisingly easy once you know how:
- Search online for ISPs or companies that are delivering VoIP services.
- Check RIPE for likely IP address ranges and scan them for SIP phones.
- For each SIP phone you find, do a brute force search for extension numbers or usernames (might just be three digits, 1000 extensions).
- Send SIP INVITE to these extensions/usernames. The correct extension will trigger the phone to ring. When the user hangs up, the MD5 digest is revealed, and the smart fraudster can use brute force to find the password that matches this digest.
- Yes, some SIP implementations are harder to crack than others, but the fraudster only needs a small percentage of systems to yield passwords.
So, now the fraudster has a valid set of SIP account credentials and the ability to place calls at will from anywhere in the world. The fraudster can then buy an International Revenue Share (IRS) number and use a call generator to create or “pump” large amounts of call traffic from the hacked SIP phone’s extension to their favorite IRS numbers. Every call to one of these numbers costs the PBX owner an expensive premium rate, of which the fraudster receives a cut from the IRS number provider. The smart fraudster will be hacking a new PBX every week, and placing calls at weekends when network administrators are less likely to notice the attack.
The most common areas where SIP-based services are vulnerable to hacking, fraud and information security breaches include:
- Service interruption: Due to its real-time nature, VoIP is more susceptible to denial-of-service (DoS) attacks compared with typical Internet data services. These Telephony DoS, or TDoS, attacks are often combined with extortion attempts.
- Service abuse: Includes the improper use of VoIP services such as toll fraud, billing avoidance or just plain old stealing from your employer.
- Interception and modification: Attacks where the signaling data or the content of a session is intercepted or modified.
- Spam over Internet Telephony: Known as “SPIT,” this involves placing unsolicited voice calls, normally recorded messages used for telemarketing, phishing or fraud.
So how can wholesale and retail carriers protect themselves from fraud? While a complete security discussion is outside the scope of this article, here are some general best practices:
- Use long complex passwords – An effective password policy is critical because a typical system will have passwords for registration with a SIP provider, extension registrations, Web user and administration interfaces, and voicemail. But many professionals still create short and overly simple passwords that are vulnerable to hacking. Create long complex SIP passwords that combine special characters, numbers, and upper and lowercase letters (e.g., w#$*&b@!DoT).
- Change passwords regularly – Change passwords at least once every quarter to keep fraudsters on their toes, and NEVER leave default passwords in place.
- Protect your SIP servers – Control physical access, use firewalls, keep software up to date, and put dial-plan rules in place to block calls to unintended destinations such as premium-rate numbers.
- Deploy fraud protection software – Look for software solutions that are independent and seamlessly compatible with a wide variety of softswitches. Such solutions can better monitor, alert and protect against fraud and revenue loss. If an IP PBX is hacked, anti-fraud software running on that PBX won’t do much good if the fraudster simply disables it before it can send you a fraud alert. It can also be easier and often more cost-effective to deploy a single software solution rather than manage multiple systems.
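As an added illustration of the monitoring and destination rules above (this script is not from the article or any vendor product), the following Python code scans call detail records for the pumping pattern described earlier: bursts of calls from a single extension to premium-rate destinations, placed at the weekend. The CDR format, the sample records, the premium-rate prefixes and the thresholds are all constructed assumptions.

```python
"""Toll-fraud detector over call detail records (CDRs).

Added example, not from the original article. It flags the pattern the
article describes: a compromised extension pumping calls to premium-rate /
International Revenue Share (IRS) destinations, typically at weekends.
The CDR format, prefixes and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Assumed premium-rate / IRS destination prefixes (illustrative only).
PREMIUM_PREFIXES = ("+882", "+883", "+252", "+239")
WEEKEND_DAYS = {5, 6}     # datetime.weekday(): 5 = Saturday, 6 = Sunday
BURST_THRESHOLD = 3       # premium calls from one extension within one hour

# Constructed sample CDRs: "timestamp,extension,destination,duration_seconds"
SAMPLE_CDRS = """\
2015-06-06T02:01:10,1003,+88212345678,610
2015-06-06T02:03:42,1003,+88212345679,590
2015-06-06T02:05:05,1003,+88212345680,602
2015-06-06T02:07:30,1003,+25261234567,580
2015-06-05T10:15:00,1001,+14155550123,120
2015-06-05T11:02:00,1002,+442071234567,45
"""

def parse_cdrs(text):
    """Parse CDR lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, dest, dur = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ext": ext,
                        "dest": dest, "dur": int(dur)})
    return records

def is_premium(dest):
    """True when the dialled number starts with a known premium-rate prefix."""
    return dest.startswith(PREMIUM_PREFIXES)

def detect_fraud(records):
    """Return {extension: [reasons]} for extensions showing pumping behaviour."""
    alerts = defaultdict(list)
    per_hour = defaultdict(int)   # (ext, hour bucket) -> premium call count
    for r in records:
        if not is_premium(r["dest"]):
            continue
        reasons = ["premium-rate destination %s" % r["dest"]]
        if r["ts"].weekday() in WEEKEND_DAYS:
            reasons.append("placed at the weekend")
        key = (r["ext"], r["ts"].strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] == BURST_THRESHOLD:   # alert once per hour bucket
            reasons.append("burst: %d premium calls in one hour" % BURST_THRESHOLD)
        alerts[r["ext"]].extend(reasons)
    return dict(alerts)

def alerts_for_sample():
    """Run the detector over the constructed sample; only extension 1003 fires."""
    return detect_fraud(parse_cdrs(SAMPLE_CDRS))
```

In production the same logic would run against the softswitch's live CDR feed and raise an alert or block the extension the moment the burst threshold is crossed, rather than after the monthly bill arrives.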
Yes, there are some SBCs (Session Border Controllers) with anti-fraud capabilities. But most SBCs focus on their roots as a VoIP firewall with topology hiding and DoS attack prevention. SBCs do not work at the PBX application level, where telephony-based fraud often takes place.
Remember the battle against IP PBX fraud is ongoing and constantly evolving. It’s very difficult, if not impossible, to eliminate fraud entirely. But understanding how PBX fraud works – and implementing security controls, training programs, and policy recommendations to monitor and protect against fraud – can significantly reduce revenue loss.