PBX Fraud Detection
Author: iDH Staff
"I can't believe it. I passed your articles on hackers around the office just three weeks ago. Now I'm looking at our PBX and we're being hacked. What can I do?"
Let me tell you, a call like that wakes an editor up from his afternoon nap fast. The concern in Richard Deal's voice is evident. "They're hacking you now?" I ask, disbelieving.
"Yes. Now. They used our 800 number and got in through our mailbox. The mailbox people tell me 'no way,' but it's happening. I don't even know if our number is still out on some bulletin board service."
I look at the clock. Just after 3 p.m. on an otherwise normal Wednesday.
"Who's your long-distance carrier and what kind of system are you running on?" I ask.
Johnson Controls, Deal's employer, has a Mitel PBX, VMX mailboxes, and uses MCI as a long-distance carrier. I refer Deal to the Communications Fraud Control Association in Washington, D.C. (202-298-8900) as the best resource center. They keep tabs on purloined access codes and hacked mailboxes. If your firm isn't part of the CFCA, it probably should be.
Meantime, I volunteer to contact MCI's security people. By 3:22 Jack Van Wagner, MCI's senior manager of investigations, is taking details - sounding just like the former cop he is. Shortly thereafter, MCI's Atlanta investigators report that their own internal systems have alerted them to a possible fraud case because of the number of calls going from Alabama to area code 809 (always block the Caribbean from any PBX). Johnson Controls' outbound 800 lines are blocked.
VMX's distributor initially denies that the system is hackable. But at VMX's San Jose offices, Lisa French states that "It is always possible to hack any system. You design to minimize risk, but it can be done." The Johnson Controls case is another entry in VMX's ongoing program to collect anti-fraud data and send it to distributors and clients. Combine the powerful trunk-to-trunk capability of the PBX with the outdial capability of voice mail and call away.
In this case the hacker was doubly clever, recognizing the need to dial an access code for the Essx centrex service.
Will the bad guys be caught? "Odds of catching the perpetrators depend on where it came from," Van Wagner tells me the next day. "It probably came from 125th Street in New York where they have phone houses. On a scale of 1 to 10, odds are a minus-200. But if it came from a university in Wisconsin, chances are good." Whether calls were looped through two or three PBXs, or whether more than one carrier is involved, are also factors. Most LD carriers try to be proactive, but there is always a risk in shutting down lines being used for legitimate calls and incurring customer wrath. VMX, meantime, has put together a package for users, available through its distributors. Much of the material is fraud prevention 101 (secure DISA ports, set up toll control). But it is amazing how many unsecured systems there are. Is yours one of them?
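The kind of check that tipped off MCI's investigators, a burst of outbound calls to area code 809, can be run against a PBX's own call detail records as well. The following is an added example, not MCI's, VMX's or Johnson Controls' code; the CDR line format, the sample records, the one-hour window and the threshold of three calls are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR lines (not from the article):
# timestamp,trunk,dialed_number,duration_seconds
SAMPLE_CDR = """\
1993-03-10T14:05:12,OUT-800-1,12055551212,240
1993-03-10T15:01:44,OUT-800-1,18095550101,612
1993-03-10T15:03:09,OUT-800-2,18095550102,588
1993-03-10T15:07:51,OUT-800-1,18095550103,701
1993-03-10T15:12:30,OUT-800-2,18095550104,655
1993-03-10T15:15:02,OUT-800-1,18095550105,630
1993-03-10T16:40:00,OUT-800-2,12125550199,95
"""

HIGH_RISK_AREA_CODES = {"809"}   # the Caribbean NPA named in the article; extend as needed
WINDOW = timedelta(hours=1)      # assumed sliding window
THRESHOLD = 3                    # assumed number of calls that should page someone

def parse_cdr(text):
    """Turn CDR lines into (timestamp, trunk, dialed_number, duration) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trunk, number, dur = line.split(",")
        records.append((datetime.fromisoformat(ts), trunk, number, int(dur)))
    return records

def area_code(number):
    """North American numbering: drop a leading country code 1, the next three digits are the NPA."""
    digits = number.lstrip("+")
    if digits.startswith("1") and len(digits) == 11:
        digits = digits[1:]
    return digits[:3]

def detect_high_risk_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return one (area_code, first_call_time, count) alert per high-risk NPA
    whenever at least `threshold` calls to it fall inside one sliding `window`."""
    alerts = []
    per_npa = defaultdict(list)
    for ts, _trunk, number, _dur in sorted(records):
        npa = area_code(number)
        if npa in HIGH_RISK_AREA_CODES:
            per_npa[npa].append(ts)
    for npa, times in per_npa.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((npa, times[start], end - start + 1))
                break                           # one alert per NPA is enough
    return alerts
```

Blocking a trunk on the strength of such an alert carries the risk the article mentions (cutting off legitimate calls), so in practice the alert is a trigger for a human to look at the DISA and voice-mail outdial settings, not an automatic shutdown.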