Printer Friendly

How to prevent wily hackers from plundering your phones.

PBX security is like home security. If you make it tough for the bad guys to break in, they go somewhere else to do their dirty deeds.

Network crimes--like street muggings--can happen to anyone. Hackers strike when least suspected. Their targets are large or small firms, everyday names in the business world. Their "loot" is access to long distance service which they use themselves, often to make drug-related calls or remarket, at bus depots, college bars and prisons, to anyone who wants to make a cheap phone call.

This year, 54.8% of those answering the Communications Managers Association survey reported problems with viruses. Forty-eight percent said a hacker entered their system and 30% said someone stole PBX time. It costs big: 9% said they suffered data damage from an unauthorized user.

The PBX at the United Nations in New York got "hacked" for over $900,000 by enterprising log distance thieves.

A Southeastern financial institution was ripped off for $38,000 when its WATS code gout out and was passed around. "I think the whole U.S. Marine Corps had that number," the telecomm manager recalls.

Their solution included a mass re-issue of WATS, going from a four-digit to six-digit code, and availing themselves of an hourly monitoring service from their carrier.

The Tennessee Valley Authority lost $65,000. Philadelphia Newspapers Inc. lost $150,000 in one month. The Denver Post got hit for $ 10,261--the value of 11,000 minutes of 800-number time at 93 cents a minute. The Christian Broadcasting Network in Virginia got nailed for $40,000 in a single weekend.

However, Sears Technology Services Inc. has gone further with seminars to stress security and education of employees in all the divisions it serves. Sessions point out the need to make sure they have the services they should be getting--and no more.

Foster McDonald, Delta Com, was hit for a one-half million dollar fraud loss. He says, "We used only seven-digit codes and they were in sequential order.

"DISA codes are not long enough," he states.

He suggests lengthening access codes and blocking everything to area code 809, the Caribbean. That's also the area code where The Denver Post incurred most of its losses.

A Detroit manufacturer got hit through the DISA port for $50,000. It was especially vexing because the telecomm manager had just saved $250,000 out of his budget--only to see a fifth of it lost to criminal activity.

According to the Willoughby Law Firm, Columbia, South Carolina, victims should not assume they won't have to pay the bill, however outrageous and illegally incurred it may be.

AT&T states categorically that they will hold users responsible for long distance charges, although some fraud victims have negotiated a payment scheduled less the normal profit the telco realizes on such service.

"Some IXCs (interexchange carriers) have launched aggressive attempts to extract payment from businesses," Willoughby says.

In Chartways v. AT&T Communications, May 1991, the Federal Communications Commission held that the customer was responsible under AT&T tariff provisions for nearly $82,000 of unauthorized calls placed through the PBX's remote access.

What to do

If you are hit, report the problem immediately to your carrier's security division. They will work with the U.S. Secret Service (the same group that protects the President) on all toll fraud cases. However, they expect your agreement to prosecute if the crooks are found.

AT&T says many users fail to change the default password on their PBX's, usually something simple like 1111. AT&T suggests using a nonpublished number for remote access units and purchasing only calling bands required for a given geographic area if 800 service is used for remote access.

Although there is an extra fee for calling card calls, it may pay to evaluate credit cards vs. remote access.

Peggy Snyder, director of the Communications Fraud Control Association, in Washington, D.C, recommends the following steps:

* Assign authorization codes randomly on a need-to-know basis. Limit the number of calls using these codes. Never match codes with phone, station or badge numbers.

* Codes should be changed frequently and canceled if assigned to departing employees.

* Remote access trunks should be limited to domestic calling and shut down when not in use.

* Use a system-wide barrier code, followed by an authorization code with the most digits your PBX can handle.

* Use a delayed electronic call response (the same as letting your phone ring four or five times before answering).

* Monitor billing, call details and traffic for unusual patterns and busy lines during off-peak hours, such as late at night.

Some final words of advice from Ruth Michalecki, director of telecomm for the University of Nebraska: Do not allow mailbox numbers as authorization numbers, and do not allow "system authorization" to remain in force longer than 24 hours.

Lastly, do not erase criminal information you have discovered. Store it in archives for potential use as evidence.
COPYRIGHT 1992 Nelson Publishing
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Harler, Curt
Publication:Communications News
Date:Jan 1, 1992
Previous Article:Twin call centers provide 16-hour coverage.
Next Article:Meet and beat the ego-driven systems hacker.

Related Articles
Guard your PBX.
How two users fight fraud with call accounting.
The Many Faces of Defeat: The German People's Experience in 1945.
Who's on the line?
Halting the Hacker: A Practical Guide to Computer Security.
Guarding the virtual vault: businesses in all sectors now recognize the value of information. Unfortunately, so do criminals. Data theft has become a...

Terms of use | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters