IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Seven tips for avoiding VoIP Toll Fraud
Thu, 2nd May 2013

Seven tips for protecting yourself and your customers.

Business customers are increasingly utilising VoIP technology, and for good reason.

By integrating their telephony within an IP environment, business customers are able to save a great deal of cost on both infrastructure and telecommunications.

At the same time, they can improve their business processes and customer experience by leveraging unified communications.

While the positives of moving to an IP telephony solution far outweigh the negatives, opening your phone system up to the Internet does increase risk.

Toll fraud has been a problem for a long time, but has increased exponentially since the growth of VoIP implementation.

If a fraudster gains access to your PBX, they can initiate multiple calls to high-priced toll numbers whose call revenue they share.

This is typically done at night with the calls being directed to numbers in island nations where the cost of telecommunications is high, meaning higher returns for fraudsters.

While VoIP providers do have systems in place to detect unusual activity, these systems generally discover problems after the fact, and not until serious money has been extracted, often running into the tens of thousands of dollars.

And if you think your VoIP provider will reimburse the costs of fraudulent calls, think again. They have to pay someone those termination rates and the burden of that cost is on you.

With these issues in mind, Mako Networks have put together some useful tips on how to protect yourself and your customers when deploying VoIP solutions.

1. Apply a daily toll limit with your VoIP provider

This is possibly the single best (and easiest) thing you can do to protect yourself. Some providers will have this capability available from an online control panel.

If they don't, send them a toll limit request in writing and signed. This won't stop fraud, but it will limit its effect.
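A provider-side toll limit caps the damage, but you can also watch your own call detail records (CDRs) for the pattern described above: a night-time burst of international calls that pushes the day's spend past your agreed limit. The script below is an added example, not code from the article or from Mako Networks. It assumes the PBX exports one CDR per completed call as a comma-separated line of timestamp, source extension, dialled number, duration in seconds and charge; the record format, the dial-plan prefixes, the business-hours window, the daily cap and the sample records are all constructed assumptions for the example.

```python
"""Daily toll-spend and after-hours international-call check over PBX CDRs.

Added example, not from the article or Mako Networks. Assumed CDR line format:
    "<ISO timestamp>,<source extension>,<dialled number>,<duration seconds>,<charge>"
"""
from collections import defaultdict
from datetime import datetime

DAILY_TOLL_LIMIT = 50.00  # assumed daily cap, matching the limit agreed with the provider
AFTER_HOURS = (range(0, 7), range(20, 24))  # hours treated as outside business hours (assumption)

# Constructed sample CDRs: a normal day followed by a night-time burst of calls to one
# overseas destination. The 00999... number is deliberately not a real country code.
SAMPLE_CDRS = """\
2013-05-01T09:14:02,201,0800123456,180,0.00
2013-05-01T11:40:15,203,0093551234,420,0.98
2013-05-01T14:05:33,201,0061299998888,600,1.20
2013-05-02T01:12:40,207,009991234567,1800,43.20
2013-05-02T01:45:03,207,009991234568,1750,42.00
2013-05-02T02:20:11,207,009991234569,1800,43.20
"""


def parse_cdr(line):
    """Split one assumed-format CDR line into a record dict."""
    ts, ext, number, secs, charge = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "ext": ext, "number": number,
            "seconds": int(secs), "charge": float(charge)}


def is_international(number):
    # Assumed dial plan: 00 prefix dials international, 0800 is a domestic free-phone number.
    return number.startswith("00") and not number.startswith("0800")


def is_after_hours(ts):
    return any(ts.hour in hours for hours in AFTER_HOURS)


def analyse(cdr_text, limit=DAILY_TOLL_LIMIT):
    """Return (per-day totals, alerts).

    An alert is raised for every international call placed after hours, and once per
    day when the running toll spend crosses the daily limit.
    """
    totals = defaultdict(float)
    limit_hit = set()
    alerts = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        rec = parse_cdr(line)
        day = rec["time"].date().isoformat()
        totals[day] += rec["charge"]
        if is_international(rec["number"]) and is_after_hours(rec["time"]):
            alerts.append(f"{day}: after-hours international call from ext {rec['ext']} "
                          f"to {rec['number']} (${rec['charge']:.2f})")
        if totals[day] > limit and day not in limit_hit:
            limit_hit.add(day)
            alerts.append(f"{day}: daily limit of ${limit:.2f} exceeded "
                          f"(running total ${totals[day]:.2f})")
    return dict(totals), alerts


if __name__ == "__main__":
    day_totals, found = analyse(SAMPLE_CDRS)
    for day, total in sorted(day_totals.items()):
        print(f"{day}: ${total:.2f}")
    for alert in found:
        print("ALERT", alert)
```

Run against the sample, the first day passes silently and the second day produces three after-hours alerts plus one limit alert. In practice the same check would be scheduled against the PBX's CDR export every few minutes, so that the alert arrives while the calls are still in progress rather than with the provider's invoice.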

2. Use TLS protected SIP

Session Initiation Protocol (SIP) is a very flexible protocol and is used in the most popular VoIP implementations today. Unfortunately, SIP by itself is not secure and relies on other standards to provide security.

If deploying SIP, always use the Transport Layer Security (TLS) protected variant, running over TCP instead of UDP.

All major VoIP providers should support this technology today, as should newly purchased VoIP equipment.

3. Employ a stateful firewall

A stateful firewall should protect the border of any business network, whether using an onsite PBX or not. Only use appliances that are certified by ICSA Labs for firewall security, meet the stringent Payment Card Industry Data Security Standard (PCI DSS) or both.

ICSA Labs ensures that the firewall itself has been independently audited for network security, while PCI DSS goes one step further by auditing all aspects of the vendor's business, from software development and manufacturing to help desk support and network operations.

4. Segregate your business network

Separate your data network from your voice network, either physically or by using VLANs. This means that you can apply a much more stringent security policy to your voice network while not disrupting business operations.

It also means that should one network get compromised, the other is still protected.

5. Encrypt your site-to-site calls

When connecting SIP calls from site to site, ensure that you are passing them through a secure VPN tunnel.

This is especially important because in a site-to-site scenario you cannot leverage your VoIP provider as a SIP proxy, meaning increased risk when sending these calls via the public Internet.

6. Use strong passwords

It seems obvious, but make sure no generic passwords or vendor-supplied defaults are used on the PBX or phone extensions.

7. Do not allow generic PINs

One common way fraudsters compromise PBX systems is through the company voicemail system. Make sure employees have set their voicemail PIN and that no generic PINs exist.

If possible, create a policy on the PBX banning the use of 1111, 1234 or other easily guessed combinations.
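Tips 6 and 7 both come down to a policy the PBX administrator can enforce at the point where a PIN or extension password is set, and can re-run as an audit over existing extensions. The checker below is an added example, not code from the article or from Mako Networks. It assumes the administrator can obtain each extension's voicemail PIN and SIP secret for review; the minimum lengths, the blocklist (which extends the 1111 and 1234 named in the article), the list of default-style passwords and the sample extensions are all assumptions constructed for the example.

```python
"""Policy check for voicemail PINs and SIP extension passwords.

Added example, not code from the article or Mako Networks. Thresholds, blocklist
and the sample extension records below are assumptions made for the example.
"""
import re

# Assumed blocklist; the article names 1111 and 1234, the rest are added here as examples.
PIN_BLOCKLIST = {"0000", "1111", "1234", "4321", "2580", "0852"}
# Assumed placeholder list of default-style passwords; a real deployment would use the
# vendor's documented defaults for its own equipment.
DEFAULT_STYLE_PASSWORDS = {"password", "admin", "secret", "changeme", "default"}
MIN_PIN_LENGTH = 6
MIN_PASSWORD_LENGTH = 12


def is_repeated_digit(pin):
    """True for 1111, 77777 and similar."""
    return len(set(pin)) == 1


def is_sequential(pin):
    """True for ascending or descending runs such as 1234, 4321 or 7890 (wrapping 9 -> 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def check_pin(pin, extension=None):
    """Return the list of policy violations for a voicemail PIN; an empty list means it passes."""
    problems = []
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"PIN shorter than {MIN_PIN_LENGTH} digits")
    if pin in PIN_BLOCKLIST:
        problems.append("PIN is on the generic-PIN blocklist")
    if is_repeated_digit(pin):
        problems.append("PIN is a single repeated digit")
    if is_sequential(pin):
        problems.append("PIN is a sequential run of digits")
    if extension and pin == extension:
        problems.append("PIN equals the extension number")
    return problems


def check_sip_password(secret, extension=None):
    """Return the list of policy violations for a SIP extension password."""
    problems = []
    if len(secret) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("password needs at least three of: lower case, upper case, digit, symbol")
    if secret.lower() in DEFAULT_STYLE_PASSWORDS:
        problems.append("password is a default-style value")
    if extension and extension in secret:
        problems.append("password contains the extension number")
    return problems


def audit(extensions):
    """Check every extension record; return {extension: [problems]} for those that fail."""
    failures = {}
    for rec in extensions:
        ext = rec["extension"]
        problems = [f"PIN: {p}" for p in check_pin(rec["pin"], ext)]
        problems += [f"password: {p}" for p in check_sip_password(rec["password"], ext)]
        if problems:
            failures[ext] = problems
    return failures


# Constructed sample export: one extension still on defaults, one with a short PIN, one compliant.
SAMPLE_EXTENSIONS = [
    {"extension": "201", "pin": "1111", "password": "201"},
    {"extension": "202", "pin": "4826", "password": "Tq4#wLm8$pXz"},
    {"extension": "203", "pin": "739154", "password": "Kq7!vR2mZp9#"},
]

if __name__ == "__main__":
    for ext, problems in audit(SAMPLE_EXTENSIONS).items():
        print(ext, "->", "; ".join(problems))
```

Running the audit over the sample reports extension 201 (blocklisted, repeated-digit, too-short PIN and a password that is just the extension number) and extension 202 (PIN too short) while 203 passes. The same two functions can be wired into whatever interface users set their PIN through, so a generic value is refused at the time it is chosen rather than found later by an audit.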

By implementing the above measures, you are creating a layered security approach that should give you peace of mind when deploying VoIP solutions.