Background
· Toll fraud is an international problem that is not as severe today as it was in the 1990s. (It is still a problem).
· Toll thieves are hard to catch and recovery is rare. Courts have generally held that the user is responsible for paying the bill.
· Elements:
  o Theft of long distance service by call-sell operators who invade private switching systems over incoming trunks and resell the service.
  o Theft of calling card numbers by call-sell operators.
  o Theft of cellular service by thieves who copy cell phone IDs.
  o Long distance calls made on company phones by technicians, contractors or employees. (This is the largest part of the problem).
Call-Sell Operations
· Some call-sell operations work out of banks of pay phones in places like airports and train stations. They offer to set up toll calls to anywhere in the world for a fee. Most calls are placed overseas.
· How call-sell operators work: four primary methods
  1. Stolen calling card numbers. Thieves lurk around banks of pay phones in airports and train stations. The stolen number may be broadcast on a computer bulletin board or given to people in a call-sell operation.
  2. Stolen cellular telephone ID codes. Cell phone ID codes are embedded in a chip at the factory. The ID code is transmitted each time a call is set up. (The cellular operator uses the code to identify the phone that should be charged). Thieves pick up ID codes over the air and program them into their own phones.
  3. Unassisted transfer within the PBX. This is a favorite target. Automated attendants are sometimes set to ask for a “four digit” number. This tips the thief off, and he’ll start with the assumption that the PBX requires 9,1 to get an outside line. If this doesn’t work, there are other techniques, like computer-driven programs that try combinations. Voice-mail systems are also vulnerable because they can allow the thief to dial a transfer code and then probe for a code that allows him to make an outside long-distance call.
  4. Unauthorized use of direct inward system access (DISA). DISA or remote access can allow users to dial a local number to access PBX resources, including long-distance service. Some companies have made it easy for thieves by assigning toll-free numbers to the DISA port so employees can call in from out of town.
Ways to Minimize Fraud
Calling Cards - Be careful when making calls in public areas. Make sure someone isn’t hovering too close. Also, if possible, shield the dialing pad as you dial.
Cell Phone Codes - Restrict the cell phone from placing long distance calls, or block calls to area codes and overseas areas you never call.
Unassisted Transfers - Voice-mail should be set up to block attempts to dial invalid extension numbers. Place restrictions on overseas calls or confine permission to a narrowly defined class of service. Consult with the vendor to block every possible code combination that could let a thief make an unassisted transfer to an outgoing trunk. Out-dialing features should also be restricted.
Direct Inward System Access - Disconnect the system and use calling cards. If DISA must be used, restrict knowledge of passwords and change them frequently.
Maintenance Terminal Security - This is a favorite target of thieves. Once in, he/she can dismantle the barriers to toll fraud. The maintenance port telephone number and password must be guarded and changed regularly. Use a dial-back modem to defeat attempts to hack the maintenance port, or use a “lock and key” arrangement offered by several manufacturers.
Insider Fraud - Publish a company policy regarding under what conditions employees can use phones. A call accounting system could also be used.
Voice Mail Hacking - This is a situation where people find a voice-mail box to support their personal communications (exchange messages). Unassigned or disconnected mailboxes are a favorite target. To determine whether your system is being hacked, look at port usage in the middle of the night. High activity could indicate hackers. Set minimum password lengths, insist users choose nontrivial passwords and enforce regular password changes.
Switchboard Scams - This is a situation where someone calls into the company’s main switchboard and pretends to be an employee in order to get the attendant to transfer the call to a long distance number. Attendants should be instructed to ask for some kind of authentication (if they don’t recognize the person).
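The night-time port-usage review and the call accounting check mentioned under Insider Fraud and Voice Mail Hacking can be scripted. The Python below is an added example and not part of the original notes: it reads a call accounting (CDR) export and lists the indicators the notes point at, namely voice-mail or DISA ports dialing external numbers at all, international calls placed outside business hours, and ports that are busy in the middle of the night. The CDR column layout, the port names (VM-PORT-3, DISA-1, EXT-2214), the 07:00-18:59 business-hours window, the three-call night threshold and every sample record are constructed assumptions; a real PBX or call accounting system exports its own format and the parser would be adapted to it.

```python
"""Added example (not part of the original notes): scan a call accounting
export for the toll-fraud indicators the notes describe.  The record layout,
port names, thresholds and every sample line are constructed for this example."""

from collections import Counter
from datetime import datetime

# Constructed CDR export: timestamp, originating port or station, dialed digits
# (trunk access code already stripped), duration in seconds.
SAMPLE_CDRS = """\
2024-03-04 02:13:07,VM-PORT-3,011445550102,420
2024-03-04 02:19:51,VM-PORT-3,011445550177,610
2024-03-04 02:41:02,VM-PORT-3,011445550188,95
2024-03-04 10:05:44,EXT-2214,2125550123,180
2024-03-04 14:22:10,EXT-2301,9175550199,60
2024-03-05 23:48:30,DISA-1,0115215550144,900
2024-03-06 11:30:00,EXT-2214,8005550111,30
"""

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time (assumption)
NIGHT_CALL_THRESHOLD = 3             # after-hours calls from one port (assumption)
SERVICE_PORT_PREFIXES = ("VM-PORT", "DISA", "AUTO-ATTENDANT")  # constructed names
INTERNATIONAL_PREFIX = "011"         # North American dialing plan


def parse_cdr(line):
    """Turn one constructed CDR line into a dict with a parsed timestamp."""
    ts, origin, dialed, duration = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "origin": origin,
        "dialed": dialed,
        "duration": int(duration),
    }


def is_international(dialed):
    return dialed.startswith(INTERNATIONAL_PREFIX)


def is_internal(dialed):
    # Four-digit strings are treated as extensions (assumption for this dial plan).
    return len(dialed) == 4 and dialed.isdigit()


def after_hours(when):
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def summarize(cdr_text):
    """Return the indicator groups the notes ask an administrator to look for."""
    records = [parse_cdr(l) for l in cdr_text.splitlines() if l.strip()]
    night_counts = Counter(r["origin"] for r in records if after_hours(r["time"]))
    return {
        # Any external call from a voice-mail/DISA/auto-attendant port: the
        # notes say these ports should be restricted to internal calls.
        "service_port_outdial": [
            r for r in records
            if r["origin"].startswith(SERVICE_PORT_PREFIXES) and not is_internal(r["dialed"])
        ],
        # International calls placed outside business hours, from any origin.
        "after_hours_international": [
            r for r in records if after_hours(r["time"]) and is_international(r["dialed"])
        ],
        # Ports busy in the middle of the night or on weekends.
        "night_port_activity": {
            port: n for port, n in night_counts.items() if n >= NIGHT_CALL_THRESHOLD
        },
    }


def report(cdr_text):
    """Human-readable lines for the daily review of the call accounting export."""
    s = summarize(cdr_text)
    lines = []
    for r in s["service_port_outdial"]:
        lines.append(f"{r['origin']} dialed external number {r['dialed']} at {r['time']}")
    for r in s["after_hours_international"]:
        lines.append(f"after-hours international call to {r['dialed']} from "
                     f"{r['origin']} ({r['duration']}s)")
    for port, n in s["night_port_activity"].items():
        lines.append(f"{port}: {n} after-hours calls (threshold {NIGHT_CALL_THRESHOLD})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CDRS):
        print(line)
```

On the sample data the script flags all four calls from VM-PORT-3 and DISA-1 as both service-port out-dialing and after-hours international calls, and reports VM-PORT-3 as active at night. Run daily against the previous night's export, it is the early-warning use of the call accounting system that the notes recommend; the thresholds are the part to tune per site.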
Toll Fraud Do’s and Don’ts
· Develop a company policy on phone usage.
· Keep equipment rooms locked.
· Do not post passwords or access telephone numbers where unauthorized people can see them.
· Disconnect the DISA (if it must be kept: change the password at least quarterly, restrict the calling range, review call accounting reports).
· Restrict voice-mail ports to internal calls; if out-calling is required, restrict it to local numbers if possible.
· Restrict unused dialing codes.
· Eliminate international dialing (if possible) or restrict it to a narrowly defined class of service. (Or obtain from the IXC the list of frequent destinations for toll thieves and restrict these).
· Restrict calls when the office is not staffed.
· Require minimum-length passwords on voice-mail and require frequent changes.
· Alert attendants and users not to transfer calls without authentication.
· Instruct voice-mail users to bring to your attention any unexplained messages, etc. that would indicate hacking.
· Make sure maintenance terminal numbers for voice-mail and PBX are outside the company’s normal DID number range.
· Monitor usage on toll-free trunks, voice-mail ports and toll-free bills outside business hours. Look for patterns of usage that indicate hacking.
· Destroy telephone bills that would include phone numbers, calling card numbers, etc.
· Use the company call accounting system as an early warning system for toll fraud.
· Put hardware protection devices on maintenance ports, PBX and voice-mail.
· Disable voice-mail ports for disconnected stations.
· Change default passwords of maintenance ports.
· Program voice-mail to reject any attempt to dial an invalid extension number.
· Disable trunk access codes, or limit their access to a narrowly defined class of service.
· If the system is connected by tie lines to a remote PBX, make certain incoming calls cannot transfer to tie lines through voice-mail.
· Disable trunk-to-trunk transfer features if possible; otherwise use the trunk class of service feature to prevent calls from DID or toll-free lines from reaching tie lines.
· Test every dialing combination (0, 00, etc.) and every trunk access code to ensure calls cannot transfer through voice-mail or automated attendant to reach an outgoing trunk.
· Block international calls on cellular phones. Restrict long-distance on cell phones if it’s not needed.
· Train calling card users to shield the dial when dialing.
· Change the password on the maintenance port on the PBX regularly.
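Several items in the list above are dial-plan rules: voice-mail and automated-attendant ports must not be able to reach an outgoing trunk through any dialing combination or trunk access code, inbound DID and toll-free trunks must not reach tie lines, and international dialing should be confined to a narrowly defined class of service. These rules can be checked against an exported class-of-service (COS) table before anything is tested on the switch itself. The Python below is an added example, not part of the original notes and not any PBX vendor's tool: the COS names, the dial plan it assumes (9 for an outside line, 91 long distance, 9011 international, 8x tie lines, 0 and 00 for the operator, four-digit extensions starting with 2 or 3), the port names and the two deliberate misassignments in PORT_COS are all constructed so the audit has something to find.

```python
"""Added example (not from the original notes): an offline check of a PBX
class-of-service table against the dial-plan rules in the checklist.  COS
names, access codes, port names and misassignments are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ClassOfService:
    name: str
    allowed_prefixes: tuple       # a dial string must start with one of these
    denied_prefixes: tuple = ()   # and must not start with any of these (deny wins)


# Constructed dial plan: extensions start with 2 or 3; 9 = outside trunk group,
# 91 = long distance, 9011 = international, 8x = tie lines, 0/00 = operator.
EXTENSION_PREFIXES = ("2", "3")

COS_TABLE = {
    "internal_only": ClassOfService("internal_only", EXTENSION_PREFIXES),
    "local_only": ClassOfService("local_only", EXTENSION_PREFIXES + ("9",),
                                 denied_prefixes=("91", "90")),
    "domestic_ld": ClassOfService("domestic_ld", EXTENSION_PREFIXES + ("9",),
                                  denied_prefixes=("90",)),
    "unrestricted": ClassOfService("unrestricted", EXTENSION_PREFIXES + ("9", "8", "0")),
}

# Constructed port-to-COS assignment.  VM-PORT-2 and TOLLFREE-TRUNK-IN are
# deliberately wrong so the audit has something to report.
PORT_COS = {
    "VM-PORT-1": "internal_only",
    "VM-PORT-2": "local_only",
    "AUTO-ATTENDANT": "internal_only",
    "DID-TRUNK-IN": "internal_only",
    "TOLLFREE-TRUNK-IN": "domestic_ld",
    "EXT-2214": "domestic_ld",
    "EXT-2301": "local_only",
    "EXT-2400": "unrestricted",
}

# Ports that only ever need to reach internal extensions.
SERVICE_PORT_PREFIXES = ("VM-PORT", "AUTO-ATTENDANT", "DID-TRUNK", "TOLLFREE-TRUNK")

# Dial strings a service port must never be able to complete.  They are
# evaluated against the COS table here, not dialed on a live switch.
PROBES = {
    "local via trunk code": "92125550123",
    "long distance": "912125550123",
    "international": "9011445550102",
    "tie line": "815501",
    "operator": "0",
    "operator (double zero)": "00",
}


def permitted(cos, dialed):
    """Apply a COS to a full dial string: deny list first, then allow list."""
    if any(dialed.startswith(p) for p in cos.denied_prefixes):
        return False
    return any(dialed.startswith(p) for p in cos.allowed_prefixes)


def audit(port_cos=PORT_COS, cos_table=COS_TABLE):
    """Return (port, probe label, cos name) for every forbidden path a service port has."""
    findings = []
    for port, cos_name in port_cos.items():
        if not port.startswith(SERVICE_PORT_PREFIXES):
            continue
        cos = cos_table[cos_name]
        for label, dialed in PROBES.items():
            if permitted(cos, dialed):
                findings.append((port, label, cos_name))
    return findings


def international_capable(port_cos=PORT_COS, cos_table=COS_TABLE):
    """Every port whose COS completes the international probe, for periodic review."""
    return sorted(p for p, c in port_cos.items()
                  if permitted(cos_table[c], PROBES["international"]))


if __name__ == "__main__":
    for port, label, cos_name in audit():
        print(f"{port} ({cos_name}) can reach: {label}")
    print("international dialing permitted for:", ", ".join(international_capable()))
```

With the constructed table the audit reports that VM-PORT-2 can seize an outside line through the trunk code and that the toll-free inbound trunk can reach both local and long-distance trunks (the trunk-to-trunk path the checklist warns about), and it lists EXT-2400 as the only port with international dialing. Moving both misassigned ports to internal_only empties the findings. The value of keeping the check as code is that it can be rerun after every vendor change to the switch, which is when such assignments tend to drift.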