If your business was the victim of telecoms fraud, would you know? How would you know? How quickly? We read every week about Denial of Service attacks and the theft of personal data, but internet telephony attacks seem somehow less newsworthy. Do they also happen?
Well, according to the Communications Fraud Control Association, the top 5 telecoms frauds cost over $26 billion [1]. So yes, they do happen. The UK is the third most targeted country in the world; toll fraud costs UK firms £1.2 billion a year.
It’s not only about toll fraud, however; hackers exploit Internet traffic for different ends. Their purpose may be to steal information such as company strategy or intellectual property. Alternatively, they may seek to harm the reputation of a competitor by publicising sensitive information such as personal data. Here we take a look at the risks from telephony attacks and the steps a business can implement to mitigate those risks.
PSTN, ISDN and VoIP
Firstly, we need to take a brief look at life before VoIP. When telephone calls were made using PSTN, firms placed less emphasis on security. PSTN was still at risk though, as a hacker using specialised equipment could still eavesdrop on a conversation by tapping into the wires. Today, a PSTN call will probably be carried over the internet for part of its route so it is still not secure.
ISDN (e.g. a T1 or T3 line) was more secure as the line was private to the business, although the endpoint could be tapped into.
VoIP is rather more susceptible to hacking as it is carried over public lines. The voice audio is broken into data packets in the same manner, whether the data is mundane or sensitive. If the data is not encrypted, hackers can intercept and reassemble the packets into the original conversation.
BT has announced that it will be switching off its PSTN and ISDN network by 2025 [2], moving solely to IP. It’s essential, therefore, that all businesses recognise the risks and protect themselves now.
What are the risks?
Toll fraud is a financial risk to businesses using VoIP. While some of the top 5 telecoms frauds are targeted at operators, two are targeted at businesses: International revenue share fraud (IRSF) and Premium rate services.
– IRSF involves a fraudster working with a rogue network service provider. They make long calls at a high charge that are terminated by the provider. The business receives an excessive charge and the profit is shared between the fraudster and the provider.
– Premium rate services generate revenue when staff call premium rate numbers. However, hackers can also divert traffic onto premium rates.
Eavesdropping – there are several opportunities for interception of a call, either on the line, or close to an endpoint when using company internal Wi-Fi or a Wi-Fi hotspot. These can result in financial risk, breaking of regulations such as GDPR, HIPAA, or SOX, or loss of reputation to the business. As an example, the payment card PCI standard requires that cardholder information is encrypted during transmission over the internet.
Denial of service is a risk to productivity and business reputation whether the service is a web page or a VoIP call.
How can technology help to secure my wholesale VoIP termination?
Encrypting VoIP is essential. Given the risk of interception close to an endpoint, the encryption must be applied end-to-end. Protocols such as SRTP and TLS are used to encrypt the call.
Secure real-time transport protocol (SRTP) is a cryptographic method of encrypting data, including replay attack protection and message authentication. SRTP uses the advanced encryption standard (AES). Both ends of the call must be enabled for SRTP. Depending on hardware, this will show a padlock icon.
Transport layer security (TLS) is used to encrypt call metadata such as the phone number, but also protects against eavesdropping and tampering.
IT must follow good practice, such as:
- Analyse call and access logs, checking for large numbers of failed attempts to access your service
- Keep firmware up to date on VoIP phones
- Use secure passwords on mobile devices and enable remote wiping
- Purge voicemails regularly
- Encrypt internal Wi-Fi
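One way to carry out the first item in the list above, as an added example that is not part of the original article: a sliding-window count of failed access attempts per source address. The log format, field names and thresholds are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format; adapt LINE_RE to your PBX or SBC log.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z src=203.0.113.7 ext=1001 result=FAIL
2024-03-01T02:14:02Z src=203.0.113.7 ext=1002 result=FAIL
2024-03-01T02:14:03Z src=198.51.100.20 ext=2040 result=FAIL
2024-03-01T02:14:04Z src=203.0.113.7 ext=1003 result=FAIL
2024-03-01T02:14:06Z src=203.0.113.7 ext=1004 result=FAIL
2024-03-01T02:14:09Z src=203.0.113.7 ext=1005 result=FAIL
2024-03-01T02:14:15Z src=198.51.100.20 ext=2040 result=OK
2024-03-01T02:20:00Z src=192.0.2.55 ext=3001 result=FAIL
2024-03-01T02:22:00Z src=192.0.2.55 ext=3001 result=FAIL
2024-03-01T02:24:00Z src=192.0.2.55 ext=3001 result=FAIL
2024-03-01T02:26:00Z src=192.0.2.55 ext=3001 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) ext=(\S+) result=(OK|FAIL)$")

def parse(text):
    """Yield (timestamp, source, extension, result); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def flag_sources(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures in any window (lines in time order)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    exts = defaultdict(set)       # src -> distinct extensions that failed
    peak = defaultdict(int)       # src -> highest in-window failure count seen
    for ts, src, ext, result in parse(text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        exts[src].add(ext)
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: {"peak_failures": n, "extensions_tried": len(exts[s])}
            for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

With the defaults only the source that fails against five different extensions within a few seconds is flagged; the source failing once every two minutes stays under a 60-second window, so a longer window with its own threshold is worth running alongside it.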
VoIP provider
Choose the right VoIP provider. Of course, they need to offer good value, excellent service quality and reliability. For global businesses, they need to provide connectivity worldwide. Critically, however, they need to be trustworthy and they need to fit into your secure VoIP solution.
Here at IDT, we have a proven track record in deploying VoIP solutions. By providing a unique level of call quality monitoring, we can spot unusual patterns in our Platinum clients’ calling records, warning of possible fraud. Why not contact us to learn how we can help you with secure, high-quality VoIP?
[1] https://gdpr.report/news/2017/05/29/telecommunications-battle-fraud/
[2] https://news.openreach.co.uk/pressreleases/openreach-to-consult-communication-provider-customers-on-switch-to-digital-phone-services-by-2025-2507133