[ISN] Toll Fraud - The Crime of the 90's

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 21 Nov 1998 - 14:29:37 CST
Forwarded From: plexor <plexor@dhp.com>

http://www.keytel.com/tfac.htm

TOLL FRAUD FACTS
Toll Fraud - The Crime of the 90's
Toll fraud costs our companies billions of dollars every year. From the
perpetrators' view, toll fraud is enormously profitable and low risk.
Unless you are careless, the chance of being caught is negligible. If you
are somehow apprehended, chances are you will not be successfully
prosecuted. If you are convicted, chances are the time you serve will be
minimal. There are hackers who are in prison, in some cases for "crimes" 
that are trivial. They don't belong there. However, law enforcement
organizations are frustrated by professionals who are rarely caught and
convicted. 

Two types of toll fraud, cellular and calling card fraud, get all of the
publicity. But these types of fraud are less than half of the total
dollars lost. Cellular fraud and calling card fraud get attention because
they happen to individuals. PBX fraud occurs at companies who don't
publicly acknowledge the incidents. 

Cellular and calling card losses are borne by the carriers. They take the
fraudulent calls off the bill. But the law says that the owner of the PBX
pays for all calls made from their system, legitimate or otherwise! 

The local and long distance carriers seem to be shy about the subject of
fraud costs. Although their stance is improving, most of the costs of
fraud are borne by the consumer.

Telecom & Network Security Review reports that the cost of toll fraud was
$3.325 billion in 1995 and is expected to increase by $395 million in
1996. With so much money at stake, it is easy to see why hacking for
profit has become a serious business. We are not merely up against young
people, formidable as they are, who are out to prove their prowess on a PC.
We are confronted by professionals who are highly skilled and well armed
with the latest technology and tools. These thieves are not out to make a
few calls on your bill. There is a complete underground distribution
network for phone numbers and authorization codes with established
wholesale prices. One phone company representative told me that there have
been outlaw cellular phone sites operated solely for fraudulent calls.

The largest losses can occur when your company's PBX (Private Branch
Exchange) is compromised. Telecom & Network Security Review reports that
this type of fraud will cost companies $1.5 billion in 1996. The actual
costs extend well beyond the direct carrier charges. 

A PBX is a sophisticated computer that is primarily used to route calls to
your internal phones and to outgoing lines. Once the numbers and/or
authorization codes are known to the perpetrators, they are sold to
"call-sell" operators. The operators then mass distribute the numbers
which are then used by people at the retail end. 

There is so much money to be made that call-sell operators are
increasingly putting hackers on their payrolls. Frauds of this nature
often occur over a long weekend when the system administrator at your
company is not monitoring usage. Large frauds can occur over longer
periods of time. Southern Illinois University was hit in 1995 for $1.1
million. 

Phone numbers and authorization codes are also very valuable to drug
dealers and other criminals. They are well aware that the numbers and
times they call can be used in investigations and don't want these numbers
on their bills or in phone company records that can be linked to them.
With access to your PBX, they call your system, call out to another system
and then to their final destination. Using this technique, called
"looping," they effectively mask the true locations they have called. 

There are a number of ways your PBX can be compromised. One common method
is to crack the authorization codes for the remote access feature,
sometimes known as DISA (Direct Inward System Access). This feature allows
a caller to dial into the system, enter an authorization code and get an
outbound line. This is a convenient way for executives to avoid carrying a
calling card. It is a nice perk. Unfortunately the codes are usually not
well managed and are not difficult to crack. Do not use this feature! Use
calling cards instead. It may be more expensive, but, by law, your
liability for fraud on your calling card is limited. If the fraud involves
CPE (Customer Premise Equipment), including your PBX and voice messaging
systems, you are liable for all long distance charges. Reviewing your phone
bills will of course reveal the fraud, but by then it is too late.

Another method of entry to your PBX is the remote maintenance port. All
current PBXs have a dial-in port that allows a remote user, including the
PBX vendor, to access the system for maintenance. The maintenance ports
have standard user IDs. The standard IDs are well known to the hacker
community. Passwords are variable and should be properly constructed and
maintained. The default passwords are also well known and must be reset
when the system is installed. Many systems are compromised using the
default passwords. 

PBXs can be set up to disconnect after a predetermined number of invalid
access attempts. However, exceeding this limit may not shut down the port.
You can be hacked all day by re-dialing. Alarms can be set, but must be
monitored 24 hours a day to be effective. Reports are available that can
indicate attempts at hacking; however these require diligent daily review.
For these controls to be effective they must be specifically set and
monitored. To effectively prevent large losses, you need a contingency
plan. 

What hackers want is a dial tone, an outside line. Once they obtain access
through the maintenance port they have the run of the system. They can set
themselves up with outbound access such as DISA, described above, and turn
off the control features. Hackers can get your maintenance port number in
several ways. They may find it by scanning using automated dialers.
Unfortunately, many cases of PBX fraud result from insiders or vendors who
disclose the phone numbers, IDs and passwords.

Most systems have a feature known as an Automated Attendant. An Automated
Attendant answers the line and invites the caller to enter the extension
of the person they called or enter zero to speak to an operator. The
perpetrator then simply enters 91 and the first two digits of the area
code he wants to call. The Automated Attendant tries to transfer the call
to that "extension", but on some systems those digits actually start an
outgoing call. When the caller gets dial tone, he simply enters the
remaining digits needed to complete the call.

An Automatic Call Distributor (ACD) is a system that queues and routes
calls to service departments. ACDs are often equipped with an automated
attendant and voice messaging. These systems are frequently compromised
if care is not used when installing features that allow an incoming call
to access an outgoing line. If a caller can get dial tone, you have a big
exposure to fraud.

Call forwarding to outside numbers can be unsafe. In some systems, if
'loop start' is used, when the call is forwarded and answered, the
perpetrator will say they got a wrong number or say nothing. When the
called party hangs up, the system briefly leaves a dial tone before
disconnecting. The perpetrator quickly grabs the dial tone and places a
long distance call. During a recent audit, my client was curious about
some late night calls made to their technical staff at their offices. Such
calls often are made by someone looking for a PBX with this weakness. 

Call forwarding outside the system has other toll fraud possibilities. Any
phone can be forwarded to any outside number. Recently a client found a
phone in a locker room forwarded to a long distance number at another
company. Our guess is that someone forwarded the phone so that when they
dialed that extension, they were forwarded to a friend's company. Lobby
phones and conference room phones are also susceptible to this simple
"hack." 

An article in "2600, The Hacker's Quarterly" suggested that the best place
to start hacking was Voice Messaging Systems (VMS). VMSs are notoriously
easy to hack and often have the added benefit of toll free 800 inbound
access. Through an advertisement in 2600, I was able to purchase a
document on exactly how to hack voice mail systems. The well-crafted,
accurate document includes detailed information on most of the current
voice mail systems manufactured, the menu structures, the default mailbox
passwords and how many password attempts can be made before you are kicked
out of the system. They even give you a (then current) list of 800 inbound
lines to companies' voice mail systems and the systems' manufacturers so
hackers can practice their techniques.

Some VMSs allow an incoming call to access an outbound line through the
PBX using a feature sometimes known as "thru-dial". When a hacker breaks
the simple password to a mailbox they can use this feature to get an
outbound dial tone. Also, by using the call transfer feature of the VMS,
the hacker may get dial tone by entering the transfer code and the first
digits of the number to be called. An example would be *T91XX, where T is
the digit your system has assigned for transfer and XX is the first two
digits of the called number.

Hackers also can capture a mailbox and trade messages freely. The intent
is to find an unused mailbox and take it over by giving it their own
password, and using it for themselves. In effect, they establish their own
bulletin board system. They also frequently record their own greeting.
"Yes operator, we will accept the charges" as a greeting can result in
thousands of calls billed to your company. 

Far worse can happen. If the hackers are persistent, they can get into the
system administrator's mailbox. From there they can listen to other boxes'
messages (on some systems), or change, add and delete mailboxes. If they
so desire, they can shut down the system! Hackers have published the
default system administrators' mailbox numbers. VMSs also have remote
maintenance ports. If they penetrate the remote maintenance port, which is
often less difficult to crack than a PBX, they will turn on "thru-dial"
and any other feature they want. They set up many of their own mailboxes
so they can make many outbound calls at the same time. In addition to
hacker use, your system could be used by criminals to trade messages.

Once you have closed the obvious holes in your CPE systems' security,
there is still work to be done. Many companies are hit again and again
after they thought they had solved the problems. No system is
invulnerable. Hackers are always finding new weaknesses to exploit.
Software and feature upgrades may create new weaknesses. Current or
ex-employees become disgruntled or desperate for money. To control your
systems, effective call reporting and monitoring must be in place. Most
equipment has some level of call reporting. Add-on systems can supply even
better information including calling patterns and trends that can indicate
fraud. 
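As an added example (not part of the original article), the following script reviews constructed call-detail records for the two patterns described above: toll calls clustered outside business hours, when nobody is monitoring usage, and invalid login attempts that keep coming back past the per-session lockout limit. The CSV-style record format is an assumption; real PBX call reports differ by vendor.

```python
from collections import Counter
from datetime import datetime

# Constructed sample CDR export (timestamp,feature,caller_id,dialed,result); format assumed.
SAMPLE_CDR = """\
1998-11-20T14:05:00,DISA,5551001,12125550100,OK
1998-11-21T02:10:00,DISA,5552002,01144171234567,OK
1998-11-21T02:11:30,DISA,5552002,01144171234568,OK
1998-11-21T02:12:45,DISA,5552002,01144171234569,OK
1998-11-21T02:14:00,DISA,5552002,01144171234570,OK
1998-11-21T03:00:00,MAINT,5553003,-,BAD_AUTH
1998-11-21T03:00:40,MAINT,5553003,-,BAD_AUTH
1998-11-21T03:01:20,MAINT,5553003,-,BAD_AUTH
1998-11-21T03:02:00,MAINT,5553003,-,BAD_AUTH
1998-11-23T10:00:00,EXT,5554004,12125550101,OK
"""

def parse_cdr(text):
    """Turn the CSV-style export into a list of dicts with parsed timestamps."""
    rows = []
    for line in text.strip().splitlines():
        ts, feature, caller, dialed, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "feature": feature,
                     "caller": caller, "dialed": dialed, "result": result})
    return rows

def is_off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday: nobody is watching usage."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)

def is_toll(dialed):
    """International (011 prefix) or 1+ long distance (11 digits)."""
    return dialed.startswith("011") or (len(dialed) == 11 and dialed.startswith("1"))

def flag_off_hours_toll(rows, threshold=3):
    """Callers that completed >= threshold toll calls outside business hours."""
    counts = Counter(r["caller"] for r in rows if r["result"] == "OK"
                     and is_toll(r["dialed"]) and is_off_hours(r["ts"]))
    return {c: n for c, n in counts.items() if n >= threshold}

def flag_repeated_bad_auth(rows, limit=3):
    """(feature, caller) pairs whose failed logins exceed the per-session lockout
    limit, i.e. callers who kept redialing after the port dropped them."""
    counts = Counter((r["feature"], r["caller"]) for r in rows if r["result"] == "BAD_AUTH")
    return {k: n for k, n in counts.items() if n > limit}

def review(text):
    rows = parse_cdr(text)
    return {"off_hours_toll": flag_off_hours_toll(rows),
            "repeated_bad_auth": flag_repeated_bad_auth(rows)}
```

Run against the sample, the Saturday 02:00 burst of international DISA calls and the four failed maintenance-port logins are flagged; the weekday calls during business hours are not.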

This document has covered the most common exposures and risks. "Social
engineering" practices and abuse of long distance privileges by employees
are other areas that require attention.

Why haven't companies audited their voice systems? First, most are not
aware of the exposures, the risks and the sophistication of voice systems.
This document addresses that problem. Second, although they resemble
traditional computer systems, these systems are very different. The jargon
and acronyms are foreign to most business people and the learning curve is
steep! There is scant detailed technical information about the risks in
most vendors' systems.

As a practitioner in this area, I have to dig out the "golden nuggets" of
information from vendor manuals. But I know that the other people who read
the manuals are hackers, some of them professionals. One piece of good news
for auditors: they can audit their company's systems from anywhere by
dialing in through the maintenance port. I often audit distant systems
this way.

Note: This document is not designed to provide an audit program of all
risks and features. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 09:00:41 1998