Is your VoIP phone system open to an attack?

Jan 9, 2017


We’ve all become familiar with customer data breaches and reports about online security problems at large retailers. The troubles of Sony, Target, and a number of other big-name retailers are, unfortunately, too familiar. More often than not, there’s no one to blame for these data breaches other than the companies themselves.

But it’s not just large retailers that are at risk. As more businesses move data, text, and voice to cloud-based services, new vulnerabilities open up for everyone. VoIP breaches are especially lucrative for attackers.

Aside from the troubling possibilities of what can happen when customer data ends up in the wrong hands, breaches also lead to a loss of customer confidence, eventually driving away business and revenue. It can take a long time to recover from this kind of bad reputation.

As attacks on phone systems become more frequent, cheaper, and easier than ever before, it’s up to companies, large and small, to put security best practices in place.

Protecting your business

Industrial-grade scanners are operating around the clock to find and exploit unsecured IP-PBXs and hosted handsets. Security issues and attacks such as call interception, spamming over Internet telephony, and denial of service attacks prevent networks and calls from functioning properly. To say these attacks can be devastating is an understatement.

Toll fraud is an ever-present threat to VoIP environments, and successful attacks carry severe financial consequences for businesses.

Hackers have come up with a variety of techniques to compromise phone systems in order to make international calls. Some are able to hijack systems and push through charges that can total $2,000 an hour or more. In one instance, hackers broke into a firm’s phone network and routed calls from the firm to premium-rate numbers in Gambia, Somalia, and the Maldives, popular end-points for hacked calls.

When implementing a VoIP PBX system, any business can maintain a secure environment with a little due diligence, a few precautionary steps, and regular daily checks. This not only protects the customer but protects the company as well.

One of the most important measures any business can take is to store customers’ card data in a location separate from their AP or call center infrastructure. This off-site storage should include multi-layer protection: encryption of any stored card data, and physical security with 24x7x365 surveillance, passcodes, and background checks of security staff.

If your IP-PBX has been compromised, any local policies you have in place to restrict calls will almost certainly be rendered useless. Therefore, it is important to work with your service provider to add an additional, external layer of protection.

Finding the right service provider

Similar to the system credit card companies use to monitor fraud, service providers can take a proactive monitoring role based on expected or historic calling patterns.

Many companies have little or no calling activity on nights, weekends, or holidays. Any sudden spike in activity during those periods may indicate fraud (especially if calls are placed to certain international locations). Other metrics that may be indications of fraud include a radical change in average call hold times (ACHT) or attempted calls per second (CPS).

While the U.S. is still the largest origination location for fraudulent calls, the most frequent termination locations (according to a 2013 CFCA survey) were Latvia, Gambia, Somalia, and Sierra Leone.
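The off-hours spike and ACHT checks described above can be run over call detail records (CDRs). The following is an added example, not IntelePeer's monitoring logic; the thresholds, the `+1` home prefix, the function names, and the sample records are all assumptions constructed for illustration, and the CPS metric is left out because it needs per-attempt signaling data rather than completed-call records.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values; tune them to your own historic calling pattern.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time, Monday to Friday
HOME_PREFIX = "+1"              # domestic numbering plan (assumption)
OFF_HOURS_INTL_LIMIT = 3        # international calls tolerated per off-hours hour
ACHT_RATIO_LIMIT = 3.0          # flag when ACHT moves 3x from baseline, up or down

def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def flag_hours(cdrs, baseline_acht):
    """Map each suspicious hourly bucket to the reasons it was flagged."""
    buckets = defaultdict(list)
    for start, dest, seconds in cdrs:
        ts = datetime.fromisoformat(start)
        buckets[ts.replace(minute=0, second=0)].append((dest, seconds))
    alerts = {}
    for hour, calls in sorted(buckets.items()):
        reasons = []
        intl = [d for d, _ in calls if not d.startswith(HOME_PREFIX)]
        if is_off_hours(hour) and len(intl) > OFF_HOURS_INTL_LIMIT:
            reasons.append(f"{len(intl)} international calls off-hours")
        acht = sum(s for _, s in calls) / len(calls)
        ratio = max(acht, baseline_acht) / max(min(acht, baseline_acht), 1)
        if ratio >= ACHT_RATIO_LIMIT:
            reasons.append(f"ACHT {acht:.0f}s vs baseline {baseline_acht:.0f}s")
        if reasons:
            alerts[hour.isoformat()] = reasons
    return alerts

# Constructed sample CDRs: (start time, dialed number, duration in seconds).
SAMPLE_CDRS = [
    ("2017-01-05T10:02:00", "+12125550101", 180),   # Thursday, business hours
    ("2017-01-05T10:15:00", "+14155550102", 200),
    ("2017-01-05T10:40:00", "+442079460000", 160),  # one daytime international call
    ("2017-01-07T02:01:00", "+2205550001", 1500),   # Saturday 02:00 burst begins
    ("2017-01-07T02:03:00", "+2525550002", 1400),
    ("2017-01-07T02:04:00", "+9605550003", 1600),
    ("2017-01-07T02:09:00", "+2205550004", 1500),
    ("2017-01-07T02:12:00", "+2525550005", 1500),
]

if __name__ == "__main__":
    for hour, reasons in flag_hours(SAMPLE_CDRS, baseline_acht=180).items():
        print(hour, "->", "; ".join(reasons))
```

In practice the baseline ACHT would be computed from several weeks of your own traffic, and an alert would feed a block or a callback to the customer rather than a printout.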

Precautionary steps may be the best approach to prevent fraud before it happens. Turning off international calling or limiting the number of available locations for calls can stop attacks before they begin.

Businesses will be better-equipped to identify toll fraud early by partnering with a top-tier UC provider that takes a proactive approach to monitoring and analyzing real-time VoIP communications on a daily basis.

Planning for the foreseeable future

VoIP fraud and telephony security issues will remain a growing and critical concern for companies of all sizes.

IntelePeer is well-versed in security best practices and has a number of safeguards in place to help businesses like yours combat fraud. We actively support customer security through Fraud Alert network alarms and an active Operations Group.
