Most don't think about their telephone system when it comes to securing their network, but VoIP is actually a common vector of attack.
Anyone in business knows Voice over Internet Protocol (VoIP) calling. Its low cost and flexibility mean it has largely replaced the older wire-based public switched telephone network (PSTN) for most uses. But as the IP part of the name indicates, VoIP is an application running on the internet. It suffers the same vulnerabilities as other applications, but has been a bit behind in developing security.
But because longer distance calls still involve the telephone system, there are a wide range of interesting VoIP frauds that target both businesses and telephone service providers (TSPs). The Communications Fraud Control Association (CFCA) attributed $38.1 billion in losses to toll fraud in 2015. Credit card fraud losses in this same period were less than half that amount.
What Are The Security Issues With VoIP?
VoIP faces many security threats, from VoIP spoofing phones that allow scammers to impersonate IRS agents to ‘vishing’, the VoIP equivalent of phishing.
But the big money is in various forms of toll fraud: the theft of telephone services for use, for resale, or to generate fees somewhere in the telephone system. This fraud falls into two main categories, which depend on who the victim is—that is, who bears the cost of the fraud.
Fraud Aimed At Subscribers
Toll fraud used to be limited by the number of phone lines. But with VoIP, once one extension has been compromised, extra channels can be replicated to make many simultaneous calls, running up large bills extremely quickly. The calls are often aimed at a premium-rate number, the kind used for things like sex chat or psychics, which somewhat surprisingly still exist. Cuba, Somalia, Bosnia, Estonia, and Latvia are particular sources of this fraud.
This type of attack generally happens at night or on a weekend, and a business that does not have the proper monitoring in place can be hit with hundreds of thousands of dollars in bills. There are currently no laws requiring reimbursement by the carrier for fraud, as there are for credit card fraud, but large carriers do often reimburse for fraudulent use of this kind. This can be a consideration when choosing a carrier.
Fraud Aimed At Telecom Service Providers
For an international call, VoIP packets are routed through a wide range of intermediaries, whichever is cheapest and most efficient at that instant. And those many intermediaries sometimes provide an opportunity for fraud.
The packets are switched by big TSPs, smaller regional ones, and others. Some countries are lax about doing due diligence on companies applying to provide telecom services. And because these calls cross a variety of international borders, prosecution is difficult.
A variety of agreements on revenue govern call routing, and many frauds have, as their ultimate goal, ways of manipulating or arbitraging the revenue from these calls. Routing calls through your own service earns you a small amount of money on each packet. The podcast Reply All had an interesting episode, The Case of the Phantom Caller, on one such scam, involving routing 800 calls. Internationally there is arbitrage, bypass fraud, traffic pumping, CNAM revenue pumping... the list of possible frauds is fascinatingly long, and the potential profits large.
Since VoIP telephones are IP-based, business phone security should fall within the remit of IT network security. There are a number of specific things a business should do to minimize VoIP security risks, in addition to the usual emphasis on passwords and proper procedures.
- Session Initiation Protocol (SIP) is the most common VoIP protocol, and nearly half of all VoIP attacks target SIP. Set up a SIP firewall to filter out suspicious packets.
- Improve access control. Often too many people have access to the system. Restrict the access to only those who need it. Also choose specific call forwarding rules, and ensure that the ability to forward is also restricted. Delete unused devices.
- Review call logs regularly to see if fraudulent calls are being made. A more advanced system can also use algorithms to detect changes in call patterns, based on historic data, and shut down callers or locations until legitimacy is verified.
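As an added illustration of the call-log review step (example code, not from the original article), the following Python runs two checks over a constructed call detail record (CDR) sample: a per-extension hourly burst compared with a historic baseline, and off-hours calls to the high-risk destinations the article names. The CDR format, the "00" international dialing prefix, the country-code table and the baseline values are assumptions; the function returns a map of extension to the set of reasons it was flagged.

```python
from collections import Counter
from datetime import datetime

# Country codes for the destinations the article singles out (assumed dial prefixes)
WATCH_PREFIXES = {"53": "Cuba", "252": "Somalia", "387": "Bosnia", "372": "Estonia", "371": "Latvia"}
# Constructed CDR sample, "timestamp,extension,dialed_number": ext 1021 bursts to Latvia at 02:00 on a Saturday
SAMPLE_CDR = """\
2024-03-16T02:14:05,1021,0037125501234
2024-03-16T02:14:07,1021,0037125501235
2024-03-16T02:14:09,1021,0037125501236
2024-03-16T02:14:11,1021,0037125501237
2024-03-15T10:02:11,1034,02125550100
"""
BASELINE_CALLS_PER_HOUR = {"1021": 1, "1034": 6}  # constructed historic outbound calls/hour per extension

def parse_cdr(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ext, number = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ext": ext, "number": number})
    return rows

def watched_destination(number):
    # International calls assumed to be dialed with a "00" prefix; try the longest country code first
    if not number.startswith("00"):
        return None
    digits = number[2:]
    for length in (3, 2):
        if digits[:length] in WATCH_PREFIXES:
            return WATCH_PREFIXES[digits[:length]]
    return None

def off_hours(ts):
    # Nights and weekends, when the article says this fraud usually runs
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19

def detect_toll_fraud(cdr_text, baseline, burst_factor=3):
    rows = parse_cdr(cdr_text)
    flagged = {}
    # Rule 1: hourly call count well above the extension's historic baseline
    per_ext_hour = Counter((r["ext"], r["ts"].replace(minute=0, second=0)) for r in rows)
    for (ext, hour), n in per_ext_hour.items():
        if n > burst_factor * baseline.get(ext, 1):
            flagged.setdefault(ext, set()).add(f"{n} calls in the hour starting {hour:%Y-%m-%d %H:00}")
    # Rule 2: any off-hours call to a watched international destination
    for r in rows:
        dest = watched_destination(r["number"])
        if dest and off_hours(r["ts"]):
            flagged.setdefault(r["ext"], set()).add(f"off-hours call to {dest}")
    return flagged
```

A flagged extension would be the trigger to block outbound international calling for that device until its legitimacy is verified, as the list item above describes.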
It’s Not Just A Phone
Telephones are often treated more cavalierly than other internet-connected devices, because they have been part of daily life for so long. Businesses can substantially reduce the risks by recognizing VoIP vulnerabilities while taking advantage of its cost savings and flexibility.