Information security: Why organisations should think about how to tackle telephone hacking

​Increasingly, hackers are gaining access to corporate phone systems, allowing them to place long distance and international calls through major telecom networks using local systems.

Your organisation could be a victim of this type of fraud and would be responsible for all phone charges. Usually the owner of the phone system isn’t aware it’s happening until an enormous bill from their phone provider arrives. Having a properly secured telephone system is the best way to prevent telephone hacking and mitigate the potential damage and resulting costs to your organisation.

A private branch exchange – or PBX – makes connections among the internal telephones of a private organisation – usually a business – and connects them to a public telephone network via trunk lines, and incorporates telephones, fax machines, modems, and more.

Telephone hackers can infiltrate vulnerable PBX systems to make international and long distance calls, listen to voicemail, or monitor conversations. Victims of hacked PBX systems unknowingly allow the hackers to “sell” the use of their telephone system to others or provide the hackers with an opportunity to maliciously reprogramme their system.

Most PBXs today are software-driven and, when configured improperly, can allow hackers to access the system remotely. By controlling this PBX maintenance port, hackers can change the call routing configuration, alter passwords, add or delete extensions, or shut down a PBX, all of which can be disastrous for an organisation.

Some hackers call in on lines intended for customer use, some use stolen telephone cards, and some will even impersonate someone else to socially engineer their way into your system.

The better informed you are the better protected you are from the risks. You need to stay on top of the current threats, and establish and follow a policy on security for your system.

The principle aim of telephone security is to deter hackers from taking control of a telephone system, as fraudsters after free calls will usually move on to other PBXs if it takes too long to break into a system.

Organisations shouldn’t underestimate the difficulties that can be experienced with this issue. In 2006, the first cybercrime survey conducted by Information Systems Security Association found that 29 per cent of large organisations had fallen victim to telecom fraud at some stage.

In October 2011, the Communications Fraud Control Association reported the results of their 2011 Worldwide Telecom Fraud Survey which told us that estimated annual fraud losses are over £25 billion, and the top five countries where fraud originates include the United States, India, and the United Kingdom.

Some risks can come from, for example, maintenance ports on PBXs which hackers can easily exploit when the ports are left open and are protected by either weak or default passwords.

Organisations often use simple passwords such as 0000, 1234 or the same number as a particular phone extension, which hackers can easily guess to break into the system and run up large phone bills without the victim knowing until they receive their next bill.

You can combat this by installing systems that can bar access to premium rate numbers or even block international calls if the business doesn’t need them.