

Toll Fraud Prevention

Problem: A phone system that is not locked down can be breached and run up tens of thousands of dollars in long-distance toll fraud. The law holds the company that owns the phone system liable for those charges, as shown in this $90,270.89 example.

Solution: Identify any phone system breaches and prevent future breaches from happening.

Background: Phone accounts are set to lock out automatically after an incorrect password is entered too many times. Typically, three or fewer accounts need a password reset in a week. When many accounts were locked out on the same day, a system breach was suspected. Sorting the call log by the "Login Failed" result showed that the same inbound caller ID had been calling nearly every number on the roster and attempting to log in. Because these attempts were unsuccessful, they locked out the account associated with each number tried. Re-sorting the call log by this caller ID showed a successful login after many failures, followed by an outbound call to an international number.
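The triage just described (sort by "Login Failed", group by inbound caller ID, then follow a successful login to an outbound international call) can be scripted so it runs against every call log export rather than being noticed by hand. The following is an added example and is not code from the original page; the CSV layout, the field names, the thresholds and the sample log lines are all constructed assumptions that would have to be adapted to the real phone system's export format.

```python
"""Added example, not from the original page: call-log triage for a
voicemail password-spraying attack.  The log format and thresholds are
assumptions; the sample log below is constructed for the example."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,direction,from,to,result
# Inbound rows: from = external caller ID, to = extension dialed.
# Outbound rows: from = extension, to = dialed number.
SAMPLE_LOG = """\
2014-03-02 01:07:12,inbound,+15550001999,201,Login Failed
2014-03-02 01:07:41,inbound,+15550001999,201,Login Failed
2014-03-02 01:08:09,inbound,+15550001999,201,Login Failed
2014-03-02 01:08:37,inbound,+15550001999,202,Login Failed
2014-03-02 01:09:02,inbound,+15550001999,202,Login Failed
2014-03-02 01:09:30,inbound,+15550001999,202,Login Failed
2014-03-02 01:10:01,inbound,+15550001999,203,Login Failed
2014-03-02 01:10:29,inbound,+15550001999,203,Login Failed
2014-03-02 02:31:10,inbound,+15550001999,214,Login OK
2014-03-02 02:31:55,outbound,214,011371600123456,Call Completed
2014-03-02 09:15:00,inbound,+15550007777,205,Login Failed
2014-03-02 09:15:30,inbound,+15550007777,205,Login OK
2014-03-02 09:16:10,outbound,205,+15550003333,Call Completed
"""

FIELDS = ["ts", "direction", "src", "dst", "result"]


def parse_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        rows.append(r)
    return rows


def is_international(number):
    """Assumed North American dialing plan: 011 prefix, or a +country
    code other than +1, means an international destination."""
    if number.startswith("011"):
        return True
    return number.startswith("+") and not number[1:].startswith("1")


def find_password_sprayers(rows, min_failures=6, min_extensions=3):
    """Caller IDs whose failed logins are spread over many extensions.
    A forgetful user fails against one or two numbers; the attacker in
    the text failed against nearly every number on the roster."""
    failures = defaultdict(set)   # caller ID -> extensions it failed on
    counts = defaultdict(int)     # caller ID -> total failed logins
    for r in rows:
        if r["direction"] == "inbound" and r["result"] == "Login Failed":
            failures[r["src"]].add(r["dst"])
            counts[r["src"]] += 1
    return sorted(c for c in failures
                  if counts[c] >= min_failures
                  and len(failures[c]) >= min_extensions)


def find_breaches(rows, caller_id, window=timedelta(minutes=30)):
    """For one suspicious caller ID, pair each successful login with an
    outbound international call placed from that extension soon after."""
    rows = sorted(rows, key=lambda r: r["ts"])
    hits = []
    for i, r in enumerate(rows):
        if (r["direction"] != "inbound" or r["src"] != caller_id
                or r["result"] != "Login OK"):
            continue
        ext = r["dst"]
        for later in rows[i + 1:]:
            if later["ts"] - r["ts"] > window:
                break
            if (later["direction"] == "outbound" and later["src"] == ext
                    and is_international(later["dst"])):
                hits.append((ext, later["dst"], later["ts"]))
    return hits


def triage(text):
    """Map each spraying caller ID to the breaches (if any) it achieved."""
    rows = parse_log(text)
    return {cid: find_breaches(rows, cid)
            for cid in find_password_sprayers(rows)}


if __name__ == "__main__":
    for cid, hits in triage(SAMPLE_LOG).items():
        status = "BREACH" if hits else "spraying, no outbound call yet"
        print(cid, status, hits)
```

The thresholds are deliberately low so the constructed log trips them; on a real system they should sit above the normal weekly rate of lockouts mentioned above. The caller ID that only failed once against its own extension (+15550007777 in the sample) is exactly the legitimate forgotten-password case and is not reported.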

The security hole was that any caller could press 9 while listening to a user's voicemail greeting and the system would prompt them to log in as that user. The attacker worked through the roster systematically: dial a number, guess passwords until the account locked out, move to the next number, and repeat until a password was guessed correctly. The remote login existed so that users could check for new voicemail while out of the office. Unfortunately, the phone system had no way to let a remote user check voicemail without also letting that user place outbound calls once logged in.

The solution was to remove the ability to log in by pressing 9 during a voicemail greeting and to create a new login protocol that lets legitimate users check their voicemail while keeping attackers out of the phone system. The new system uses a single number that all users call to log in remotely. This number hangs up automatically if called after 9 PM or before 7 AM (most of the attacker's attempts were between 1 AM and 3 AM). After the call is answered, the user enters a multi-digit remote access code; entering any digit incorrectly, or pausing more than 3 seconds between digits, disconnects the call. Only after the access code is accepted is the user asked for an extension and password. The remote access number and code can be changed at any time.
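A small simulation of that gate makes the rules concrete and gives something to test against. The code below is an added example, not the phone system's own logic or code from the original page: the business hours, the access code and the DTMF timing events are constructed parameters. One deliberate difference from the description above, noted here as a design choice rather than as the page's method: the code is compared only once all digits are in, with a constant-time compare. Disconnecting the instant a wrong digit is pressed would tell the caller which position was wrong, letting an attacker recover the code one digit at a time (about 10 guesses per position) instead of having to guess the whole code.

```python
"""Added example, not from the original page: a simulation of the
single-number remote login gate (off-hours hang-up, multi-digit access
code, 3-second inter-digit timeout).  All hours, codes and DTMF timings
are constructed assumptions."""
import hmac
from datetime import datetime


def within_hours(now, open_hour=7, close_hour=21):
    """Calls before 7 AM or from 9 PM onwards are hung up immediately."""
    return open_hour <= now.hour < close_hour


def collect_code(digit_events, code_len, max_gap=3.0):
    """digit_events: list of (seconds since answer, digit) tuples.
    Returns the entered code, or None if the caller paused more than
    max_gap seconds before any digit or never finished the code."""
    entered = ""
    last_t = 0.0
    for t, d in digit_events:
        if t - last_t > max_gap:
            return None          # too slow: disconnect
        entered += d
        last_t = t
        if len(entered) == code_len:
            return entered
    return None                  # caller hung up or stopped early


def remote_login_gate(now, digit_events, access_code, log):
    """Decide the outcome of one inbound call to the remote access number
    and append an audit record to `log` so every attempt is visible.
    Outcomes: "hangup", "disconnect", or "prompt_extension"."""
    if not within_hours(now):
        log.append((now, "hangup", "after hours"))
        return "hangup"
    entered = collect_code(digit_events, len(access_code))
    if entered is None:
        log.append((now, "disconnect", "timeout or incomplete code"))
        return "disconnect"
    # Constant-time compare on the full code: a wrong guess reveals
    # nothing about how many leading digits were right.
    if not hmac.compare_digest(entered, access_code):
        log.append((now, "disconnect", "wrong access code"))
        return "disconnect"
    log.append((now, "accepted", "prompting for extension"))
    return "prompt_extension"


if __name__ == "__main__":
    audit = []
    good = [(0.5, "4"), (1.2, "7"), (1.9, "1"), (2.6, "9"), (3.3, "2"), (4.0, "0")]
    print(remote_login_gate(datetime(2014, 3, 2, 2, 15), good, "471920", audit))
    print(remote_login_gate(datetime(2014, 3, 2, 10, 0), good, "471920", audit))
    for rec in audit:
        print(rec)
```

The audit list stands in for the call log entries that make attempts visible: every hang-up and disconnect is recorded with its reason, so a run of "wrong access code" records from one caller ID is the cue to rotate the code or number.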

Now an attacker trying to penetrate the phone system must first find the one remote access number, enter every digit of the remote access code correctly, and then guess a valid extension before being able to try a user's password even once, and all of this during daytime hours. This greatly increases the time a brute-force attack would take. In addition, every attempt is easy to spot in the call log, and the remote access number or code can be disabled or changed immediately when an attack is suspected.