Voicemail hacking is not just a problem for celebrities. According to the National Fraud Intelligence Bureau (NFIB) it affects an increasing number of businesses every year and the costs, much of which are borne by the business, are in the $billions globally. Clearly the so-called ‘controls’ built into PBX and voicemail systems are inadequate. As organised crime increasingly focuses on this lucrative revenue stream, Paul German, CEO, VoipSec calls on businesses to take another look at voicemail security.
Phone hacking is a multi-billion dollar criminal activity, with the Communications Fraud Control Association (CFCA) estimating that fraud losses due to PBX hacking are in the region of $4.4 billion. Indeed, it is the number one attack vector for security breaches – yet one far too few businesses even consider, until too late. Whether the goal is call jacking (toll fraud) or international revenue share fraud, the potential spoils are encouraging hackers to become increasingly creative.
And one key area of risk for businesses is voicemail hacking. While voicemail systems are, in theory, password protected, the vast majority of users never reset the password from the default – either 1234 or 0000. With the door wide open, it is easy for hackers to gain access to the voicemail, at which point it is a simple step to compromise the system to accept and make international collect calls. The business will only discover the problem when the next bill arrives.
Given the level of activity and cost associated with this activity, why have vendors been unable to help organisations lock down the voice network? In theory, voice and security providers have been trying to solve the voicemail hacking problem for some time, but the approach has depended far too heavily on policies that are simply not workable for the vast majority of organisations.
Clearly users should change voicemail (and other) passwords regularly – but few do. It may also make sense on paper to block all international calls to simply prevent any costly fraudulent international activity. (Although how many companies truly operate in a single country these days?) But what happens when an individual needs to contact a customer who is on a business trip abroad? Or track down a new supplier? The only option is to disable the international ban – at which point the entire system is wide open again.
Furthermore, such process led models are typically static and fail to address the fact that the threat landscape is constantly changing. Putting controls in place to protect against a specific hack is great – until the hacker tries something new. And this is where the voice security model needs to change and evolve fast from the hardware led, ‘implement once, update never’ approach, to a software model that allows continuous update.
Just as the AV and firewall systems are continuously updating to reflect and deflect the latest threats, software based Session Border Controllers (SBC) can adapt to support the evolving security risks affecting voice networks. For example, specific voicemail protection modules can be provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation. In addition, the solution will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.
Organisations need to recognise that voice networks are now a primary target, with attacks on voice networks representing 67% of all attacks recorded against UK-based services according to Nettitude. As criminals look to exploit every opportunity, from voicemail hacking onwards, the onus is on organisations to lock down the network not just today but to ensure it remains locked down against every threat that will without doubt emerge in the future.
[su_box title=”About Paul German” style=”noise” box_color=”#336588″][short_info id=’60222′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.