What is Toll Fraud?
In the telecommunications fraud industry, phone hacking is more commonly referred to as ‘Toll Fraud’. It is a damaging act of fraud that impacts Australian businesses and companies worldwide. The impact on victims of toll fraud is not only monetary; it can also cause reputational damage.
What is a hacker?
Hackers are fraudsters motivated by the thrill, the notoriety, the challenge, or simply the money to be made by gaining unauthorised access to your phone system, voicemail, VoIP or other communications systems. They are typically international hackers involved in organised crime.
Why do they do it?
Toll fraud can be a lucrative business for a hacker, who can compromise an unprotected phone system or obtain your SIP registration details through your modem/router/VoIP adapter. The most common motive is call selling by organised crime: the compromised system is used to route calls, often to overseas numbers and premium rate services, and the victim pays the bill.
Is my phone system secure?
Hardware and devices that you purchase from us have already been configured with some security settings in place. However, since some of the devices we sell are not locked down, you may inadvertently put yourself at risk by changing the configuration. Hardware and devices we ship come with instructions and advice about what you need to do to stay safe. We have information about Internet Security on our website. The Australian Cyber Security Centre has set up a website (cyber.gov.au) with free and paid tools to keep your computers clean.
Is my account secure?
CallStream operates secure data networks that are designed to protect your privacy and security. We are constantly reviewing and improving our practices and policies. However, this security only extends to things that are within our control. If a hacker has obtained your account or SIP details from your insecure device or computer, we have no way of preventing them from using your account. We do, however, have systems to limit the total cost of the fraud.
CallStream has several features that can help you manage costs on your account. These include:
- Setting a limit on a single credit card transaction amount
- Setting a limit on the number of credit card transactions per 30 day period
- Restricting the number of credit cards that can be registered
- An international call cap
- Call Barring (block call category types; e.g. block mobile calls, block international calls, etc.)
We have already applied some default settings on your account, but if you would like to change them or want to check what they are, contact us and our staff will assist you.
What should I do if I suspect someone is unlawfully using my service?
Contact us as soon as possible. We will help you to:
- Change your account username and password
- Change your VoIP password
- Block/Bar international calls
- Provide any details that you may need to give to Police or your Insurance company.
Who is responsible for the cost of unauthorised call charges?
Toll fraud results in unauthorised call charges billed directly to your telephone account. You are responsible for maintaining the security of your hardware. We strongly suggest that you read our information about Internet Security. If you need advice or information on security settings, please call our technical support team:
1300 225 578
In accordance with our standard agreement with you, you are liable to CallStream for all charges incurred on your account. As a customer of CallStream you are accountable for any misuse, fraudulent or otherwise, of your hardware.
Network & VoIP Security Tips
For anyone who has an internet connection, paying attention to your network security should be one of the most important things you can do. A well maintained and managed network greatly reduces the risk of malware and of compromise of sensitive data and access, although no single measure removes that risk entirely. Here are some simple steps you can take to make sure that you are protected, and further information is available from State Police Departments: Queensland Police Wireless Security Article and South Australia Police Toll Fraud Prevention Tips.
1. Modem/Router Security
- Change the default 'admin' password - Your router is like your front door and the passwords are the keys. Default router passwords are well documented and widely available on the internet, so protect your network by changing the locks. Change the default ‘admin’ password and replace it with something long and complex. Once you have done that, document it and store it in a safe place (for example, a password manager).
- Disable remote access - Remote access (or remote management) is a convenient way for users and technicians to manage and access routers over the internet. This same access can also be used by hackers to change settings and steal your VoIP login details. If you aren’t planning to use this, then make sure it is disabled. If you do, then configure your firewall to restrict access from trusted sources only.
- Wireless networks - If you don’t want someone using your internet, using up your monthly download quota, or reaching your VoIP adapter from inside your network, we strongly suggest that you:
a. Firstly, if you aren’t using wireless, then make sure that it is disabled. Not all routers will have it disabled by default.
b. Hide your Service Set Identifier (SSID) – This is the network name that shows up when someone looks for available wireless networks to connect to. Hiding it stops casual discovery, but anyone with wireless scanning tools can still see a hidden network, so treat this as a minor hurdle rather than protection. If you can’t hide it, then change the default SSID to a unique and non-descript name.
c. Use WPA2 encryption (or WPA3 where your router and devices support it) with a strong passphrase – This is the recommended way of protecting your wireless network. Never use WEP, whose protection is weak and easily broken.
d. Use MAC address filtering – Using this you can limit access to your wireless network by adding trusted wireless devices to a permit list. Note that MAC addresses can be observed and copied by an attacker, so use filtering in addition to WPA2, never instead of it.
2. Configure and use a Firewall
Firewalls require some advanced configuration to work properly with some games and software, but it is well worth your time to configure and use them. Firewalls limit which ports can be used, from what source IP address, and with what type of traffic, which helps keep malicious software out and prevents people from using your internet connection as a path into your local network. It’s recommended that you start with a block-all policy and then add rules to allow access only from trusted or known sources.
3. Install and use a credible Anti-spyware, Anti-virus software package
Spyware can present a major problem, especially in the form of key loggers that steal your passwords, so make sure that your anti-virus and anti-spyware definitions are kept up to date, and run regular full system scans.
4. Keep your Operating System updated
Updates are critical to the security and reliability of your computer. Some of these updates fix bugs and close known exploits, so keep your operating system up to date to ensure you have the latest protection.
5. Common threats
- Never open email attachments, email links or instant messages from people you don't know.
- Be careful about accessing your network from shared computers or public networks (wireless hotspots)
- Be careful when web browsing. Downloading torrents or unauthorised versions of software is one of the easiest ways to undo your network security.
6. VoIP Security
Protecting your computers from online threats is essential, as is protecting all devices that use and are connected to the internet. To make sure that your system is more resilient to network attacks and fraud, we recommend you do the following:
- Protect the administration and remote management interface with a strong password and, where possible, a non-standard access port. A non-standard port only reduces automated scanning noise; it is no substitute for a strong password and restricting which addresses can reach the interface. Treat these credentials like credit card numbers and keep them confidential
- Use long, random alphanumeric passwords, and SIP usernames that differ from your extension numbers; especially if you have remote extensions or Direct Inward System Access (DISA). Extension numbers are easy to guess, so a username equal to the extension leaves an attacker with only the password to find
- Block outbound dialling from your voicemail system to prevent Dial Through Fraud (DTF)
- Only allow SIP authentication and inbound call requests from trusted IP addresses. Block all others
- Restrict the destinations phones can call by configuring dial plans, call routes, and user access
- Make use of an intrusion detection system (IDS) and actively monitor your calls
- Delete employee authorisation codes when they leave your company
- If you are selling or discarding your VoIP hardware, make sure that you factory reset it and check that all SIP authentication usernames and passwords have been removed
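The checks in this list, as an added example in Python (this is not CallStream's code or any product's own software): a SIP registration allow-list by source address (the block-all-then-allow-trusted approach from the firewall section, applied to SIP), a dial plan that restricts destinations, and a simple monitor over registration logs and call records of the kind an IDS or call review would flag. The log formats, IP addresses, phone numbers, business hours and thresholds are constructed assumptions for illustration; real PBX log formats differ.

```python
"""Offline checks for the VoIP hardening points above (added example; not
CallStream's code). Log formats, addresses and numbers are constructed."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed trusted networks for SIP registration: the office LAN and one remote worker.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]
# Assumed dial plan: block international (0011 / +) and premium rate (190x) destinations,
# except an explicitly allowed overseas office. Prefixes follow Australian conventions.
BLOCKED_PREFIXES = ("0011", "+", "190")
ALLOWED_INTERNATIONAL = ("+64",)
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time, assumed
REG_FAIL_THRESHOLD = 5             # failed registrations from one source before alerting

SIP_LINE = re.compile(
    r"^(?P<ts>\S+) REGISTER user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$")

# Constructed SIP registration log: an outside host guessing extension 101's password,
# normal LAN registrations, and a LAN host repeatedly failing (e.g. a malware-infected PC).
SIP_LOG = (
    ["2024-05-03T02:14:%02d REGISTER user=101 src=198.51.100.23 result=FAIL" % s for s in range(3)]
    + ["2024-05-03T09:00:00 REGISTER user=102 src=192.168.1.20 result=OK",
       "2024-05-03T09:00:30 REGISTER user=105 src=203.0.113.7 result=OK"]
    + ["2024-05-03T09:01:%02d REGISTER user=103 src=192.168.1.21 result=FAIL" % s for s in range(5)]
)
# Constructed call detail records: timestamp,extension,destination,duration_seconds
CDR = [
    "2024-05-03T10:15:00,102,0398765432,120",        # local call, permitted
    "2024-05-03T02:20:11,101,0011447700900123,600",  # international, blocked by dial plan
    "2024-05-03T02:25:40,101,1900123456,300",        # premium rate, blocked by dial plan
    "2024-05-03T23:05:00,102,+6493000000,45",        # allowed destination, but out of hours
]


def sip_source_allowed(ip):
    """Allow-list check: only trusted addresses may even attempt SIP authentication."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def dial_plan_allows(number):
    """Destination restriction: explicit allow list first, then blocked prefixes."""
    number = number.replace(" ", "")
    if number.startswith(ALLOWED_INTERNATIONAL):
        return True
    return not number.startswith(BLOCKED_PREFIXES)


def registration_alerts(lines):
    """Map source IP -> reason for every source that should be blocked at the firewall."""
    failures = Counter()
    alerts = {}
    for line in lines:
        m = SIP_LINE.match(line)
        if not m:
            continue                       # ignore lines that are not registration events
        src = m["src"]
        if not sip_source_allowed(src):
            alerts[src] = "registration attempt from untrusted address"
        elif m["res"] == "FAIL":
            failures[src] += 1
            if failures[src] >= REG_FAIL_THRESHOLD:
                alerts[src] = "password brute force (%d failures)" % failures[src]
    return alerts


def cdr_alerts(lines):
    """List (extension, destination, reason) for calls that breach policy or look like fraud."""
    alerts = []
    for line in lines:
        ts, ext, dst, _secs = line.split(",")
        when = datetime.fromisoformat(ts)
        if not dial_plan_allows(dst):
            alerts.append((ext, dst, "destination not permitted by dial plan"))
        elif when.hour not in BUSINESS_HOURS and dst.startswith(ALLOWED_INTERNATIONAL):
            alerts.append((ext, dst, "international call outside business hours"))
    return alerts


if __name__ == "__main__":
    for src, why in registration_alerts(SIP_LOG).items():
        print("BLOCK %s: %s" % (src, why))
    for ext, dst, why in cdr_alerts(CDR):
        print("REVIEW ext %s -> %s: %s" % (ext, dst, why))
```

Two design points carry over to a real PBX: a registration attempt from outside the trusted list is an alert on the first packet, not after a threshold, because with a proper allow-list that traffic should never reach the SIP service at all; and the dial plan is checked before the time-of-day rule, so a blocked destination is flagged whenever it is dialled, while the out-of-hours rule only catches calls to destinations the business legitimately uses.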
Failing to secure your PBX or VoIP adapter may result in the following:
- Toll Fraud – utilising your PBX or account details to make calls at your expense
- Unauthorised access to your system resources, information and privileges, or eavesdropping on your calls and voicemail (through fuzzing, sniffing, or brute force attacks)
- Denial of Service – disabling your voice communication using packet floods
These security steps are critical to ensure your protection against internet attackers. If you require assistance configuring or implementing any of these recommendations, contact a certified and credible IT professional or PBX system integrator.
By setting up your network properly and using reliable security policies and procedures, you can sleep more soundly and feel confident that your computers, network, and phones, are as safe as possible.
Asterisk Security - more info
Queensland Police Wireless Security Article - more info
S.A. Police 'Toll Fraud' Media Release - more info