Forwarded From: plexor <plexorat_private>
http://www.keytel.com/tfac.htm

TOLL FRAUD FACTS

Toll Fraud - The Crime of the 90's

Toll fraud costs our companies billions of dollars every year. From the perpetrators' view, toll fraud is enormously profitable and low risk. Unless you are careless, the chance of being caught is negligible. If you are somehow apprehended, chances are you will not be successfully prosecuted. If you are convicted, chances are the time you serve will be minimal. There are hackers who are in prison, in some cases for "crimes" that are trivial. They don't belong there. However, law enforcement organizations are frustrated by professionals who are rarely caught and convicted.

Two types of toll fraud, cellular and calling card fraud, get all of the publicity. But these types of fraud are less than half of the total dollars lost. Cellular fraud and calling card fraud get attention because they happen to individuals. PBX fraud occurs at companies who don't publicly acknowledge the incidents. Cellular and calling card losses are borne by the carriers. They take the fraudulent calls off the bill. But the law says that the owner of the PBX pays for all calls made from their system, legitimate or otherwise!

The local and long distance carriers seem to be shy about the subject of fraud costs. Although their stance is improving, most of the costs of fraud are borne by the consumer. Telecom & Network Security Review reports that the cost of toll fraud was $3.325 billion in 1995 and is expected to increase by $395 million in 1996. With so much money at stake, it is easy to see why hacking for profit has become a serious business. We are not merely up against young people, formidable though they are, who are out to prove their prowess on a PC. We are confronted by professionals who are highly skilled and well armed with the latest technology and tools. These thieves are not out to make a few calls on your bill.
There is a complete underground distribution network for phone numbers and authorization codes with established wholesale prices. One phone company representative told me that there have been outlaw cellular phone sites operated solely for fraudulent calls.

The largest losses can occur when your company's PBX (Private Branch Exchange) is compromised. Telecom & Network Security Review reports that this type of fraud will cost companies $1.5 billion in 1996. The actual costs extend well beyond the direct carrier charges.

A PBX is a sophisticated computer that is primarily used to route calls to your internal phones and to outgoing lines. Once the numbers and/or authorization codes are known to the perpetrators, they are sold to "call-sell" operators. The operators then mass distribute the numbers, which are then used by people at the retail end. There is so much money to be made that call-sell operators are increasingly putting hackers on their payrolls.

Frauds of this nature often occur over a long weekend when the system administrator at your company is not monitoring usage. Large frauds can occur over longer periods of time. Southern Illinois University was hit in 1995 for $1.1 million.

Phone numbers and authorization codes are also very valuable to drug dealers and other criminals. They are well aware that the numbers and times they call can be used in investigations and don't want these numbers on their bills or in phone company records that can be linked to them. With access to your PBX, they call your system, call out to another system and then to their final destination. Using this technique, called "looping," they effectively mask the true locations they have called.

There are a number of ways your PBX can be compromised. One common method is to crack the authorization codes for the remote access feature, sometimes known as DISA (Direct Inward System Access).
This feature allows a caller to dial into the system, enter an authorization code and get an outbound line. This is a convenient way for executives to avoid carrying a calling card. It is a nice perk. Unfortunately the codes are usually not well managed and are not difficult to crack. Do not use this feature! Use calling cards instead. It may be more expensive, but by law your liability to fraud on your calling card is limited. If the fraud involves CPE (Customer Premise Equipment), including your PBX and voice messaging systems, you are liable for all long distance charges. Obviously, reviewing your phone bills will discover the fraud, but by then it is too late.

Another method of entry to your PBX is the remote maintenance port. All current PBXs have a dial-in port that allows a remote user, including the PBX vendor, to access the system for maintenance. The maintenance ports have standard user IDs. The standard IDs are well known to the hacker community. Passwords are variable and should be properly constructed and maintained. The default passwords are also well known and must be reset when the system is installed. Many systems are compromised using the default passwords.

PBXs can be set up to disconnect after a predetermined number of invalid access attempts. However, exceeding this limit may not shut down the port. You can be hacked all day by re-dialing. Alarms can be set, but must be monitored 24 hours a day to be effective. Reports are available that can indicate attempts at hacking; however, these require diligent daily review. For these controls to be effective they must be specifically set and monitored. To effectively prevent large losses, you need a contingency plan.

What hackers want is a dial tone, an outside line. Once they obtain access through the maintenance port they have the run of the system. They can set themselves up with outbound access such as DISA, described above, and turn off the control features.
Hackers can get your maintenance port number in several ways. They may find it by scanning using automated dialers. Unfortunately, many cases of PBX fraud result from insiders or vendors who disclose the phone numbers, IDs and passwords.

Most systems have a feature known as an Automated Attendant. An Automated Attendant answers the line and invites the caller to enter the extension of the person they called or enter zero to speak to an operator. The perpetrator then simply enters 91 and the first two digits of the area code he wants to call. The Automated Attendant switches to that extension, but actually this may signify an outgoing call. When the caller gets dial tone, he simply enters the remaining digits needed to complete the call.

An Automatic Call Distributor (ACD) is a system that queues and routes calls to service departments. ACDs are often equipped with an automated attendant and voice messaging. These systems are frequently compromised if care is not used when installing features that allow an incoming call to access an outgoing line. If a caller can get dial tone, you have a big exposure to fraud.

Call forwarding to outside numbers can be unsafe. In some systems, if 'loop start' is used, when the call is forwarded and answered, the perpetrator will say they got a wrong number or say nothing. When the called party hangs up, the system briefly leaves a dial tone before disconnecting. The perpetrator quickly grabs the dial tone and places a long distance call. During a recent audit, my client was curious about some late night calls made to their technical staff at their offices. Such calls often are made by someone looking for a PBX with this weakness.

Call forwarding outside the system has other toll fraud possibilities. Any phone can be forwarded to any outside number. Recently a client found a phone in a locker room forwarded to a long distance number at another company.
Our guess is that someone forwarded the phone so that when they dialed that extension, they were forwarded to a friend's company. Lobby phones and conference room phones are also susceptible to this simple "hack."

An article in "2600, The Hacker's Quarterly" suggested that the best place to start hacking was Voice Messaging Systems (VMS). VMSs are notoriously easy to hack and often have the added benefit of toll free 800 inbound access. Through an advertisement in 2600, I was able to purchase a document on exactly how to hack voice mail systems. The well-crafted, accurate document includes detailed information on most of the current voice mail systems manufactured, the menu structures, the default mailbox passwords and how many password attempts can be made before you are kicked out of the system. They even give you a (then current) list of 800 inbound lines to companies' voice mail systems and the systems' manufacturers so hackers can practice their techniques.

Some VMSs allow an incoming call to access an outbound line through the PBX using a feature sometimes known as "thru-dial". When a hacker breaks the simple password to a mailbox, they can use this feature to get an outbound dial tone. Also, by using the call transfer feature of the VMS, the hacker may get dial tone by entering the transfer code and the first digits of the number to be called. An example would be *T91XX, where T is the digit your system has assigned for transfer and XX is the first two digits of the called number.

Hackers also can capture a mailbox and trade messages freely. The intent is to find an unused mailbox and take it over by giving it their own password, and using it for themselves. In effect, they establish their own bulletin board system. They also frequently record their own greeting. "Yes operator, we will accept the charges" as a greeting can result in thousands of calls billed to your company. Far worse can happen.
If the hackers are persistent, they can get into the system administrator's mailbox. From there they can listen to other boxes' messages (on some systems), or change, add and delete mailboxes. If they so desire, they can shut down the system! Hackers have published the default system administrators' mailbox numbers.

VMSs also have remote maintenance ports. If they penetrate the remote maintenance port, which is often less difficult to crack than a PBX, they will turn on "thru-dial" and any other feature they want. They set up many of their own mailboxes so they can make many outbound calls at the same time. In addition to hacker use, your system could be used by criminals to trade messages.

Once you have closed the obvious holes in your CPE systems' security, there is still work to be done. Many companies are hit again and again after they thought they had solved the problems. No system is invulnerable. Hackers are always finding new weaknesses to exploit. Software and feature upgrades may create new weaknesses. Current or ex-employees become disgruntled or desperate for money. To control your systems, effective call reporting and monitoring must be in place. Most equipment has some level of call reporting. Add-on systems can supply even better information, including calling patterns and trends that can indicate fraud.

This document has covered the most common exposures and risks. "Social engineering" practices and abuse of long distance privileges by employees are other areas that require attention.

Why haven't companies audited their voice systems? First, most are not aware of the exposures, the risks and the sophistication of voice systems. This document solves that problem. Second, although similar to traditional computer systems, these systems are very different: the jargon and acronyms are foreign to most business people and the learning curve is steep! There is scant detailed technical information about the risks in most vendors' systems.
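The call reporting and monitoring recommended above can be automated against the PBX's call detail records. The following is an added example, not code from the original article or from Keytel: it screens constructed CDR lines for the long-weekend DISA pattern described earlier (repeated off-hours international calls on one authorization code) and reports the codes to disable and the minutes at risk. The CDR layout, business hours and alert threshold are assumptions; real PBX CDR formats are vendor-specific.

```python
# Added example (not from the original article): screen PBX call detail
# records (CDR) for off-hours DISA abuse. The CDR layout
# (time,origin,auth code,dialed number,seconds), the business hours and the
# alert threshold are assumptions; real PBX CDR formats vary by vendor.
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines: 1996-03-16 is a Saturday.
SAMPLE_CDR = """\
1996-03-15 14:02:11,ext2214,-,12125551212,180
1996-03-16 02:14:05,DISA,4471,011441715550101,2400
1996-03-16 02:19:40,DISA,4471,011441715550102,1900
1996-03-16 02:31:12,DISA,4471,0115255510123,2200
1996-03-16 03:05:00,DISA,4471,011441715550107,2100
1996-03-16 03:45:30,DISA,4471,0115255510124,2300
1996-03-18 09:30:00,ext2214,-,18005551234,60
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday (assumption)
ALERT_THRESHOLD = 3            # off-hours international DISA calls per code

def parse_cdr(text):
    """Parse the constructed CDR format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, origin, code, number, secs = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "origin": origin, "code": code,
                        "number": number, "seconds": int(secs)})
    return records

def is_off_hours(t):
    """True on weekends or outside BUSINESS_HOURS, when nobody is watching."""
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS

def is_international(number):
    """North American dialing: an 011 prefix means an international call."""
    return number.startswith("011")

def find_suspect_codes(records):
    """Return {auth code: minutes billed} for DISA codes that placed at least
    ALERT_THRESHOLD off-hours international calls; disable and investigate."""
    calls, minutes = Counter(), Counter()
    for r in records:
        if (r["origin"] == "DISA" and is_off_hours(r["time"])
                and is_international(r["number"])):
            calls[r["code"]] += 1
            minutes[r["code"]] += r["seconds"] // 60
    return {c: minutes[c] for c, n in calls.items() if n >= ALERT_THRESHOLD}
```

Run nightly and over weekends against the previous shift's CDR export so the alert fires while the calls are still in progress, not when the bill arrives.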
As a practitioner in this area, I have to dig out the "golden nuggets" of information from vendor manuals. But I know that the other people who read the manuals are hackers, some are professionals. One piece of good news for auditors: they can audit their company's systems from anywhere by dialing in through the maintenance port. I often audit distant systems this way.

Note: This document is not designed to provide an audit program of all risks and features.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:12:00 PDT