Telecom Security & Fraud
Welcome to the Abilita Blog Advisor on Telecom Spoofing & Fraud topics. The information and comments posted here will help you better understand your telecom environment and how to respond to the changes that are taking place daily.
When it comes to creating and changing passwords, people make all kinds of excuses to themselves: If my password is too complicated, I won’t remember it. What’s the use of having a secure, complicated password if I have to write it down and someone could find it anyway? If I have too many passwords, I can’t remember them all. If I have too many passwords, I can’t remember which one goes with which site. If I can’t remember which password I used, I get locked out of the site for putting in the wrong one and then I can’t get in at all. I’m not rich, nobody wants my information…
Any of these sound familiar? Unless you’re an IT professional, extremely security conscious or a conspiracy theorist, they probably do. These are issues we all face, and it’s easy to justify… until something bad happens. The fact is, cybercriminals don’t steal passwords for fun, they do it to make money, and they’ve gotten very good at it. They know all our little excuses and they use them. They know all our tricks for trying to make passwords secure while still making them easy to remember, and they use those against us, too. They don’t care if someone is an average fellow with an average bank account — they’re perfectly happy to steal average amounts of money as long as they can do it a thousand times to a thousand people. They’re also happy to steal lots of money or sensitive data, whatever you have that they can use. This is why it’s important for everyone to give serious thought to how they select their passwords.
Given the recent statistics, there’s no doubt that it is very important. According to the new Javelin Strategy & Research Report, identity fraud rose in 2011 by 13 percent. This means that there were 1.4 million more victims of identity fraud in 2011 than in 2010. Furthermore, Javelin Strategy & Research’s findings indicated a 67 percent increase in the number of data breaches suffered by Americans and that those who had suffered a data breach were 9.5 times more likely to be identity fraud victims.
Microsoft’s Safety and Security Center gives several tips for creating strong passwords:
• Length: Passwords should be long, at least eight characters. Think about it this way: More secure digital locking mechanisms come with more numbers in the codes. The reason is simple: The more numbers there are the more guesses you have to get right. Passwords work in much the same way.
• Complexity: The greater variety of letters, numbers, symbols and punctuation you use in your password, the better. Avoid using letter-to-symbol conversions that are common, such as replacing “and” with “&” or “to” with “2,” as password hacking software checks for these automatically.
• Variation: This is possibly one of the hardest things for people to do. However, frequently changing passwords is what keeps them strong and effective. As much as many of us hate changing our passwords, it really does need to be done. To help you remember, set a reminder on your phone or calendar to change credit card, email and banking website passwords every three months.
• Variety: This is another tough one for many people. We tend to use the same password for multiple sites so that it is easier to remember, but this is very dangerous. It’s probably not the end of the world if someone hacks your password for your favorite forum, but what if you use the same password to log in to online banking? It is incredibly common for cybercriminals to steal your password on a website with weak security and then use the same password on your banking website, or other more secure environments. No matter how secure your bank’s website is, if you use the same password on an unsecure website, your finances are still in jeopardy.
• Consider the Software: People aren’t just out there taking what they know about you and guessing your password. Cybercriminals decipher passwords using sophisticated tools. When creating your passwords, avoid repeated and sequential characters, dictionary words (regardless of language), abbreviations, common misspellings, words spelled backwards and personal information.
Another idea to consider is the purchase of an online password manager service. First, take a moment to write down every account or website on which you use a password. This will include email, banking, credit cards, social media, sites on which you make purchases (and not just big ones like Amazon, try to get them all!), work and education-related sites, forums, etc. Assuming you want your passwords to be as secure as possible and you plan to take all of the advice listed above, you are left with three options: exhibit amazing memorization skills, write the passwords on a piece of paper (the risks of this method should be obvious) or use an online password manager service.
At its most basic level, an online password manager service saves each individual password on a secure cloud server. You can then use a single password to access all your passwords from anywhere with an Internet connection. This allows you to have a separate password for every account you use, while only requiring you to remember one password. Many online password manager services provide an option that will create random passwords for you that are more difficult to break because they are nothing but a random jumble of characters. Some online password manager services sit idle on your computer until you enter a password and then automatically save the information.
There are a variety of online password manager services available, ranging from free to around $30 a year. Many of the paid services cost around $10 a year. Some online password manager services are RoboForm, LastPass, HandyPassword, PassPack and NeedMyPassword.
Regardless of how secure you think your passwords are, it’s important to do this right in the cyber world we now live in. Even if you don't think your personal information would be of much use to cybercriminals, it is extremely valuable to you and deserves to be protected.
Abilita Telecom Consultants
Recently there was a comment from a consultant who had a client who was receiving recorded solicitations to their cell phone with a bogus Caller ID of 407-000-6938. I'm sure that many of you share my opinion that the spoofing of the caller identification information represents a gross misapplication of telecom technology and must violate some regulatory rules. I thought I would delve a bit deeper into this topic and offer my opinion on what is happening and what recourse might exist.
First, it is important to understand that the public switched telephone network is really made up of two distinct networks - a voice network that carries the actual conversation, and a packet data network that controls call setup, tear-down and all of the data necessary for network features like Caller ID, Calling Name and 800 services. This data network is known as the SS7 or "signaling system 7" network. Originally, access to the SS7 network was limited to exchange carrier switches and databases (i.e., calling name database and 800 database) but was extended to PBXs in order to offer Caller-ID and other advanced signaling services to enterprise customers via an ISDN PRI trunk. The advent of voice-over-IP networking and the Session Initiation Protocol (SIP) has extended the visibility of the signaling information to any VoIP device with a proper connection to the network.
When placing a call, the originating switch will populate caller information in two distinct data packets that traverse the SS7 network. The first, and most critical, is the automatic number identification, or ANI. ANI identifies the true billing telephone number of the originating line, is not usually displayed to a called line and typically cannot be manipulated by an end user as it is populated by the serving CO switch. However, in the VoIP world it is possible to originate a call that has a user-defined ANI, which may be arbitrary. ANI information is sent to 911 centers (PSAPs) and can be delivered to PBXs over an ISDN PRI. The delivery of ANI to a called party is typically an option on an inbound 800 line to a call center operation, but it may also be visible to an IP device connected via a SIP trunk.
The second packet of number information sent with every call is the Caller ID. This is the number that will be displayed to the called party when the call arrives at the destination. The Caller ID (CID) can be blocked, either by invoking a feature code when the call is originated (per call blocking) or by subscribing to a privacy feature (per line blocking). However, neither feature actually removes the CID information from the call, but instead sets a privacy signaling flag that indicates to the terminating office that the CID is not to be delivered to the called party.
CID can be manipulated, changed, or spoofed by a switch that is connected to the signaling network. This can be a central office switch, a PBX with an ISDN PRI trunk, or a VoIP switch with a SIP trunk connection.
In the case of the recorded solicitations, the bad guys are most likely using their own VoIP switch that is SIP-connected, and inserting a bogus CID in each outbound call. The traditional local exchange carrier typically does not screen for valid CIDs and will not block them, and the VoIP carriers are even less inclined to impose any limitations on a user.
Clearly the technology exists to create a spoofed Caller ID. However, the FCC does have an opinion on the blocking or spoofing of CID by telemarketers and addresses this issue very specifically at http://www.fcc.gov/cib/consumerfacts/callerid.html:
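The screening that the paragraph above says carriers typically do not perform can be done where a SIP trunk enters a carrier or enterprise network. The following is an added example, not code from the article: it parses a constructed SIP INVITE, takes the displayed number from the From header and the network-asserted number from P-Asserted-Identity (treated here as the SIP-side counterpart of the ANI, which is an assumption for this illustration), treats the Privacy header as a flag that withholds the number rather than deleting it, and rejects any call whose displayed number is not among the DIDs the trunk owner is allowed to present.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed INVITE. The From number is the bogus one quoted in the article and is
# not a number this trunk owns; the asserted identity is a made-up documentation value.
SAMPLE_INVITE = (
    "INVITE sip:+15195551000@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: \"Card Services\" <sip:+14070006938@192.0.2.10>;tag=1928\r\n"
    "To: <sip:+15195551000@example.net>\r\n"
    "P-Asserted-Identity: <sip:+12125550199@192.0.2.10>\r\n"
    "Privacy: id\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

NUMBER_RE = re.compile(r"sip:(\+?\d+)@")


@dataclass
class CallIdentity:
    displayed: Optional[str]   # what the called party would see (From header)
    asserted: Optional[str]    # what the network vouches for (P-Asserted-Identity)
    privacy: bool              # Privacy: id present -> withhold, but do not discard


def parse_invite(msg: str) -> CallIdentity:
    """Pull the two numbers and the privacy flag out of a SIP request."""
    headers = {}
    for line in msg.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    def number(header: str) -> Optional[str]:
        m = NUMBER_RE.search(headers.get(header, ""))
        return m.group(1) if m else None

    privacy_tokens = {t.strip() for t in headers.get("privacy", "").split(";")}
    return CallIdentity(number("from"), number("p-asserted-identity"),
                        "id" in privacy_tokens)


def screen_call(ident: CallIdentity, allowed_dids: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, CID to deliver). Privacy suppresses delivery only; the
    screening itself still uses the retained identity, as the article describes."""
    if ident.displayed is None:
        return ("reject: no caller number", None)
    if ident.displayed not in allowed_dids:
        return (f"reject: {ident.displayed} is not a DID assigned to this trunk", None)
    if ident.asserted and ident.asserted not in allowed_dids:
        return (f"reject: asserted identity {ident.asserted} not owned by trunk", None)
    return ("accept", None if ident.privacy else ident.displayed)
```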
"Federal Communications Commission (FCC) rules prohibit telemarketers from blocking Caller ID information and require them to pass accurate caller ID numbers. FCC rules specifically require that a telemarketer:
- transmit or display its telephone number, and, if possible, its name or the name and telephone number of the company for which it is selling products or services.
- display a telephone number that you can call during regular business hours to ask to no longer be called. This rule applies even to companies that already have an established business relationship with you.
For violations of these rules, the FCC can seek a monetary fine. If the violator is not an FCC licensee, the FCC must first issue a warning and the telemarketer may be fined only for violations committed after the warning."
From this, we can conclude that if the aforementioned calls are telemarketing calls, then they are in violation of the FCC rules.
Now for the seedier side of the deal. Those less scrupulous and less technical operators and individuals who want to spoof their CID can use a commercial third party provider. Here are four that you can readily find on the web: Spoofcard, Telespoof, Spooftel, and Itellas. All of these services, as well as Google, operate as call re-originators, meaning that the spoofing service provider places the actual call to the desired target number, and bridges the outbound call to the originator's line. During the process they substitute a fake CID that is delivered to the far end. The originator either dials an access number and inputs his desired destination and spoof ID, or initiates the process over a web interface where the service provider places calls to both the originating and terminating line and bridges them together.
Unfortunately, spoofing CID in this way is not illegal - as long as it is not done by a telemarketer. Congress has tried two or three times to introduce bills to outlaw all spoofing, but they have never been passed. Florida had passed a CallerID anti-spoofing act, but it was struck down in July of 2009 as being unconstitutional since it effectively regulated interstate commerce (read more here: http://www.prweb.com/releases/2009/07/prweb2681224.htm).
Spoofing does have its legitimate users, mostly law enforcement officers who want to disguise themselves during investigations or abused spouses who want to maintain privacy about their location.
So, what can you do about this situation when your home or business is being plagued by telephone solicitors who are spoofing their CID? Sadly, not an awful lot.
If you could identify a telemarketer who is spoofing their CID, you would have a clear violation of FCC rules, and possibly a violation of the National Do Not Call Registry. You could then file a complaint with the FCC or the DNC registry. However, it is unlikely that you will be able to clearly identify the bad guys here since anyone going to such lengths to disguise themselves is probably running a scam and is clearly not going to reveal their true identity during a conversation - if you can even converse with a human.
If the calls continue and can be classified as "harassing" then you could file a police complaint and involve the local telephone service provider in an attempt to identify the caller. You might consider using *57 to trace the call - but you will find that the results will be useless since this feature captures the inbound (spoofed) caller ID instead of the ANI, and will cost you between $1 and $5 per activation.
If the problem grows to larger proportions, the telco can enable a trap and trace feature on the line that will record all incoming and outgoing call information. This information will not be shared with you, but can be used by law enforcement. Unfortunately, many times the information gathered in this manner will indicate only a trunk group and not the actual calling party ID or the ANI, depending upon the level of sophistication of the LEC. Capturing the actual ANI requires an SS7 monitoring tool that not all LECs have available or will utilize for this type of complaint. If by chance the ANI can be captured, then it may turn up a third party spoofing provider (see the list above) or it may turn out to be a spoofed ANI. If the issue is significant enough, law enforcement can obtain a subpoena and compel a third-party spoofing provider to reveal the originating telephone number, but in the case of a spoofed ANI, identifying the bad guy gets a lot more complicated.
One other possibility is to utilize TrapCall, a service that unmasks blocked Caller IDs and, ironically, is owned by the same company that runs SpoofCard. TrapCall is primarily targeted at cell phones. In this scheme, an inbound call to a cell phone is forwarded to TrapCall, who unmasks the CID and then re-originates the call back to the called party, inserting the unmasked CID in place of a blocked ID. Since this service utilizes a standard 10-digit phone number and not an 800 number (see the TrapCall FAQs), it is most likely an IP-connected provider who is pulling the CID (or even the ANI) from the SIP signaling message. Privacy takes another hit from technology even though unmasking a blocked CID seems to violate another FCC rule http://epic.org/privacy/caller_id/fcc_final.html which says:
"No common carrier subscribing to or offering any service that delivers calling party number may override the privacy indicator associated with an interstate call. Carriers must arrange their CPN-based services in such a manner that when a caller requests privacy, a carrier may not reveal that caller's number or name, nor may the carrier use the number or name to allow the called party to contact the calling party. The terminating carrier must act in accordance with the privacy indicator unless the call is made to a called party that subscribes to an ANI or charge number based service and the call is paid for by the called party."
The hitch here is that this rule specifically prohibits "common carriers" from overriding the CID privacy indicator. Unfortunately the folks providing these services do not meet the strict definition of common carriers, so for the moment they can operate with impunity.
Bottom line - until the federal government enacts legislation to ban or regulate CID spoofing, and includes all providers, not just carriers, the problem will continue to exist and most likely grow more annoying.
Abilita Telecom Consultants
It’s late evening on a holiday weekend and the security monitoring system at your telecom provider has identified possible telecom fraud activity occurring at your site. This is no amateur operation: professional hackers are passing through your PBX voicemail system and routing international long distance calls on a large scale. In effect they are operating an outbound call centre at your company’s expense.
The above scenario actually happened to one of our clients! Thieves had broken into their PBX and Voice-Mail system and were placing calls as though they originated in the office. As their telecommunications advisor, I was notified immediately by the telecom provider and we were able to take action to shut the intruders out.
Yes, this can happen to you and it could be costly, but here are some things you can do to protect your business from this type of fraud:
1. Know The Exposure
When hackers break into your phone system you are responsible for the bills resulting from the fraud. Someone is going to pay for those calls and it won’t be the telephone company. Understand where you are most vulnerable:
· Phone System
Intruders seek out passwords, authorization numbers and access codes by hacking into your system, snooping around offices, calling businesses and even rummaging through dumpsters. Compromised numbers are sold or traded in the phone fraud underworld with businesses like yours paying for the calls.
· Voice Mail
If your system provides dial-out or dial-through capability you are exposed to fraudulent calls. By transferring out of a system, intruders can place long distance calls. They will also look for default codes on mailboxes so they can change the codes and control the boxes.
· Call Forwarding Scam
You are requested by someone outside your company to dial a two-digit code preceded or followed by the * or # key (such as *72), and then an 800 number. When you dial the number you are not connected to anyone. What has happened is you have actually programmed your phone to forward your calls to a long distance operator. The con artist then calls your number, which is forwarded to the long distance operator, calls anywhere they wish and the bill goes back to you.
· Remote Access Port
The remote access port is used for administration and support of your PBX. An intruder will often start by trying manufacturers' default passwords and, if unsuccessful, use computer-generated passwords until they find one that works.
· Direct Inward System Access (DISA)
A DISA permits convenient access to a PBX from a phone outside the business via an 800 number or other special access number. This feature allows your traveling staff to make long distance calls through the PBX and have the call charged to the company. The DISA gives criminals the same opportunity, as well as the chance to set up a call-sell operation at your company’s expense.
2. Protect Yourself
Telecom fraud continues to increase and the cost of doing nothing is going up. Here are some things you should be doing to protect yourself:
· Change the security feature settings and passwords on your phone system from the default settings
· Change passwords on a regular basis and protect these passwords and access codes from unauthorized use
· Don’t publish the remote access phone numbers that connect callers to your voice mail system
· Program your system to terminate access after the third invalid attempt
· Remove mailboxes that are no longer in use
· Immediately deactivate the access codes and voice mail passwords of departing employees
· Monitor your monthly phone bills
· Perform regular audits of your telephone environment including privileges and restrictions
· Physical security – restrict access to equipment
· Establish policies and procedures to reduce your risk
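The kind of after-hours monitoring that caught the intrusion in the opening story, written out as an added example (it is neither the provider's monitoring system nor code from this article): it scans constructed call detail records for international calls placed outside business hours through the voicemail/DISA dial-through port and raises an alert once enough of them fall inside a short window. The CDR field layout, the port name and the office hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed CDR lines: timestamp, originating port or extension, dialed digits, seconds.
# "VM-OUT" is assumed to be the voicemail/DISA dial-through port; 2012-05-19 is a Saturday.
SAMPLE_CDRS = """\
2012-05-19 22:41:07,VM-OUT,011252612345678,612
2012-05-19 22:43:19,VM-OUT,011252612345901,540
2012-05-19 22:44:50,VM-OUT,011232212345678,598
2012-05-19 22:46:02,VM-OUT,011232212340001,610
2012-05-19 22:47:30,VM-OUT,011232212340002,603
2012-05-19 22:48:11,EXT-214,015195551212,45
2012-05-20 09:12:00,EXT-118,011441632960123,300
"""

BUSINESS_HOURS = (8, 18)       # local office hours (assumption)
WATCHED_PORTS = {"VM-OUT"}     # ports that should never originate toll calls overnight
THRESHOLD = 3                  # suspicious calls from one port ...
WINDOW = timedelta(minutes=15)  # ... within this span trigger an alert


def is_international(digits: str) -> bool:
    """North American dialing: the 011 prefix marks an international call."""
    return digits.startswith("011")


def after_hours(ts: datetime) -> bool:
    """Weekends, or any weekday time outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def parse_cdrs(text: str) -> Iterator[Tuple[datetime, str, str, int]]:
    for line in text.splitlines():
        ts, port, digits, secs = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), port, digits, int(secs)


def detect_fraud(text: str) -> List[Dict]:
    """Alert when THRESHOLD suspicious calls from one watched port fall within WINDOW."""
    suspicious = defaultdict(list)
    for ts, port, digits, secs in parse_cdrs(text):
        if port in WATCHED_PORTS and is_international(digits) and after_hours(ts):
            suspicious[port].append((ts, digits, secs))
    alerts = []
    for port, calls in suspicious.items():
        calls.sort()
        for i in range(len(calls) - THRESHOLD + 1):
            first = calls[i][0]
            if calls[i + THRESHOLD - 1][0] - first <= WINDOW:
                in_window = [c for c in calls if first <= c[0] <= first + WINDOW]
                alerts.append({"port": port, "first": first, "calls": len(in_window),
                               "minutes": sum(c[2] for c in in_window) // 60})
                break   # one alert per port is enough to page someone
    return alerts
```

In practice the alert would go to whoever can shut the dial-through port down, since the story above shows the cost is measured in minutes of international traffic, not in days.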
3. Take Action
If you become a victim of telecom fraud:
· Shut your system down immediately
· Call your equipment supplier
· Advise your staff of the situation
· Call the police and report the incident
The telephone remains the lifeline of most small business operations today. Arming yourself with knowledge and implementing best practices is your best protection against intrusion to your business.
Doug Meades is Managing Consultant at Abilita Telecom Consultants.
Doug can be reached at (519) 432-1556 or firstname.lastname@example.org.
Abilita is a full service telecom consulting firm helping clients across North America achieve greater cost efficiencies and improved performance for all of their telecommunications needs - voice, data and wireless.