Tuesday, November 15, 2011

Term Tuesdays - PBX Dial-Through

Today's fraud term is PBX Dial-Through.
Dial-through fraud relies on a feature that exists on every PBX. This feature allows employees to call into the switchboard or their voicemail and, after entering a password or PIN, make outgoing calls on the company's lines. This is a very convenient feature, and the reasons that it exists are legitimate:
  1. Enable traveling or out of office employees to make work related calls without having to pay for the calls themselves.
  2. Enable people to return calls without having to write down or remember the number left in the message.
Although this feature may be turned off upon installation, hackers will try to break in and create their own mailbox, which will allow them to dial in and then make any calls they wish, billed to you. (Next week we will discuss how they get into the system to do this.)

To protect your company, you need to ask these questions:
  • Do we need this at all?
  • If so, does everyone (and every mailbox) need it? Can you think of a reason why the server room, break room, conference rooms, or lobby need a mailbox, let alone one with this feature?
  • For those who need it, can calling cards or dial back be used instead?
If the answer is that you do need it, then limit it to:
  • Selected people, and make sure that they use strong passwords (no 1111, 1234, or their extension).
  • Specific times of day - do they need to make work calls on weekend nights?
  • Specific call types - do they need to make local calls, long distance calls, international calls, calls to Cuba?
Use a proactive monitoring tool like Humbug to monitor and prevent abuse.
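The checklist above boils down to a few rules that can be checked mechanically: which mailboxes have the out-dial feature, whether their PINs are trivial, and whether the calls actually made through them fit the allowed hours and call types. The following script is an added illustration of those checks, not code from this blog or from Humbug. The mailbox fields, the comma-separated call-record format, the North American prefix rules used to classify destinations, and all sample data are assumptions constructed for the example; it also flags a call record from an extension that is not in the mailbox inventory, which is what a rogue mailbox created by an intruder would look like.

```python
"""Dial-through policy audit and call monitoring (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import datetime

# PINs an attacker guesses first (assumed list; extend to taste).
WEAK_PINS = {"0000", "1111", "1234", "4321", "0123", "2580"}


@dataclass(frozen=True)
class Mailbox:
    extension: str
    owner: str                 # "person" or a location name such as "lobby"
    dial_through: bool         # out-dial feature enabled on this mailbox
    pin: str                   # digits only (assumption)
    allowed_hours: tuple = (7, 20)            # out-dial permitted 07:00-19:59 local
    allowed_classes: frozenset = frozenset({"local", "long_distance"})


def is_weak_pin(mbx: Mailbox) -> bool:
    """Trivial PIN: on the guess list, equal to the extension, repeated, sequential or short."""
    p = mbx.pin
    ascending = all(int(b) - int(a) == 1 for a, b in zip(p, p[1:]))
    descending = all(int(a) - int(b) == 1 for a, b in zip(p, p[1:]))
    return (p in WEAK_PINS or p == mbx.extension or len(set(p)) == 1
            or ascending or descending or len(p) < 4)


def audit_mailbox(mbx: Mailbox) -> list:
    """Configuration findings for one mailbox, following the checklist in the post."""
    findings = []
    if not mbx.dial_through:
        return findings                       # nothing to abuse
    if mbx.owner != "person":
        findings.append(f"{mbx.extension}: dial-through enabled on '{mbx.owner}' mailbox")
    if is_weak_pin(mbx):
        findings.append(f"{mbx.extension}: weak PIN")
    if mbx.allowed_classes & {"international", "premium"}:
        findings.append(f"{mbx.extension}: international/premium out-dial allowed")
    return findings


def classify_destination(number: str) -> str:
    """Coarse call class using North American dialing conventions (assumption)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("011"):
        return "international"
    if digits.startswith("1900"):             # premium-rate; prefix list is an assumption
        return "premium"
    if len(digits) == 11 and digits.startswith("1"):
        return "long_distance"
    return "local"


def check_call(mbx: Mailbox, when: datetime, dialed: str) -> list:
    """Alerts for one out-dial call made through a mailbox: call type and time of day."""
    findings = []
    cls = classify_destination(dialed)
    if cls not in mbx.allowed_classes:
        findings.append(f"{mbx.extension}: {cls} call to {dialed} not permitted")
    start, end = mbx.allowed_hours
    if not (start <= when.hour < end) or when.weekday() >= 5:   # 5,6 = Sat, Sun
        findings.append(f"{mbx.extension}: out-dial at {when:%a %H:%M} outside allowed hours")
    return findings


def monitor(mailboxes: dict, cdr_lines: list) -> list:
    """Run check_call over 'timestamp,extension,dialed' call records (constructed format)."""
    alerts = []
    for line in cdr_lines:
        ts, ext, dialed = line.split(",")
        mbx = mailboxes.get(ext)
        if mbx is None or not mbx.dial_through:
            # Out-dial from a mailbox that should not have the feature: possible rogue mailbox.
            alerts.append(f"{ext}: out-dial from mailbox without the feature")
            continue
        alerts.extend(check_call(mbx, datetime.fromisoformat(ts), dialed))
    return alerts


# Constructed sample inventory and call records.
MAILBOXES = {
    "2201": Mailbox("2201", "person", True, "2201"),    # PIN equals extension
    "2202": Mailbox("2202", "person", True, "8391"),
    "2300": Mailbox("2300", "lobby", True, "1234"),     # lobby mailbox with out-dial
    "2400": Mailbox("2400", "person", False, "1111"),   # feature off: not a concern here
}

CDR_LINES = [
    "2011-11-14T10:15:00,2202,15551234567",      # Monday, long distance: allowed
    "2011-11-12T23:41:05,2202,011441234567890",  # Saturday night, international
    "2011-11-14T13:05:00,2201,19005551234",      # premium-rate destination
    "2011-11-13T02:10:00,2999,011539876543",     # extension not in inventory
]

if __name__ == "__main__":
    for mbx in MAILBOXES.values():
        for f in audit_mailbox(mbx):
            print("CONFIG:", f)
    for a in monitor(MAILBOXES, CDR_LINES):
        print("ALERT: ", a)
```

The configuration audit is something to run once and after every change to the switch; the call monitor is the part that needs to run continuously, since an intruder who has already created a mailbox shows up only in the call records.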

Also, make sure that people are aware that the "return the call" feature on their cellular phone can be set up to call premium numbers that can cost more than $2 per minute.

In the end it is your PBX, and the phone company will expect you to pay for the calls, so protect yourself.