Toll Fraud – Customer Obligations Explained

For users of Frontier Networks Legacy PRI or SIP Trunking Services: we need you to understand the risks and obligations that you, the CUSTOMER, face regarding Toll Fraud.

What is Toll Fraud or PBX (Phone System) Fraud

Hackers can access your phone service and make long distance, even international, calls on your phone without your knowledge. If this happens, all calls made will be billed to you and you will be expected to pay for them.

This is not fair and it is avoidable, but it is far outside of Frontier Networks' control.

The company that sold you your phone system (known as an interconnect) needs to ensure that your setup and configuration are done in such a way that traditional 'loopholes' or 'vulnerabilities' are addressed.

IF YOU DON’T WANT THIS RISK THEN CONSIDER THE PURCHASE OF A HOSTED VOICE OR VOIP PHONE. THIS WILL ELIMINATE YOUR ON-SITE PHONE SYSTEM.

Toll Fraud Explained

Toll Fraud is the most prevalent type of fraud and the most significant threat to businesses that use a standard or IP PBX (Private Branch Exchange) phone system or voice mail. Hackers can gain access to your phone system and place long distance, operator and/or 10XXX calls directly from your lines.

Access to your system is most commonly gained through voice mail menus protected with only simple passwords (1111, 2222, 1234, etc.) or unchanged factory default passwords. On IP PBXs, access is gained through open ports (most commonly port 5060). Once inside your system, hackers use the system commands to gain dial tone and place calls that appear no different to your service or equipment provider than any other call originating from your business. In some cases these calls can bypass your call logging, making them invisible to you. Having a good password management and IP security policy and practice is a strong start towards protection.

Subscription Fraud

Criminals can open a phone service account using your personal information: name, address, etc. They use this account to run up long distance charges and you receive the bill. It is imperative to safeguard your personal information. Service providers must also put forward their best effort to verify the information that is collected for new subscribers.

If you think you are a victim of long distance fraud you should:

  • Immediately change your PBX and voice mail system passwords. Close all outside access to your IP Router until the method of access is confirmed.
  • Contact your equipment provider (Interconnect) to have them perform a system audit as soon as possible.
  • Request to have your long distance or international calling capabilities suspended if possible as a stop gap measure until the audit is complete.

Remember that you are responsible for paying for all calls originating from, and charged calls accepted at your telephone, regardless of who made or accepted them.

Industry best practices for protecting your phone systems

Below is a list of steps that you and/or your equipment provider should be taking to protect against toll fraud. Please note that Allstream cannot anticipate all possible fraud scenarios and taking these steps may not guarantee your phone systems against a fraud attack.

Learn about your telecommunications system:

  • Talk to your equipment provider about toll fraud and how they can help you to protect your system;
  • Know the safeguards, the inherent defenses and security features;
  • Determine the vulnerabilities;
  • Ensure your employees are educated on how to utilize the safeguards and avoid unintentionally disabling the system’s security features.

Know the access paths that could open doors to fraud:

  • IP routers
  • Voice-mail system
  • Direct Inward System Access (DISA)
  • Remote system administration (Maintenance Ports)
  • Direct Inward Dialing
  • Tie Trunks and Tandem Network Services

Monitor and analyze your systems information:

  • Study call detail records and review billing records (exception reports may provide a warning sign)
  • Know your employees’ calling patterns and analyze them
  • Review voice-mail reports
  • Monitor valid and invalid calling attempts whenever possible

Know the signs of a security breach:

  • Complaints that the system is always busy
  • Sudden changes in normal calling patterns such as increases in wrong number calls or silent hang-ups, night, weekend and holiday traffic, 800 and WATS calls, international, operator or 10XXX calling, and odd calls (e.g. crank/obscene calls)
  • Toll calls originating in voice-mail
  • Long holding times
  • Unexplained 900 (Chat Line) calls
  • High tolls for any unauthorized trunk extension
  • Hearing foreign voices when you pick up a line

Secure your telephony system(s):

System configuration:

  • Restrict access to specific times (business hours) & limit calling ranges
  • Block all toll calls at night, on weekends and on holidays
  • Eliminate call forwarding
  • Block all operator (0+) and 10XXXX calling from your PBX if this service is not necessary
  • Block, limit access or require attendant assistance to overseas calls
  • Establish policies on accepting collect calls and providing access to outside lines
  • Educate switchboard operators and employees about criminals who try to obtain calling access or transfers through a PBX
  • Secure equipment rooms (lock up all telephone system equipment and wiring frames)

Private Branch Exchange (PBX) and Direct Inward System Access (DISA):

  • Change default codes after installation of new equipment
  • Never publish DISA telephone numbers
  • Change your DISA access telephone number periodically
  • Issue a different DISA authorization code for all users and ensure DISA users do not write them down
  • Do not use sequential access numbers (1111, 2222, 1234, etc.)
  • Use longer DISA codes (minimum 7-9 digits) and change the codes regularly
  • Disconnect telephone extensions that are not in use
  • Restrict DISA access at night, weekends and on holidays (prime time for fraud)
  • Block or restrict overseas access
  • Program your system to answer with silence after five or six rings (hackers look for systems that answer with a steady tone)
  • Identify invalid access attempts to your DISA and route them to an operator
  • Implement DISA ports that drop the line when an invalid code is entered
  • Program your PBX to generate an alarm when an unusual number of invalid attempts are made, and to disable the port after a set number of invalid attempts

IP Routers:

  • Limit outside access to your router by blocking all unneeded ports (including port 5060)
  • Do not allow access to your router from outside your VPN
  • Ensure router passwords are changed from factory default and are made as complicated as possible
  • Ensure you know all security features of your router and maximize their use
  • Know that call logging features are often bypassed with an IP router hack. Station level (desktop phone set) recording will NOT capture calls that are placed from within the router itself

Voice-Mail Systems:

  • Establish controlled procedures to set and reset passwords
  • Change passwords regularly, at least once per month
  • Use maximum length passwords for system manager box & maintenance ports
  • Prohibit the use of simple passwords (e.g. 222, 123, your last name, etc.)
  • Limit the number of consecutive log-in attempts to five or fewer
  • Change all factory default passwords immediately upon being assigned a voicemail box
  • Block access to long distance trunking facilities, and collect call options on the auto attendant
  • Block or preferably delete all inactive mailboxes
  • Limit your out-calling
  • In systems that allow callers to transfer to other extensions, block any digits that hackers could use to get outside lines, especially trunk access codes
  • Conduct routine reviews of the status of your system and system usage

Remote Access Ports

  • Block access to remote maintenance ports and system administration ports
  • Use maximum length access codes and change them regularly

These recommendations do not contemplate every possible scenario but give you an overview of ways to secure your systems against commonly known types of toll fraud.

What does Frontier do to prevent Toll Fraud?

From our perspective, toll fraud is very difficult to detect because the traffic appears to originate authentically from the company’s users, with the source IP, user account, user ID, and password all matching the company’s records.

For customers using Frontier Networks Provided SIP Channels

On a best effort basis we create internal alerts when a Frontier-provided SIP channel exceeds your ‘typical’ usage patterns for 011 International calling or when multiple concurrent or sequential calls to high cost 011 markets are detected.

For customers using Frontier Networks Provided third party Analogue lines and digital Voice Channels (PRI, Megalink etc).

These products and related networks are third party and are outside of Frontier’s ability to monitor. It is imperative that the CUSTOMER takes the precautions noted above to prevent Toll Fraud.

With our service, if you call El Salvador your first call will pass. By the third you will see action. Remember, when a system is compromised this happens quickly; we and you need to react at the same speed.

IT IS IMPORTANT TO NOTE THAT WHILE WE LOOK CLOSELY AT INTERNATIONAL CALLING, THERE ARE HIGH COST TOLL MARKETS IN CANADA AND THE UNITED STATES THAT ARE DIFFICULT TO DETECT SINCE THEY ARE PART OF THE NORTH AMERICA NUMBERING SYSTEM.

EXAMPLES ARE:

NPA  NXX  Rate*     Country  State / Province
907  309  $3.33648  USA      AK
843  929  $0.34169  USA      SC
867  875  $0.24315  CAN      NT
867  370  $0.24284  CAN      NT
867  927  $0.24257  CAN      NU
867  876  $0.24184  CAN      NT
907  485  $0.21728  USA      AK
867  390  $0.21216  CAN      YT
867  767  $0.21216  CAN      NT
270  560  $0.16677  USA      KY
907  652  $0.14989  USA      AK

* Billed in each respective country's currency
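
The call detail record review recommended above, together with the high-cost NPA-NXX list, can be automated on the customer side. The following is an added example, not Frontier's detection logic or any vendor's code: it assumes outbound CDRs exported as (start time, extension, dialed digits), and the business hours, burst threshold and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NPA-NXX pairs copied from the page's table of high-cost North American markets.
HIGH_COST_NANP = {"907309", "843929", "867875", "867370", "867927", "867876",
                  "907485", "867390", "867767", "270560", "907652"}
BUSINESS_HOURS = range(8, 18)          # assumption: 08:00-17:59, Monday-Friday
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=10)   # assumption, tune to site

def classify(dialed):
    """Label outbound dialed digits with a toll category from the page, else None."""
    if dialed.startswith("011"):
        return "international"
    if dialed.startswith("10") and len(dialed) > 5:
        return "dial-around"           # 10XXX carrier access code
    if dialed.startswith("0"):
        return "operator"              # 0+ operator-assisted
    nanp = dialed[1:] if len(dialed) == 11 and dialed[0] == "1" else dialed
    if len(nanp) == 10 and nanp.startswith("900"):
        return "900"
    if len(nanp) == 10 and nanp[:6] in HIGH_COST_NANP:
        return "high-cost-nanp"
    return None

def off_hours(ts):                     # weekend, or outside assumed business hours
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def review(cdrs):
    """Return (risky calls, extensions with BURST_COUNT risky calls in BURST_WINDOW)."""
    risky, recent, bursts = [], defaultdict(list), set()
    for start, ext, dialed in sorted(cdrs):
        category = classify(dialed)
        if category is None:
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        risky.append((start, ext, category, off_hours(ts)))
        recent[ext] = [t for t in recent[ext] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[ext]) >= BURST_COUNT:
            bursts.add(ext)
    return risky, sorted(bursts)

# Constructed sample CDRs: (start time, source extension or port, dialed digits).
SAMPLE_CDRS = [
    ("2024-03-02 02:14:05", "vm-port-4", "01150355500001"),
    ("2024-03-02 02:15:40", "vm-port-4", "01150355500002"),
    ("2024-03-02 02:17:10", "vm-port-4", "01150355500003"),
    ("2024-03-04 10:30:00", "201", "14165550100"),
    ("2024-03-04 11:05:00", "305", "19073095550"),
    ("2024-03-04 23:50:00", "305", "04165550100"),
]
```

Calling `review(SAMPLE_CDRS)` returns the risky calls with an off-hours flag and the extensions that placed a burst; the 907-309 call is flagged even though it looks like an ordinary domestic number.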