Focus on: How to combat toll fraud

Telemarketing, Nov 1995 by Aginsky, Alon

Another kind of voice mail hacking involves changing the greeting in an "orphan" mail box to a simple greeting, which may consist of 10 seconds of silence followed by, "Yes, operator, I will accept the charges." The hacker can then dial "0" from any pay phone, tell the long-distance operator he or she would like to call London, and charge the call to a "third party" which is "the hacker's" company at 555-4444 extension 777. When the operator calls that number and asks to be transferred to extension 777, his/her 10-second inquiry ("This is the long-distance operator. Mr. Joe Brown is calling London, will you accept the charges?") will be accepted by the well-timed, prerecorded fraudulent greeting.

Q: What can be done to combat fraud?

A: The following are some basic steps you might want to consider adopting in the fight against toll fraud:

Education: First, get yourself and your immediate staff acquainted with toll fraud. Periodically remind all employees who have been issued authorization codes (DISA, voice mail, etc.) of the importance of keeping these codes secret and the need to change them frequently. Also, warn all employees about "shoulder surfers" and advise them not to write their codes in public or yell them out in a crowded area. Second, familiarize yourself with the many features of your PBX, voice mail and/or ACD. Shut down all of those not in use or not in service, and change your PBX passwords as frequently as possible.

Ports: Install a "dial back" modem on your maintenance port, and always have your service provider call you before accessing your PBX.

Block: Block access to destinations where your company does not do business. If circumstances do not permit this, at least block calls to some or all of the 10 most popular fraud destinations (i.e., 800 area codes, Pakistan, Egypt, India, the former Soviet Union, El Salvador, China, Colombia, Mexico and Ghana).

Voice Mail: Make sure your voice mail system is a "closed loop" and cannot be manipulated to get an outgoing dial tone. Check your valid mailbox list and delete any box that is no longer in service. Disconnect callers after three unsuccessful attempts at dialing their mailbox code. Instruct employees to change their voice mail passwords and delete "old" messages.

Codes: Choose random, lengthy passwords (10 digits or more) and change them frequently to make it harder for hackers to discover them. Keep these codes in a safe place and never write them on the wall next to the PBX.

DISA: Consider disconnecting DISA. If this feature is necessary, ensure that only those employees who have a real need for international calls will be allowed to use it.

Fee calls: Block all 900, 570 and other types of "toll" calls.

Call Accounting System: If you have a PC-based call accounting system, frequently run exception reports such as after-hours/weekend activity, long-duration/high-cost calls, short-duration incoming calls and "800" number usage to track "800" to "900" numbers. In addition, invest in a real-time toll-fraud detection system that will "learn" your company's calling pattern and alert you by pager/printer and audible alarm when a suspicious call occurs.
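
The exception reports described above can be sketched as a short script over call detail records. This is an added example, not part of the original article; the record layout, the sample calls and every threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample call detail records (CDRs); the column layout is an
# assumption, real call accounting exports differ by vendor.
SAMPLE_CDR = """start,direction,extension,number,seconds,cost
1995-11-06 10:15:00,out,214,12125550100,340,1.10
1995-11-06 23:40:00,out,777,442055501234,5400,96.00
1995-11-11 14:05:00,out,301,19005550123,600,29.50
1995-11-07 09:02:00,in,777,,4,0.00
1995-11-07 09:03:00,in,777,,6,0.00
1995-11-07 11:30:00,in,214,,180,0.00
"""

# Assumed thresholds; tune them to the site's normal calling pattern.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday
LONG_CALL_SECONDS = 3600
HIGH_COST = 25.00
SHORT_INBOUND_SECONDS = 10


def exceptions_for(row):
    """Return the exception categories one CDR row falls into."""
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    seconds, cost = int(row["seconds"]), float(row["cost"])
    flags = []
    if row["direction"] == "out":
        if start.weekday() >= 5:              # Saturday or Sunday
            flags.append("weekend")
        elif start.hour not in BUSINESS_HOURS:
            flags.append("after-hours")
        if seconds >= LONG_CALL_SECONDS:
            flags.append("long-duration")
        if cost >= HIGH_COST:
            flags.append("high-cost")
    elif seconds <= SHORT_INBOUND_SECONDS:    # very short incoming call
        flags.append("short-incoming")
    return flags


def exception_report(cdr_text):
    """Map each exception category to the CDR rows that triggered it."""
    report = {}
    for row in csv.DictReader(io.StringIO(cdr_text)):
        for flag in exceptions_for(row):
            report.setdefault(flag, []).append(row)
    return report
```

Calling exception_report(SAMPLE_CDR) returns a dictionary keyed by category; on the constructed sample, the 90-minute late-night call from extension 777 appears under three categories at once.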


Content provided in partnership with ProQuest