PBX toll fraud is not a new issue. However, with the advent of IP-PBXs, which are connected to Local Area Networks (LANs) and have access to the public Internet through the company’s router, hackers now have a new way to enter the PBX and cause damage. This is a complex issue and at Xorcom we take it very seriously.

In order to maximize protection there needs to be a collaborative effort between:

  • the PBX supplier and the reseller
  • the phone service provider and the end-user network engineer

This article is intended to prepare Xorcom Resellers to deal with toll fraud issues – before and after they occur. Below are some frequently asked questions about PBX toll fraud and the relevant Xorcom responses.

1) If the phone company expects full payment for calls not made by their customer, what arguments, if any, can the Xorcom Reseller provide the end user so the phone company can give their customer some relief on the bill?

Xorcom Response: As the phone company is the “service provider” for their clients, they should have safeguards in their Central Office so that, if they see an unusual increase in “minutes of use” (MOU) for a customer, they shut down the phone lines, or at least inform the client!

Unusually high phone traffic should be treated by phone companies just as credit card fraud is treated by credit card companies. If a credit card begins to register unusual charges, the credit card company shuts it down and forces the client to call. The same rules should apply to long distance charges. Customers should be allowed to set a maximum MOU amount per day for their phone service. If the specified MOU amount is exceeded, or there are many more international calls than normal for the client, then the phone lines should get shut down automatically.

PBX toll fraud is not a new problem, and doing nothing in the network to protect customers from it is a lack of responsibility on the part of the service provider.

2) Should I be advising my clients to have insurance, if it exists, to protect them against PBX toll fraud and hacking?

Xorcom Response: We’re not sure an insurance policy exists to protect against toll fraud. However, the mere fact that the Sony PlayStation network got hacked not once but twice shows how sophisticated hackers are getting. Think about that – Sony gets hacked and over a million customers have supplied their credit cards through Sony PlayStations to get their games and Netflix movies, and the Sony engineers could not keep it from happening a second time? We believe Sony employs some pretty smart network engineers, but even they could not prevent hacking. So the answer is yes – if such insurance exists, recommend buying it.

3) What is Xorcom’s position on PBX toll fraud and/or hacking, with regard to taking responsibility?

Xorcom Response: We do our absolute best to prevent hacking by including software to detect bad logins, and we highly recommend the use of strong passwords, etc. But Xorcom, like any PBX manufacturer, is not in charge of the client’s network or Internet services and cannot be responsible for damages incurred. We will provide our best efforts in technical support to help prevent fraudulent intrusion into the PBX.

4) What advice would Xorcom give the Reseller on how to respond, if the customer asks the Reseller to pay the bill?

Xorcom Response: We would give the same response we suggest our resellers give their customers (see question #3). If you happen to be the person in charge of managing the customer’s router and firewall and providing Internet services, then see our suggestions in question #1, in order to prevent this kind of request from ever arising.

5) What proof can the Reseller offer the end-user, to demonstrate that Xorcom and the Reseller did everything reasonably expected to protect against hacking?

Xorcom Response: We are aware of security threats and post them to our blogs (see http://blog.xorcom.com/?p=381 for example), and inform our Resellers about this and how to take action to prevent hacking. We also added our own script files to enhance passwords, but hackers keep getting more sophisticated with password discovery software to break these codes.

Xorcom USA is now developing software for the Complete PBX that measures minutes of use, since it seems that service providers don’t want to do it. The customer will be able to set a maximum number of minutes of use per day, and if the limit is exceeded the software shuts down all trunks. We hope to have this done sometime during Q3/2011.
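The daily minutes-of-use cap described in questions #1 and #5, as an added example that is not Xorcom or Complete PBX code: it tallies per-trunk daily minutes and international-call counts from constructed Asterisk-style CDR rows and reports the trunks a PBX would disable. The CSV field layout, the trunk name, the 011 international-prefix rule and the thresholds are assumptions for this illustration.

```python
"""Daily minutes-of-use (MOU) cap over Asterisk-style CDR records (added example)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDRs: a normal business day, then an after-hours burst of
# long international calls on the same trunk, then a quiet next morning.
SAMPLE_CDR = """start,src,dst,trunk,billsec
2011-05-10 09:02:11,201,5551234567,PSTN1,120
2011-05-10 10:15:40,202,5559876543,PSTN1,300
2011-05-10 23:10:05,201,011252123456,PSTN1,1800
2011-05-10 23:41:37,201,011252123457,PSTN1,2400
2011-05-10 23:59:02,201,011252123458,PSTN1,2100
2011-05-11 08:30:00,203,5551112222,PSTN1,60
"""

def is_international(dst: str) -> bool:
    # Assumption: North American dialing, where the 011 prefix marks an international call.
    return dst.startswith("011")

def daily_usage(cdr_text: str) -> dict:
    """Return {(day, trunk): {"minutes": float, "intl_calls": int}} from CSV CDR text."""
    usage = defaultdict(lambda: {"minutes": 0.0, "intl_calls": 0})
    for row in csv.DictReader(StringIO(cdr_text)):
        day = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S").date().isoformat()
        key = (day, row["trunk"])
        usage[key]["minutes"] += int(row["billsec"]) / 60  # billsec is answered seconds
        if is_international(row["dst"]):
            usage[key]["intl_calls"] += 1
    return dict(usage)

def trunks_to_disable(cdr_text: str, max_minutes_per_day: float, max_intl_calls_per_day: int):
    """(day, trunk, minutes, intl_calls) for every day a customer-set cap was exceeded."""
    flagged = []
    for (day, trunk), u in sorted(daily_usage(cdr_text).items()):
        if u["minutes"] > max_minutes_per_day or u["intl_calls"] > max_intl_calls_per_day:
            flagged.append((day, trunk, round(u["minutes"], 1), u["intl_calls"]))
    return flagged

if __name__ == "__main__":
    # Customer-set caps (assumed): 60 minutes per day, at most 2 international calls per day.
    for day, trunk, minutes, intl in trunks_to_disable(SAMPLE_CDR, 60, 2):
        print(f"{day} {trunk}: {minutes} min, {intl} international calls -> disable trunk")
```

In a real deployment the flagged trunk would be disabled in the PBX and the customer notified, exactly the action the service provider is expected to take in question #1.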

Additional Notes

Installing a phone system on your local area network normally involves upgrading elements of the network so that it can properly support new features such as voicemail-to-email, fax-to-email, proper control and registration of IP phones (which can be local or remote), and a Web-based operator panel.

Most large companies have already invested in high-end firewall appliances and routers with VoIP security capabilities, and they rarely get hacked (even with all that protection some still get hacked, but they plug the holes fairly quickly).

It is typically the small business owner who is the victim of toll fraud. Often a new IP PBX is installed, but the customer fails to invest in a proper firewall or router, mostly due to cost, and does not harden the network to minimize hacking. These are the customers who most need to be advised about the dangers of skipping these important steps.

For more on configuring your own VoIP system, please see the Xorcom Configurator.