Combating Long Distance Theft - Your Defence Arsenal
Learn your system
- Know its safeguards and security features.
- Find out from your supplier if it has inherent defences.
- Determine its key vulnerabilities.
- Ensure staff are trained in safeguards and security procedures.
Know the access paths that can open doors to fraud
- Direct Inward System Access (DISA)
- Voice-mail System
- Remote System Administration (maintenance ports)
- Direct Inward Dialing
- Tie Trunks and other Tandem Network Services
Monitor and analyze your system's information
- Study call detail records - exception reports can provide early warning signs.
- Review your billing records.
- Familiarize yourself with calling patterns, and review them regularly.
- Review voice-mail reports and their analysis.
- Monitor valid and invalid calling attempts as often as possible.
Know the signs of a security breach
- Sudden change in normal calling patterns.
- All trunks busy, in or out - i.e. complaints that customers cannot call in because the system is always busy.
- Increase in wrong-number calls or silent hang-ups.
- Increase in night, weekend and holiday traffic.
- Increase in toll-free (1-800 & 1-888) and WATS calls.
- Increase in international calling.
- Increase in odd calls, i.e. crank and obscene calls.
- Toll calls originating in voice-mail.
- Long holding times.
- Unexplained 900 calls.
- High toll charges for any unauthorized trunk/extension.
Secure your system
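As an added illustration of the monitoring and warning-sign lists above (not code from the original page), this script tags constructed call detail records with the signs they match; the CDR field layout, the "VM" naming of voice-mail ports and the thresholds are assumptions.

```python
"""Exception report over call detail records (CDRs).

Assumptions, not from the page: each CDR is a CSV line of
timestamp,extension,dialed_number,duration_seconds; extensions named
"VM.." are voice-mail ports; the thresholds are illustrative.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample CDRs, not real traffic (2023-06-10 is a Saturday).
SAMPLE_CDRS = """\
2023-06-10 02:14:05,VM01,01144207946000,1840
2023-06-12 10:03:11,2210,5551234567,95
2023-06-12 23:41:30,2215,19005550199,600
2023-06-13 11:00:00,2210,5559876543,4100
"""

LONG_HOLD_SECONDS = 3600        # "long holding times"
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday

def is_toll(number: str) -> bool:
    """Treat international (011 prefix) and 1+ long distance as toll calls."""
    return number.startswith("011") or number.startswith("1")

def flag_call(ts: datetime, ext: str, number: str, duration: int) -> list:
    """Return the warning signs from the checklist that this record matches."""
    signs = []
    if number.startswith("011"):
        signs.append("international")
    if number.startswith("1900"):
        signs.append("900-number")
    if ext.startswith("VM") and is_toll(number):
        signs.append("toll call from voice-mail")
    after_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
    if after_hours and is_toll(number):
        signs.append("after-hours toll")
    if duration >= LONG_HOLD_SECONDS:
        signs.append("long hold")
    return signs

def exception_report(cdr_text: str) -> dict:
    """Map each flagged record ('ext->number') to its warning signs."""
    report = {}
    for ts, ext, number, duration in csv.reader(StringIO(cdr_text)):
        signs = flag_call(datetime.fromisoformat(ts), ext, number, int(duration))
        if signs:
            report[f"{ext}->{number}"] = signs
    return report
```

The per-call tags feed the trend signs on the list (more night traffic, more international calls) once counted per day or per extension and compared against the baseline pattern.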
PBX and DISA numbers
- Configure all systems to restrict access to specific times and to limit calling ranges.
- Restrict access to business hours only.
- Block all toll calls at night, on weekends and holidays.
- Block or limit dial access to overseas calls.
- Require attendant assistance for overseas calls.
- Never publish your DISA telephone number.
- Change your DISA access telephone number periodically.
- Issue a different DISA authorization code to each user - do not implement one code for all users.
- Warn DISA users not to write down their authorization codes.
- Use out-of-sequence access numbers.
- Use longer DISA codes, ideally nine digits.
- Change authorization codes regularly.
- Disconnect all telephone extensions the moment they are no longer needed.
- If possible, restrict DISA access at night, on weekends, and on holidays - prime time for frauds.
- If possible, block or restrict overseas access, or selectively allow access to only certain country and area codes.
- If possible, program your system to answer with silence after five or six rings. Most systems answer with a steady tone after two rings and this is what hackers look for.
- Quickly identify invalid access attempts to your DISA number - if possible, route them to your operator.
- Implement DISA ports so that entering an invalid authorization code causes the system to drop the line.
- If possible, program your PBX to generate a minor alarm if an unusual number of invalid attempts are made.
- If possible, program your PBX so that the port will disable itself after a set number of invalid access attempts.
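The DISA rules above turned into a small access-control model, as an added example (not the page's or any vendor's code): per-user nine-digit codes, business-hours-only access, destination restrictions, line drop on an invalid code, a minor alarm and port self-disable after set counts. The thresholds, the country-code allow-list and the timestamp format are assumptions.

```python
"""DISA port access control following the checklist above.

Assumptions, not from the page: per-user nine-digit codes are held in a
dict; alarm and disable thresholds and the country-code allow-list are
illustrative; timestamps are ISO strings like "2023-06-12 10:00:00".
"""
from datetime import datetime

ALARM_AFTER = 3      # minor alarm after this many consecutive invalid codes
DISABLE_AFTER = 5    # port disables itself after this many
ALLOWED_COUNTRY_CODES = ("44",)   # overseas (011+) calls allowed only here

class DisaPort:
    def __init__(self, codes: dict):
        self.codes = codes            # user -> nine-digit authorization code
        self.invalid_attempts = 0
        self.disabled = False
        self.alarms = []

    @staticmethod
    def _in_business_hours(when: datetime) -> bool:
        """Restrict access to Monday-Friday, 08:00-17:59."""
        return when.weekday() < 5 and 8 <= when.hour < 18

    @staticmethod
    def _destination_allowed(number: str) -> bool:
        """Block 900 numbers; allow overseas only to listed country codes."""
        if number.startswith("1900"):
            return False
        if number.startswith("011"):
            return number[3:].startswith(ALLOWED_COUNTRY_CODES)
        return True

    def attempt(self, user: str, code: str, number: str, when: str) -> str:
        """Return 'connected' or the reason the port dropped the line."""
        if self.disabled:
            return "dropped: port disabled"
        if not self._in_business_hours(datetime.fromisoformat(when)):
            return "dropped: outside business hours"
        if self.codes.get(user) != code:
            # Invalid code: drop the line at once and count the attempt.
            self.invalid_attempts += 1
            if self.invalid_attempts == ALARM_AFTER:
                self.alarms.append(f"minor alarm: {ALARM_AFTER} invalid codes")
            if self.invalid_attempts >= DISABLE_AFTER:
                self.disabled = True
            return "dropped: invalid authorization code"
        self.invalid_attempts = 0     # a valid code resets the counter
        if not self._destination_allowed(number):
            return "dropped: destination not permitted"
        return "connected"
```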
Voice-mail system
- Establish well-controlled procedures for setting and resetting passwords.
- Assign and change passwords regularly.
- Use maximum length passwords - at least six digits - for the system manager box and maintenance ports.
- Prohibit the use of trivial codes such as 222 or 123.
- Prohibit the sharing or posting of passwords.
- Prohibit the entering of passwords into programmable keys or speed-dial buttons.
- Limit the number of consecutive log-in attempts to five or fewer.
- Keep time-out limits short.
- Change the maintenance password regularly and limit its distribution.
- Block access to long distance trunking facilities.
- Block collect-call options on the auto attendant.
- Delete all inactive mailboxes.
- Limit access to company directories that give directions on how to get into the voice-mail system.
- Limit your out-calling.
- In systems that allow callers to transfer to other extensions, block any digits hackers could use to get outside lines, especially trunk access codes.
- Conduct routine reviews.
Remote access ports
- Block access to remote maintenance/system administration ports.
- Use maximum length access codes and change them regularly.
- Use maximum length passwords and change them frequently.
- Eliminate three-way calling on all extensions used with modems.
- Disconnect modems that are not in use.
Foil dumpster divers
- Shred all call detail reports and records.
- Shred printouts and all other documentation.
- Destroy internal telephone directories.
Practice vigilance in overall security
- Secure equipment rooms - lock up all telephone equipment and wiring frames.
- Allow access only to authorized personnel.
- Require positive ID checks from supplier staff.
- Maintain an entry log.
- Do not use equipment rooms for janitorial staff.
- Secure all system documentation, including manuals, configuration records and system printouts.
Employee education and policies
- Restrict call forwarding to local calls only.
- Establish clear policies on accepting collect calls and providing access to outside lines.
- Always delete a code the moment an employee leaves your company.
- Do not assign a previous employee's code to a new employee.
- Ensure cards and passwords are returned when an employee leaves your company.
- Keep all telephone numbers private.
- Impress on your staff that your telephone number plan must never be discussed outside the company.
- If you use cellular phones, never give out access codes or Calling Card numbers over the cellular network.
- Protect your Calling Card number & PIN at all times.
- Retain in a secure place, or destroy, the backing sheet to which your Calling Card is attached when it is mailed.
- Brief all your staff on security policies and procedures and ensure they follow them.
- Develop a program to train staff on toll fraud detection - i.e. warning signs, alarms.
- Make a confidentiality agreement part of employment conditions.
- Warn your personnel about "shoulder surfing" and establish a procedure whereby they can immediately report it, if they believe their company Calling Cards or access codes have been compromised.
- Educate switchboard operators and receptionists about callers posing as investigators, phone company reps or telecom managers in an effort to get calls put through the PBX.
- Establish a procedure whereby staff can report possible security breaches or suspicious activities immediately.
- Review training programs and security procedures regularly.