1. Use Strong Passwords

 This point is quite obvious, but nevertheless, it is one of the most efficient fraud prevention measures. 

We recommend the following best practices for service passwords: 

•     Should not be the same as the account ID     
•     Should contain at least 6 characters, and preferably more     
•     Should not contain any of the following combinations: 123, qwerty, voip, password     
•     Should contain at least 3 unique characters such as !@#$%^&*     

Instruct your customers to use strong passwords for the self-care portal. The following simple rules can be useful: 

•     Create unique passwords that that use a combination of both upper- and lower-case letters, numbers, and symbols.     
•     Do not use your network username as your password.     
•     Don’t use easily guessed passwords, such as “password” or “user”.     
•     Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.     
•     Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or end of the word (or both!).     
•     Avoid using simple adjacent keyboard combinations: For example, “qwerty” and “asdzxc” and “123456” are less secure.     
•     Some of the easiest-to-remember passwords aren’t words at all, but collections of words such that form a phrase or sentence, perhaps the opening sentence to your favorite novels, or the opening line to a good joke. Complexity is nice, but length is key. It used to be the case that picking an alphanumeric password that was 8-10 characters in length was a pretty good practice. These days, it’s increasingly affordable to build extremely powerful and fast password-cracking tools that can try tens of millions of possible password combinations per second. Just remember that each character you add to a password or passphrase makes it an order of magnitude harder to attack via brute-force methods.     
•     Avoid using the same password at multiple Web sites. While you may decide to re-use the same password at sites that do not store sensitive information about you (like a news website) don’t use this same password at sites that do contain sensitive information, such as online banking services.     
•     Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.     
•     Don’t store your list of passwords on your computer in plain text.     
•     There are several online third-party services that can help users safeguard sensitive passwords, including LastPass, DashLane, and 1Password that store passwords in the cloud and secure them all with a master password. If you are not comfortable entrusting all your passwords to the cloud, consider using a local password storage program on your computer, such as Roboform, PasswordSafe or Keepass. Again, take care to pick a strong master password, but one that you can remember.    

2. Set a reasonable credit limit for each and every customer

For your postpaid customers, it is important to limit their usage to help protect against fraud. Their credit limit can be set either upon the creation of a customer or for already existed customers. To define the credit limit for an existing customer please follow the steps below. 

•     On the Customer Management screen, choose the specified customer.     
•     Proceed to the Balance & Credits tab.     
•     Set the limit in the Permanent Credit Limit field.    

While the exact credit limit you set is your own decision, please consider an amount which is somewhat higher than their peak usage, but lower than the volume you might expect with fraud.  The benefit of setting a credit limit is that it places a ceiling on the number of minutes a fraudster can use.

3. Limit the amount of simultaneous calls for each customer 

We recommend that you consider limiting simultaneous calls for each customer. The ability to make simultaneous calls can be important in some configurations (e.g., in PBX or SIP Trunk setup), but this is usually not needed in others (e.g., in Calling Card, Pinless, Mobile or Residential services). An unexpected increase in simultaneous calls can be an indicator of a potential security breach. 

The limit can be shared between all accounts belonged to a customer or a group of accounts or set to each account individually. 

The customer level 

By default, all customer accounts share the limit defined on the customer level. If you define 5 maximum simultaneous calls, the customer will be limited to 5 channels. Each call above the limit will be rejected. To apply the limitation please follow the steps below. 

•     On the Customer Management screen, choose the specified customer.     
•     Proceed to the Service Configuration tab, Voice Calls section.     
•     Enable the Limit Simultaneous Calls option and set the needed limitation.    

Customer Sites 

Using the Customer Site tool allows you to define a limitation for a group of accounts. To apply the limitation please follow the steps below. 

•     On the Customer Management screen, choose the specified customer.     
•     Click on the Sites button.     
•     On the Customer Sites page, add a new site.     
•     Enable the Limit Simultaneous Calls option and set the needed limitation.     

•     Go through settings of accounts this site should be applied to and assign it under the Account Info tab.     

Fair Usage Policy 

Fair Usage Policy is an option on a product that allows you to define an individual limitation for every account that has the product assigned. To apply the limitation, please follow the steps below. 

•  On the Product Management screen, choose the specified product.     
•  Proceed to the Service Configuration tab, Voice Calls section.     
•  Enable the Fair Usage Policy option and set the needed limitation.     

 Overdraft Protection 

The Overdraft Protection option disables simultaneous calls for accounts (technically speaking, it locks all available funds of the account until the call is finished). If you enable the Overdraft Protection option, all accounts with this product will be able to make only one call at time. To apply the limitation, please follow the steps below. 

•     On the Product Management screen, select a product.     
•     Proceed to the Additional Info tab.     
•     Mark the Overdraft Protection checkbox and save the changes.     

Calls Per Second limitation (available in cluster)

This option allows you to define maximum rate of calls that can be initiated per second. To apply the limitation, please follow the steps below. 

•     On the Product Management screen, select a product.     
•     Proceed to the Service Configuration tab, Outgoing Calls section.     
•     Enable the CPS Limitation option and define the needed rate.     

4. Pay close attention to your customers’ tariffs 

Tariff configuration is a standard step in any billing configuration. Customer tariffs can be local (e.g., domestic calls only) or international. It is very important to make sure that your tariffs are configured properly to secure your customers. We recommend the following: 

•     Avoid wildcard destination | (pipe) in your production tariffs, as it can be very insecure.     
•     Avoid destinations that cover significant geographical region. For example, adding a rate for destination 1 will cover     calls inside North America, including potentially expensive Caribbean countries (e.g., Jamaica).     
•     Assign local tariffs to your customers by default. For example, for US-based PBX customers,use the local tariff by     default unless they explicitly request international calling. To enable international calling use the Tariff            Override option.     
•    Block expensive international destinations your customers normally do not call. The most popular fraud destinations at the moment are Cuba (+52), Somalia (+252), Bosnia & Herzegovina (+387), Estonia (+372), and Latvia (+371).    
•   Block premium destinations.     
•   Use Call Barring classes or the Tariff Override option to forbid your customers from dialing expensive destinations. Please note, the switching and billing solutions that Sagecom offers are important parts of your VoIP business, but they are not the only parts. Third party services, such as your VoIP Termination carriers, could also be compromised with fraud. Please contact each of your providers and discuss what type of fraud deterrents they might offer, and if you need to proactively opt in or configure them in some way. Being prepared in advance, before fraud occurs, is important. Sagecom is not responsible for any third party services which may be affected by fraud.     

5. Protect access to web interfaces

Please go to the following link to learn more about how you can safeguard access to the web interfaces - Recommendations for Web Interfaces protection

6. Secure your VoIP equipment

Your VoIP equipment security is an essential part of protecting your service as a whole. The devices store SIP credentials and sensitive information is usually not shown on the web interface, however some devices allow you to download the configuration file where credentials can be available in plain text. 

We recommend that you use remote provisioning. It will greatly simplify the phone management, and will provide added security and accuracy. 

We recommend the following guidelines to secure your VoIP equipment configuration.

•     Always set a web interface password, whenever you configure a phone manually or via remote provisioning. Do not use trivial passwords for the device web interface.    
•     Disable remote admin access (if the device supports it).    
•     Use encryption for IP device profiles. This way you can be sure that even if the configuration file for the device is stolen, fraudsters will not be able to obtain sensitive information from it.    
•    User names and passwords should be erased when phones are discarded. Log-on to the device's web page and remove this information manually. A factory reset is even better, as it also removes the call records.    

Please contact support to learn more about IP device profiles encryption.

7. Pay attention to third-party softphones with Push notifications

Push notifications can help save your end user’s phone battery life. If a softphone supports this option, you do not need to keep it in foreground or background all the time to receive an incoming call. Instead, when you close the softphone it notifies the Push server and the Push server registers instead of the softphone. When an incoming call is placed to the account, it will be received by the Push server, which in turn sends a push notification to the softphone. The softphone will be launched to receive the call. 

There is one drawback in this technology: in order to register instead of the softphone, the push server must know the account credentials. If you use third party softphones with Push technology, you actually send your credentials to a third party server. 

As an alternative, you can use our Sagecom Mobyx mobile softphone solution, which is fully integrated into our switch. Sagecom’s Push server is hosted by Sagecom, to help safeguard your information.

8. Perform a regular security audit

Admin users by default have access to all the information in your switching environment. Understandably, if an admin user’s credentials are compromised, it can be very serious. 

We highly recommend the following rules for your admin users:

•     Create individual user for every employee and avoid sharing credentials among multiple employees.     
•     Use secure passwords (check password-related guidelines for more details).    
•     Create limited ACLs (Access Control Lists) for your employees if they do not need access to everything.    
•     If you suspect unusual activity, change the web password of the user immediately. Our platform will terminate all web sessions of the user and log them out at all locations.      

9. Fighting subscription fraud

Sagecom’s SOAP Signup form allows your website visitors to easily sign up for your services. But fraudsters can use fake credit card info to create an account and utilize the Domestic and International Revenue Share Fraud, and other threats.

Here are several guidelines that can help to minimize subscription fraud:

•     Create all accounts in blocked state and manually review the configuration. This is our recommended option. Of course, it will require a bit more effort from your team, but it will help you to reduce fraudulent sign up attempts.    
•     Enable the limitation of the signup attempts from the same IP address within the day.    

Appendix A

What to do if you face Caller ID spoofing fraud? 

This type of fraud can be a threat to Pinless service and unfortunately it is difficult for you to investigate.  Here are some guidelines we recommend:

•  Block the compromised Pinless account immediately.    
•  Contact support as soon as possible. We will collect all the available technical information that will be used for investigation.    
•   This type of fraud can be efficiently investigated only by your DID provider. Our engineers will help you to compose a technically grounded request to the DID provider.    
•   If your company is based in the USA, you can file a complaint with the FCC: https://www.fcc.gov/consumers/guides/spoofing-and-caller-id