Security is a cornerstone of every VoIP service. Since 2002, Sagecom has helped our customers defend against fraud. According to published industry sources, the rate of fraud has grown significantly since 2013.
According to the Communication Fraud Control Association 2015 Global Fraud Loss Survey, the top five methods for committing fraud are:
$3.93B (USD) – PBX Hacking
$3.53B (USD) – IP PBX Hacking
$3.53B (USD) – Subscription Fraud (Application)
$3.14B (USD) – Dealer Fraud
$2.55B (USD) – Subscription Fraud (Identity)
The top five types of fraud are:
$10.76B (USD) – International Revenue Share Fraud (IRSF)
$5.97B (USD) – Interconnect Bypass (e.g. SIM Box)
$3.77B (USD) – Premium Rate Service
$2.94B (USD) – Arbitrage
$2.84 B (USD) – Theft / Stolen Goods
VoIP Vulnerabilities
Call Fraud
Fraudsters can send calls pretending to be someone else and can route long distance, international and premium rate calls. This can cause major financial loss in very short time. Fraud is a common problem across all industries, but it has become a major issue for VoIP users and providers.
PBX Hacking
Fraudsters who can exploit the vulnerabilities of the IP PBX and gain access to the system are able to generate a significant amount of traffic. PBX hacking is a common technique used with Domestic and International Revenue Share Fraud and Call Transfer Fraud,as well as other schemes. Revenue Share Fraud is where fraudsters profit by driving traffic to premium numbers for which they earn money for each inbound minute.
Phishing
Phishing is very common in the email world. Voice phishing is the criminal practice of using social engineering over the telephone to gain access to private personal and financial information from the public. It is sometimes referred to as vishing, a word that is a combination of "voice" and phishing. Voice phishing is typically used to steal credentials, credit card numbers or other information.
Caller ID Spoofing
Caller ID Spoofing is the practice of sending phony Caller ID to the recipient of a phone call. It can be used to fraudulently impersonate a trusted vendor(such as a bank), a law enforcement agency,or another subscriber. This type of fraud can also be used with Pinless services, when fraudsters can place calls to premium or expensive destination.
False Answer Supervision
By negligence or design, a misconfiguration of telco equipment can cause billing to start as soon as the call is placed, even if the called party is busy or does not answer. The cost is typically subtle but recurring, resulting in significant loss for wholesale providers.
Subscription Fraud
This involves signing up for a service with a bogus name, and no intention to pay. Use of fake credit card information in the signup form is also common. After signing up, Fraudsters usually utilize the Domestic and International Revenue Share Fraud.
VoIP Security Best Practices
1. Use Strong Passwords
This point is quite obvious, but nevertheless it is one of the most efficient fraud prevention measures.
We recommend the following best practices for service passwords:
- Should not be the same asthe account ID
- Should contain at least 6 characters, and preferably more
- Should not contain any of the following combinations: 123, qwert, voip, password
- Should contain at least 3 unique characters such as !@#$%^&*
Instruct your customers to use strong passwords for the self-care portal. The following simple rules can be useful:
- Create unique passwords that that use a combination of both upper- and lower-case letters, numbers, and symbols.
- Do not use your network username as your password.
- Don’t use easily guessed passwords, such as “password” or “user.”
- Do not choose passwords based upon details that may not be as confidential as you’d expect, such as your birth date, your Social Security or phone number, or names of family members.
- Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords. If you must use dictionary words, try adding a numeral to them and punctuation at the beginning or end of the word (or both!).
- Avoid using simple adjacent keyboard combinations: For example, “qwerty” and “asdzxc” and “123456” are horrible passwords and that are trivial to crack.
- Some of the easiest-to-remember passwords aren’t words at all,but collections of words such that form a phrase or sentence, perhaps the opening sentence toyour favorite novels, or the opening line to a good joke. Complexity is nice, but length is key. It used to be the case that picking an alphanumeric password that was 8-10 characters in length was a pretty good practice. These days, it’s increasingly affordable to build extremely powerful and fast password-cracking tools that can try tens of millions of possible password combinations per second. Remember that each character you add to a password or passphrase makes it harder to attack via brute-force methods.
- Avoid using the same password at multiple Web sites. It’s generally safe to re-use the same password at sites that do not store sensitive information about you (like a news website) provided you don’t use this same password at sites that do contain sensitive information, such as online banking services.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
- Whatever you do, don’t store your list of passwords on your computer in plain text.
- Several online third-party services can help users safeguard sensitive passwords, including LastPass, DashLane, and 1Password that store passwords in the cloud and secure them all with a master password. If you are uncomfortable entrusting all your passwords to the cloud, consider using a local password storage program on your computer, such as Roboform, PasswordSafe or Keepass. Again, take care to pick a strong master password, but one that you can remember.
2. Limit the number of simultaneous calls for a customer
If your business model does not assume per channel charges, please make sure to limit simultaneous calls for a customer. Theability to make simultaneous calls can be important in some configurations (e.g., in PBX or SIP Trunk setup), but this is usually not needed in others (e.g., in Pinless or Residential services). Simultaneous calls can leadto a potential security breach.
2a. Customer Sites
Using Sagecom’s Customer Site Tool allows you to define a limitation for a group of accounts. By default,all customer accounts have the default site assigned. If you define 5 maximum simultaneous calls for the default customer site,all the accounts will be included into a virtual group (site) and Sagecom Switchwill apply the limitation for the whole group.
To apply the limitation please follow the steps below.
- On the Customer Management screen, choose the specified customer.
- Click on the Sites button.
- On the Customer Sites page, add a new site.
- Choose Yes from the Limit Simultaneous Calls list.
Define the Max Number of Simultaneous Calls parameter to allow up to a specific number of concurrent calls for this customer's accounts.
2b. Fair Usage Policy
Fair Usage Policy is an option on a product that allows you to define an individual limitation for every account with the product assigned. To apply the limitation, please follow the steps below.
- On the Product Management screen, choose the specified product.
- Proceed to the Service Configuration tab, Voice Calls section.
- Enable the Fair Usage Policy option and set the needed limitation.
2c. Overdraft Protection
The Overdraft Protection option disables simultaneous calls for prepaid debit accounts (technically speaking, it locks all available funds of the account until the call is finished). If you enable the Overdraft Protection option, all accounts with this product will be able to make only one call at time. To apply the limitation, please follow the steps below.
- On the Product Management screen, select a product.
- Proceed to the Usage Charges tab.
- Mark the Overdraft Protection checkbox and save the changes.
2d. Calls Per Second limitation
This option allows you to define the maximum rate of calls initiated per minute. To apply the limitation, please follow the steps below.
- On the Product Management screen, select a product.
- Proceed to the Service Configuration tab, Outgoing Calls section.
Enable the CPS Limitation option and define the needed rate.
3. Configure Roaming profiles
End users’ credentials are vulnerable to hackers. There can be another way of securing your customers. Knowing the customer’s primary location and analyzing the origin of the call can be a very effective anti-fraud technique, for example to prevent a US-based customer account from being compromised by fraudsters in another country.
Consider the following example: your customer’s company is based in Madrid, Spain. You would like to protect this customer from potential fraud. Since the company is situated in Spain and its employees mainly make calls from Madrid and other Spanish cities, you should perform the fraud protection configuration so that calls made from Spain can be completed without restrictions, while at the same time, calls made from other countries will be considered suspicious and therefore, forbidden or screened.
Detailed step-by-step configuration instructions are available at: Fraud Protection Configuration Settings
4. Pay close attention to your customers’ tariffs
Tariff configuration is a standard step in any billing scheme configuration. Customer tariffs can be local (e.g., US calls only) or international. It is very important to ensure your tariffs are configured properly to secure your customers. We recommend the following:
- Avoid wildcard destination | (pipe) in your production tariffs, as it can be very insecure.
- Avoid destinations that cover significant geographical region. For example, adding a rate for destination 1 will cover calls inside North America, including potentially expensive Caribbean countries (e.g., Jamaica).
- Assign local tariffs to your customers by default. For example, for US-based PBX customers, use the local tariff by default unless they explicitly request international calling. To enable international calling use the Tariff Override option.
- If you want to provide “unlimited” plans, we still recommend to define some cap (maximum amount of minutes) with a fair usage policy.
- Block expensive international destinations your customers normally do not call. The most popular fraud destinations at the moment are Cuba (+52), Somalia (+252), Bosnia & Herzegovina (+387), Estonia (+372), and Latvia (+371).
- Block premium destinations. Please get in touch with support to get an upload-ready copy of known premium destinations.
- Use Call Barring classes to forbid customers from dialing expensive destinations (please check the configuration instructions below).
Please note, the switching and billing solutions that Sagecom offers are important parts of your VoIP business, but they are not the only parts. Third party services, such as your VoIP Termination carriers, could also be compromised with fraud. Please get in touch with each of your providers and discuss what type of fraud deterrents they might offer, and if you need to proactively opt in or configure them in some way. Being prepared in advance, before fraud occurs, is important. Sagecom is not responsible for any third-party services which may be affected by fraud.
4a. Call Barring
Call barring allows you to prohibit outgoing calls to specific destinations.
The main difference between Call barring and blocking destinations in a tariff is that the latter applies to all customers using a given tariff, while Call barring can be activated and configured for an individual account. Also, whereas only the administrator can manage a tariff, Call Barring can be provisioned by end-users themselves (e.g., parents prohibiting calls to a dubious premium number on their child’s phone or a small business owner blocking outgoing international calls).
When Call Barring is activated, as part of normal call authorization, the system checks whether a dialed number matches any pattern specified in the Call Barringclasses. If it does, and if Call Barring has been activated for that class, the call is rejected.
A Call Barring class covers a specific set of phone numbers to which the customer should be denied access. In this regard, a Call Barring class resembles a destination group. The difference is that while a destination group can only contain pre-defined destination prefixes, a Call Barring class operates with a mixture of patterns (e.g., 448% - any number starting with 448) and actual phone numbers (e.g., 44810010099). This lets you fine-tune Call Barring options without creating excessive destination prefixes.
Definitions of various Call Barring classes (such as “Mobiles,” “International,” etc.) are done globally in the Call Barring Classes tab of the IP Centrex screen. Barring a specific class can then be turned on / off for an individual account.
To add a new Call Barring class please follow the steps below.
- Click on the Dial Plan main menu entry and choose the Call Barring Classes tab.
- Click Add, enter the class name and choose the Matching Type (MatchesDenies calls to numbers specified in the Number Patterns column, Does Not Match – Allows calls to numbers specified in the Number Patterns column and denies calls to other destinations).
- Click on the Number Patterns link and add the needed patterns (you can use % to match any sequence of digits, _ or x to match one digit).
Mark the Barred by default checkbox if you want to add this barring class for newly created accounts with the Call Barring feature enabled.
To apply Call Barring class to an account please follow the steps below.
- On the Account Info screen proceed to the Service Configuration tab, Outgoing Calls section.
- Enable the Call Barring option.
- Select the needed Call Barring classes under the Call Barring tab and save the changes.
- If you want to apply Call Barring to a group of accounts, you can enable it in the product configuration (Product-> Service Configuration-> Outgoing Calls)
5. Limit access to the web interface for your Admin users and customers
Web portals are very convenient and useful, but they can provide a lot of sensitive information to fraudsters (VoIP credentials, financial information, calls history, etc.) A strong password is a must, but you can improve the security of the portals even further. If your admin users access the portal only from some predefined locations (home, office) you can define the list of IP addresses that are allowed to access the web interface. In this case the portal will not be available for unauthorized destinations.
To add the limitation, please follow the steps below.
Limitation for Users:
- Open the needed user and proceed to the Web Self-Care tab.
- Set the Allow login from option to Specific IP addresses/networks and define the allowed IP addresses or networks.
Limitation for Customers:
- Open the needed customer and proceed to the Notepad field.
- Add the restriction rules in the following format:
For a single IP address:
ACCEPT:1.2.3.4
DENY:1.2.3.4
For a subnet:
ACCEPT:1.2.3.4/28
DENY:1.2.3.4/28
To allow or to deny access from all IP addresses:
ACCEPT:ALL
DENY:ALL
The rules are checked one by one in the order they are specified in the Notepad field. If at least one rule is defined but the requesting IP address does not match anything, then the access will be denied. For example, to deny only a single specified IP address 1.2.3.4 and a subnet 4.3.2.1/28, the Notepad field should contain:
DENY:1.2.3.4
DENY:4.3.2.1/28
ACCEPT:ALL
6. Do not log into you Admin Interface from public computers
If you are using a public computer, the risk of compromising your login credentials is higher. The best advice here would be to avoid entering sensitive information into a public computer at all. We have prepared several general guidelines to help protect against casual hackers who use a public computer after you. But remember that an industrious thief might have installed sophisticated software on the public computer that records every keystroke and then emails that information back to the thief. Then it doesn't matter if you haven't saved your information or if you've erased your tracks. They will still have access to this information.
If you have to login from public computers make sure you follow these guidelines to ensure your safety.
- Never save login information in browser.
- Log out as soon as the work is finished.
- Clear the browser history (perform the complete clean to remove cached data and browser cookies).
- Don't leave the computer unattended with sensitive information on the screen.
- Watch for over-the-shoulder snoops.
- Use the browser incognito or private mode if it is available.
- Consider changing the password from a trusted computer as soon as you can. In this case even if your password was stolen, it will be not possible to use it.
7. Secure your VoIP equipment
Your VoIP equipment security is an essential part of the whole service protection. The devices store SIP credentials and sensitive information is usually not shown on the web interface, however many devices allow you to download the configuration file where credentials can be available in plain text.
We recommend that you use remote provisioning. It will greatly simplify the phone management, and will provide added security and accuracy.
We recommend the following guidelines to secure your VoIP equipment configuration.
- Always set a web interface password, whenever you configure a phone manually or via remote provisioning. Do not use trivial passwords for the device web interface.
- Disable admin access (if the device supports it).
- Avoid using insecure protocols (e.g., TFTP).
- Use encryption for IP device profiles. This way you can be sure that even if the configuration file for the device is stolen, fraudsters cannot obtain sensitive information from it.
- Usernames and passwords should be erased when phones are discarded. Log-on to the device's web page and remove this information manually. A factory reset is even better, as it also removes the call records.
Don't hesitate to contact support to learn more about IP device profile encryption.
8. Pay attention to third-party softphones with Push notifications
Push notifications can help save your end user’s phone battery life. If a softphone supports this option, you do not need to keep it in the foreground or background all the time to receive an incoming call. Instead of this when you close the softphone, it notifies the push server and the push server registers instead of the softphone. When an incoming call is placed to the account, it will be received by the push server, which in turn sends a push notification to the softphone. The softphone will be launched to receive the call.
There is one drawback in this technology: in order to register instead of the softphone, the push server must know the account credentials. If you use third-party softphones with push technology, you send your credentials to a third-party server. Sagecom cannot guarantee the security of those credentials if they are shared with third party servers.
Alternatively, you can use our Mobyx mobile softphone solution, which is fully integrated into Sagecom Switch. Sagecom hosts Mobyx’s push server, to help safeguard your information.
9. Perform a regular security audit
Sagecom Switch Admin users by default, have access to all the information in your switching environment. Understandably, if an admin user’s credentials are compromised, it can be very serious.
We highly recommend the following rules for your admin users:
- Create individual user for every employee and avoid sharing credentials among multiple employees.
- Use secure passwords (check password-related guidelines for more details).
- Create limited ACLs for your employees if they do not need access to everything.
- If you suspect unusual activity, change the web password of the user immediately. Sagecom Switch will terminate all user web sessions and log them out at all locations.
10. Fighting subscription fraud
Sagecom’s SOAP Signup form allows your website visitors to easily sign up for your services. But fraudsters can use fake credit card info to create an account and utilize Domestic and International Revenue Share Fraud.
Here are several guidelines that can help to minimize fraud:
- Create all accounts in a blocked state and manually review the configuration. This is our recommended option. Of course, it will require a bit more effort from your team, but it will help you to reduce fraudulent sign up attempts.
- Enable the limitation of the signup attempts from the same IP address within the day.
Appendix A
What to do if you face Caller ID spoofing fraud?
This type of fraud can be a threat to Pinless service and unfortunately, it is difficult to investigate. Here are some guidelines we recommend to follow:
- Block the compromised Pinless account immediately.
- Contact support as soon as possible. We will collect all the available technical information that will be used for investigation.
- This type of fraud can be efficiently investigated only by your DID provider; our engineers will help you to compose a technically grounded request to the DID provider.
- If you are a USA-based company, you can file a complaint with the FCC: https://www.fcc.gov/consumers/guides/spoofing-and-caller-id
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article