Combating Long Distance Theft - Your Defence Arsenal

Telus, 8/98

Learn your system

• Know its safeguards and security features
• Find out from your supplier if it has inherent defences.
• Determine its key vulnerabilities.
• Ensure staff are trained in safeguards and security procedures.

Know the access paths that can open doors to fraud

• Direct Inward System Access
• Voice-mail System
• Remote System Administration (maintenance ports)
• Direct Inward Dialing
• Tie Trunks and other Tandem Network Services
• Modems

Monitor and analyze your system's information

• Study call detail records - exception reports can provide early warning signs.
• Review your billing records.
• Familiarize yourself with calling patterns, and review them regularly.
• Review voice-mail reports and their analysis.
• Monitor valid and invalid calling attempts as often as possible.

Know the signs of a security breach

• Sudden change in normal calling patterns.
• All trunks busy in or out - i.e. complaints that customers cannot call in because the system is always busy.
• Increase in wrong number calls or silent hang-ups.
• Increase in night, weekend and holiday traffic.
• Increase in toll-free (1-800 & 1-888) and WATTS calls.
• Increase in international calling.
• Increase in odd calls, i.e. crank and obscene.
• Toll calls originating in voice-mail.
• Long holding times.
• Unexplained 900 calls.
• High toll for any unauthorized trunk/extension.

Secure your system
System configuration

• Configure all systems to restrict access to specific times and to limit calling ranges.
• Restrict access to business hours only.
• Block all toll calls at night, on weekends and holidays.
• Block or limit dial access to overseas calls.
• Require attendant assistance for overseas.

PBX and DISA numbers

• Never publish your DISA telephone number.
• Change your DISA access telephone number periodically.
• Issue a different DISA authorization code to each user - do not implement one code for all users.
• Warn DISA users not to write down their authorization codes.
• Use out-of-sequence access numbers.
• Use longer DISA codes, ideally nine digits.
• Change authorization codes regularly.
• Disconnect all telephone extensions the moment they are no longer needed.
• If possible, restrict DISA access at night, on weekends, and on holidays - prime time for frauds.
• If possible, block or restrict overseas access, or selectively allow access to only certain country and area codes.
• If possible, program your system to answer with silence after five or six rings. Most systems answer with a steady tone after two rings and this is what hackers look for.
• Quickly identify invalid access attempts to your DISA number - if possible, route them to your operator.
• Implement DISA ports so that entering an invalid authorization code causes this system to drop the line.
• If possible, program your PBX to generate a minor alarm if an unusual number of invalid attempts are made.
• If possible, program your PBX so that the port will disable itself after a set number of invalid access attempts.

Voice-mail systems

• Establish well-controlled procedures for setting and resetting passwords.
• Assign and change passwords regularly.
• Use maximum length passwords - at least six digits - for the system manager box and maintenance ports.
• Prohibit the use of trivial codes such as 222 or 123.
• Prohibit the sharing or posting of passwords.
• Prohibit the entering of passwords into programmable keys or speed dial buttons.
• Limit the number of consecutive log-in attempts to five or less.
• Keep time-out limits short.
• Change the maintenance password regularly and limit distribution.
• Block access to long distance trunking facilities.
• Block collect-call options on the auto attendant.
• Delete all inactive mailboxes.
• Limit access to company directories that give directions on how to get into the voice-mail system.
• Limit your out-calling.
• In systems that allow callers to transfer to other extensions, block any digits hackers could use to get outside lines, especially trunk access codes.
• Conduct routine reviews.

Remote access ports

• Block access to remote maintenance/system administration ports.
• Use maximum length access codes and change regularly.

Modems

• Use maximum length passwords and change frequently.
• Eliminate three-way calling on all extensions used with modems.
• Disconnect modems that are not in use.

Foil dumpster divers

• Shred all call detail reports and records.
• Shred printouts and all other documentation.
• Destroy internal telephone directories.

Practice vigilance in overall security
On-site security

• Secure equipment rooms - lock up all telephone equipment and wiring frames.
• Allow access only to authorized personnel.
• Require positive ID checks from supplier staff.
• Maintain an entry log.
• Do not use equipment rooms for janitorial staff.
• Secure all system documentation, including manuals, configuration records and system printouts.

General security

• Restrict call forwarding to local calls only.
• Establish clear policies on the accepting of collect calls and providing access to outside lines.
• Always delete a code the moment an employee leaves your company.
• Do not assign a previous employee's code to a new employee.
• Ensure cards and passwords are returned when an employee leaves your company.
• Keep all telephone numbers private.
• Impress on your staff that your telephone number plan must never be discussed outside the company.
• If you use cellular phones, never give out access codes or Calling Card numbers over the cellular network.
• Protect your Calling Card number & PIN at all times.
• Retain, in a secure place, or destroy the back sheeting to which your Calling Card is attached when it's mailed.

Employee education and policies

• Brief all your staff on security policies and procedures and ensure they follow them.
• Develop a program to train staff on toll fraud detection - i.e. warning signs, alarms.
• Make a confidentiality agreement part of employment conditions.
• Warn your personnel about "shoulder surfing" and establish a procedure whereby they can immediately report it, if they believe their company Calling Cards or access codes have been compromised.
• Educate switchboard operators and receptionists about investigators, phone company reps, and telecom managers in an effort to get calls put through the PBX.
• Establish a procedure whereby staff can report possible security breaches or suspicious activities immediately.
• Review training programs and security procedures regularly.