Meet and beat the ego-driven systems hacker

There are few guarantees in life. But if you are a telecomm manager--and your company has a remote access feature in your PBX--it is almost certain that someone, somewhere, at some time, will try to steal your service.

A few years ago, telephone card fraud was the major fraud issue, but that has changed. Today, PBX and voice mail fraud is so common that security departments such as Sprint's are advising current and prospective customers about this potential problem.

Many companies lose hundreds of thousands of dollars every year through PBX fraud. Some companies have lost as much as $2 million.

Computer hackers are a different breed. The thrill for hackers is to break into a PBX or voice mail system and distribute stolen access codes to fellow hackers and abusers around the world via an electronic bulletin board. Their trophy is your PBX remote access code.

These hackers are ego-driven! The computer is their social life. Generally, they are not in it for the money but rather the thrill. When caught, they often delight in recounting how bright they are.

There are also the greed merchants--street hustlers who sell stolen long-distance service. It is their business, and a vulnerable PBX or voice mail system is their livelihood.

Customers can take preventive steps to avoid PBX and voice mail fraud. And we let our customers know that Sprint will work with them every step of the way.

A good PBX security support program includes:

* PBX security presentations.

* Monitoring and selective analysis of all domestic and international inbound 800 and selected outbound traffic.

* Domestic and international bulletin board monitoring for compromised PBX remote access codes belonging to our customers.

* Notification of abnormal calling patterns and recovered remote access codes.

* Consultation by security staff members in addressing system vulnerabilities.

One recommendation we continually stress is that if you have Direct Inward System Access (DISA) in your PBX, you should either consider alternatives to using the systems, i.e., telephone credit cards, or take other steps to guard yourself from hackers.

Granted, DISA can save your company money. But DISA can also enable a computer hacker to open your PBX up to long-distance abusers.

If you use DISA, consider lengthening authorization codes. A four-digit code is easy, even for rookie hackers.

Change your codes often; avoid publishing them in internal documents.

Restrict after-hours and weekend access. Do you really need 24-hour access to your PBX?

Eliminate certain area codes. Extremely high toll fraud has been found to originate from the 212 and 718 area codes and terminate in the 809 area code. You can deter some abuse by simply blocking area codes.

Watch out for "Dumpster Divers"--people who delve into your trash to find passwords and other information about your telephone system.

Guard information about your telephone system. Many a PBX has been compromised by someone saying they were working on a telephone system and needed to know more information about the system.

No matter what steps are taken, PBXs and voice mail systems can be victimized by computer hackers. No system is 100% hacker-proof and managers who think otherwise are frequently taught a costly lesson.

The reality of PBX fraud is that you cannot wait for government or law enforcement agencies to take action. Unlike the social stigma against criminal drug activity, there's no real onus compelling hackers to stop. No huge governmental task forces have been formed to attack this type of fraud.

Businesses, however, can protect themselves against PBX and voice mail fraud by simply putting preventive procedures in place. Safeguarding a PBX or voice mail system can preclude a long-distance telephone bill containing thousands of unauthorized long-distance calls.

COPYRIGHT 1992 Nelson Publishing
COPYRIGHT 2004 Gale Group