Iron-clad security, blocks sophisticated VoIP toll fraud

Among the last remaining arguments against the tidal wave of voice-over-IP is the claim that IP systems are susceptible to fraud.

May 2, 2013

By Rob Lith, Business Development Director, Connection Telecom

Among the last remaining arguments against the tidal wave of voice-over-IP is the claim that IP systems are susceptible to fraud.

In reality, breaching VoIP security is a far more complex proposal than hacking a traditional analogue telephone system, and the South African VoIP industry has taken a highly proactive stance with safeguarding it further.

But let’s take a step back in time to see how phreaking, or phone hacking, began, and how it evolved to the sophisticated attacks we see today and the techniques used to stop them.

Phreaks in history
Phreaking, a contraction of the words ‘phone’ and ‘freak’, refers generally to the activities of telephony enthusiasts. In hacking terms it can involve using various audio frequencies to manipulate a phone system (Wikipedia).

Phreaking in the latter sense consists of illegal techniques to avoid paying long-distance phone charges, also called toll fraud. It goes back as far as the 1960s (Apple’s co-founder Steve Wozniak was a famous exponent in the 1970s) and various methods were employed, some very simple, including ‘switch-hooking’ (tapping a telephone hook to simulate pulse dialling).

Even more sophisticated phone systems can be easily circumvented. Modern-day distribution boxes can be bypassed with ultra-cheap tools, allowing neighbourhood phreaks to phone to their heart’s content (or simply explore phone systems harmlessly, though illegally).

And unlike VoIP systems, little can be done to overcome the vulnerabilities.

VoIP toll fraud
As with PSTN phone systems, SIP accounts provisioned by VoIP servers can be compromised and used to commit toll fraud.

Typically, fraudsters gain access to SIP accounts at the authentication layer (obtaining usernames and passwords by various means). Once account access is gained, they can register another instance of the SIP account to a softphone on a different computer and make multiple calls at once, racking up thousands of Rands in charges in a very short time.

What makes this form of fraud seem more of a threat to some is its sophistication, the wider ambit of attacks given the virtual nature of network resources, and the volumes of fraud that unprotected devices and accounts can be subjected to in a short time.

But as indicated earlier, this is no simple task, and much more can be done – and is being done – to protect SIP accounts than copper pairs in a neighbourhood distribution box or switch hooks on a pay phone.

  • The ISP Association (ISPA) has a proactive working group for Internet service providers that also provide telco services. The group monitors fraud and shares information with members on attacks and preventative measures. It enjoys the support and endorsement of senior industry members including regulatory expert Dominic Cull and ISPA secretary Ant Brooks.
  • Members of ISPA’s fraud working group contribute information gleaned from alerts set up in their telephony systems. For instance, any calls to out-of-the-ordinary destinations like Latvia, East Timor or the Cook Islands might trigger an alert to a cloud-based telco hosting PBXs on behalf of its customers. The telco might react by blocking the call and then consulting the customer, who might in fact have legitimate reasons for calling exotic climes.
  • Other tools alert users or telcos when there are more than three failed password attempts. Fail2ban, for instance, will block the IP address from where the spurious login attempts are coming.
  • On yet another level, prepaid-like account limits can be applied to post-paid accounts to ensure account balances don’t go through the roof.
  • Monitoring tools like Zabbix make it possible to track spikes in international termination rates, caused for example by multiple calls being made in parallel.

To combat more and more sophisticated attacks, additional measures are being proposed within the ISPA group, such as the establishment of honeypot SIP servers that masquerade as production servers but are merely bait.

Honeypot servers are relatively easy to crack and provide opportunity to monitor state of the art attacks, tools and origins of attacks without any threat to actual production servers.

Upping the ante
In truth, attacks are becoming more and more sophisticated. It is not unusual to see hacks being posted for new versions of products or operating systems within hours of their release and the sheer volume of attempted attacks require record levels of vigilance.

But used in conjunction, the aforementioned state-of-the-art security measures provide unprecedented protection against toll fraud, serving to counteract the danger of large losses occurring in a global Internet ecosystem.