Community-Driven Institute

Protect Your Phone System from Fraud!
by Hildy Gottlieb
Copyright ReSolve, Inc. 2000 ©

“I never thought it could happen to me.”

Isn’t that what all crime victims say?

Well that’s me - a crime victim who never thought it could happen to her. And the reason I’m writing this column today is to share that it not only happened, but that most people to whom this crime happens don’t even realize it is possible.

I’m talking about hacking. But not hacking into computers. Hacking into phone systems.

It happened over the long July 4th weekend, when no one was in our office to catch that something was going wrong. Hackers accessed our phone system and used our lines to place long distance calls.

The good news is that the fraud divisions at both Sprint and AT&T caught the calls, putting a stop to them after 2 days.

The bad news is that once those major providers halted our international service, they tell us it is likely the perpetrators started using our lines to access those 10-10 services you see advertised all the time.

Worse news is that the extent of the long distance calls placed from our phone system may be as much as $20,000 or more.

Even worse is the news that in at least the initial stage of this fight, the phone companies have said we are liable for those charges, and it appears some courts have backed them up.

But that's not the very worst of it.

The worst is that in those short 2 days, the calls placed from our system included a 16-hour call to Saudi Arabia, and 6- and 8-hour calls to Yemen, Afghanistan, Pakistan, India and other countries the United States has on “watch” during this time of war.

From “Gotcha” to Fighting Back

As happens with any crime, first you feel violated, then you put things in order. And sometimes, depending on the crime, there is a next step – fighting back.

So the first thought running through my head when we learned of the problem was consternation: “There is a war going on, and my phone is being used to make long illegal calls to countries that are both directly and indirectly involved in that war.” It’s one thing to feel violated after a crime, but this went beyond that feeling, bringing home to me the fact that regardless of how each of us individually feels about it, the world is in a state of war, and the tools of war and espionage have absolutely changed.

But as we began to put things in order, learning as we went, those feelings of being violated were replaced by a different sensation. A single thought kept resonating louder and louder in my head:

“WHY ISN’T ANYONE TALKING ABOUT THIS?”

Even those of us in the nonprofit world who have come late to the technology party – those who are finally seeing the need for a website, or those who have finally grown accustomed to using email for much of their communication – regardless of how much or how little we know about technology, we know about virus protection and spam filters. We know these things because everyone seems to talk about them.

Then why is it not just as common knowledge that our phone systems could be used as tools for international crime? How did this happen?

How It Happened

From our crash course in phone security over these past few days, we’ve learned a few of the things that allowed this to happen.

First, let’s clarify that this applies more to multi-line office phone systems than it does to the single phone in your home. That said, there has been a dramatic increase in hacking of cell phones and Palm Pilot / other PDAs, as wireless technology makes that so easy. For the sake of keeping this article brief, let’s stick to office phone systems for now. (Although if my cell phone is hacked next week, I may be back with a Part 2 for this article!)

These days, modern office phone systems are little more than computer systems. Many of the cool new features on these phones allow not only remote access to your voice mail, but remote access to a dial tone. For example, your voice mail system may, for your convenience, allow you to “Press 3 to return this call”, even if you are away from the office when you check your messages.

Well, if you can make that call from your office system when you are not physically there, so can someone else. That feature may be a convenience for you, but it allows easy access for those whose intentions are less than noble.

Another part of the problem, though, is that our world places tremendous emphasis on keeping our computers safe, but we hear virtually nothing about keeping our phone systems safe. Even non-techies (such as myself) know enough about the Internet to know I want a firewall and the latest virus definitions, and that every so often I want my teenaged daughter to check my system for spyware and other evidence of foul play.

But my phones?

Which leads to a related piece of the puzzle: Protection for these systems has not advanced anywhere near as much as protection for our computers has. A quick Internet search regarding this problem found a Business Week article dating from 1991, describing the exact methods the thieves used to gain access to our system - 13 years ago! In a world where we are so used to techno-changes every few minutes, how is it possible my phone system has the same hack-potential it had when the buzz on the tech circuit was the latest version of DOS?

Until such time as there are more foolproof phone-hack-protection measures available, there are things you can do to protect yourself. The first is to contact whoever services your office phone system, to have them run through their own checklists with your system. There are a number of layers of protection they can add that will make your system harder to crack.

It is equally important, however, to simply be aware. If you don’t need the feature that allows a remote dial tone, turn it off. When an employee leaves the firm, change any passwords that employee might have known. Make those passwords as LONG as possible. Like the Neighborhood Watch programs that teach residents to make their house unappealing to thieves, make your system too much effort to crack, and they’ll head to an easier system.
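
Being aware can also mean reviewing the call records your phone system keeps. The sketch below is an added example, not part of the original article or of any vendor's tooling: it scans a call log for the pattern described above (international or 10-10 dial-around calls placed after hours, running for hours, or made through the voice mail port). The log layout, the "VM" port label, the office hours, the holiday date, the 2-hour threshold and every phone number are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample call records; a real phone system export will look different.
SAMPLE_CDR = """start,extension,dialed,duration_sec
2004-07-02 10:15:00,201,15205550123,340
2004-07-03 23:40:00,VM,0119661234567,57600
2004-07-04 02:05:00,VM,0119671234567,21600
2004-07-05 03:30:00,VM,10103210119212345678,28800
2004-07-06 09:05:00,204,01144201234567,600
"""

INTL_PREFIX = "011"          # international dialing prefix from the US
DIAL_AROUND_PREFIX = "1010"  # "10-10" dial-around services (assumed match rule)
VOICEMAIL_PORT = "VM"        # assumed label for calls placed via remote voice mail
OPEN_HOUR, CLOSE_HOUR = 8, 18
HOLIDAYS = {"2004-07-05"}    # constructed: observed holiday of a long weekend
MAX_CALL_SEC = 2 * 3600      # assumed ceiling for a normal business call

def reasons_for(row):
    """Return the reasons a toll call looks suspicious, or [] if it does not."""
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    reasons = []
    if row["dialed"].startswith(INTL_PREFIX):
        reasons.append("international")
    if row["dialed"].startswith(DIAL_AROUND_PREFIX):
        reasons.append("dial-around")
    if not reasons:
        return []  # local and domestic calls are out of scope here
    closed = (start.weekday() >= 5 or start.date().isoformat() in HOLIDAYS
              or not OPEN_HOUR <= start.hour < CLOSE_HOUR)
    if closed:
        reasons.append("after-hours")
    if int(row["duration_sec"]) > MAX_CALL_SEC:
        reasons.append("long-call")
    if row["extension"] == VOICEMAIL_PORT:
        reasons.append("via-voicemail")
    # A toll call alone is normal; flag it only with at least one risk signal.
    return reasons if len(reasons) > 1 else []

def flag_calls(cdr_text):
    """Return (start, dialed, reasons) for every suspicious call in the log."""
    rows = csv.DictReader(io.StringIO(cdr_text))
    return [(r["start"], r["dialed"], why) for r in rows if (why := reasons_for(r))]

if __name__ == "__main__":
    for start, dialed, why in flag_calls(SAMPLE_CDR):
        print(start, dialed, ", ".join(why))
```

Run against a daily export, a check like this would surface holiday-weekend activity the next morning instead of when the bill arrives.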

Sprint has created an excellent tip sheet for how to protect your phones. They also have a great tip sheet for protecting yourself from what’s known in the lingo as “Social Engineering.” An example of Social Engineering (which I confess, sounds like some strange eugenics project, but actually has to do with your phone system) is when the people who want to use your phones for illegal activity call and identify themselves as Sprint or AT&T operators who need your password to keep the system safe. This latter issue will be of particular interest to nonprofit organizations with volunteers answering the phones, and you may want to have a special phone security training session with those individuals.

We have posted both these tip sheets to a special section at our website. (See Below) We urge you to download them and provide them to all your organization’s employees.

FRAUD ALERT DOWNLOADS
YOUR PHONE SYSTEM
DON'T GET TRICKED

To all who have expressed their concern for us, we thank you. We have filed police reports and are reporting the "theft" to our insurance company and will be protesting the charges with the phone companies.

But to us, this was a lesson. A lesson that says, “You never know.” And if you can learn from our lesson, then perhaps some good will come out of what is likely to become some long months of battles ahead.


