As with most forms of cyber-crime, PABX hacking or ‘phreaking’ goes largely unreported, with many businesses unwilling to risk any damage to their reputation by admitting compromised security.
The Australian Federal Police estimate that phreaking afflicts hundreds of businesses annually, with a cost in the tens of millions of dollars. In the vast majority of cases, security failures are preventable at the user end. Here are ten simple measures you can implement to help prevent your PABX getting hacked.
1. DISABLE UNUSED FEATURES
If a feature is providing no benefit to your business, then it may as well provide no benefit to would-be hackers. Also, be sure to remove unused voicemail boxes when staff leave.
2. SECURE DIRECT INWARD SYSTEM ACCESS (DISA) NUMBERS
Only those staff who require DISA should have knowledge of those numbers. This feature can be disabled if unneeded.
3. CHANGE CODES FREQUENTLY
Change the authorisation and access codes and passwords as often as is practical (monthly is a good timeframe).
4. AVOID OBVIOUS PASSWORDS
Where possible, choose longer alphanumeric passwords and PINs. Don’t use birthdays or terms related to your business. Never, ever retain default passwords (a great many hacked systems have retained default passwords).
5. KEEP SECURITY INFORMATION SECURE
Do not post security codes and login details in plain view, or in predictable hiding spots (e.g. under keyboards).
6. DISPOSE OF DOCUMENTATION THOUGHTFULLY
Make sure any documentation listing access or configuration information is shredded or otherwise safely destroyed.
7. MONITOR CALL TRAFFIC
The more familiar you are with your business’s standard calling patterns, the more quickly you will be able to spot anomalous call traffic.
8. BLOCK SPECIFIC NUMBERS AND CALL TYPES
It is possible to block, say, all international calls from your PABX. Most systems have the capacity to block particular countries, a useful feature if your staff only call particular countries. Many phreaking crimes are based around obtaining free international calls.
9. PERIODIC AUDITING
There are companies that provide the service of testing the security of your phone system, essentially by trying to hack into it. Once the holes in your system are revealed, it is much easier to block them.
10. USE CERTIFIED TECHNICIANS
Always source certified, experienced installers, who can answer all your questions. Dog and Bone is happy to assist with this.
Remember that the responsibility for your system ultimately rests with you, the user. Telecommunications providers may show some leniency in pursuing the colossal bills accrued by a phreaked account, but they still generally expect the bills to be honoured. It pays to know your own phone system.
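The monitoring in measure 7, with the international-call focus of measure 8, sketched as an added example that is not part of the original article: it scans a constructed call detail record (CDR) export and flags international calls made outside business hours, to destinations not on an allow-list, or in bursts from one extension. The CSV layout, the 0011 prefix, the business hours, the allowed country codes and the burst limit are all assumptions to adjust to your own PABX's export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the article): CDR column layout, Australian 0011
# international prefix, business hours, allowed country codes, burst limit.
INTL_PREFIX = "0011"
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Mon-Fri
ALLOWED_COUNTRY_CODES = ("64", "44")   # destinations staff actually call
BURST_LIMIT = 3                        # intl calls per extension per hour

# Constructed sample CDR export: start time, extension, dialled number, seconds
SAMPLE_CDR = """\
start,extension,dialled,duration
2024-03-04 10:15:00,201,0298765432,120
2024-03-04 11:02:00,202,001164211234567,300
2024-03-09 02:11:00,215,00112525551001,1800
2024-03-09 02:14:00,215,00112525551002,1750
2024-03-09 02:20:00,215,00112525551003,1900
2024-03-09 02:41:00,215,00112525551004,1820
"""

def find_anomalies(cdr_text):
    """Return a list of (start, extension, dialled, reasons) for suspect calls."""
    flagged = []
    per_hour = defaultdict(int)    # (extension, date, hour) -> intl call count
    for row in csv.DictReader(io.StringIO(cdr_text)):
        dialled = row["dialled"]
        if not dialled.startswith(INTL_PREFIX):
            continue               # only international calls are scored here
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not dialled[len(INTL_PREFIX):].startswith(ALLOWED_COUNTRY_CODES):
            reasons.append("destination not on allow-list")
        key = (row["extension"], start.date(), start.hour)
        per_hour[key] += 1
        if per_hour[key] > BURST_LIMIT:
            reasons.append("burst of international calls")
        if reasons:
            flagged.append((row["start"], row["extension"], dialled, reasons))
    return flagged

if __name__ == "__main__":
    for start, ext, number, reasons in find_anomalies(SAMPLE_CDR):
        print(f"{start} ext {ext} -> {number}: {', '.join(reasons)}")
```

Run against a regular CDR export, the flagged list gives a short set of calls to review against what you know of normal traffic.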