Is your office telephone system as secure as your data network? Phone hacking can be as damaging to your business (or career) as computer attacks, but security often lags.
Phone hacking is not new. With a little knowledge of the basic commands used in a PBX – the exchange in most enterprises – attackers can set up toll fraud schemes on traditional office phone systems. In a recent case, a UK call centre agent set up an 0900 service and kept a call to the number open from work for hours each day; he pocketed the incoming premium call charges until he was fired.
But Voice over Internet Protocol (VoIP) raises the stakes. “Could you tap a phone call? Probably not. Could you intercept a VoIP call? If you have a laptop, the answer is yes,” warns Howard Scoot, managing consultant at Avaya Global Services, the consulting arm of the telephony vendor. “VoIP is a data exchange and bad things can happen with data,” he adds.
Common attacks include using VoIP phone ports to sneak onto the network, stealing voicemail messages or customer information, re-routing numbers and intercepting communications. Software available on the internet enables malicious users to track and record unsecured conversations.
But applying standard network security policies to phone systems can eliminate many risks. For instance, Avaya IP PBXs encrypt voice traffic. “Any unauthorised recording of a conversation just sounds like white noise,” says Mr Scoot.
Avaya also performs security audits for customers’ phone systems. “It’s not always the obvious that trips you up,” points out Mr Scoot, citing the case of a well-known credit card organisation. “We found quite a lot of things they were doing wrong. We showed them and fixed the problem.”
When the Bank of Ireland upgraded its phone banking service in 2003, it became the preferred banking method for many customers. Today, the service handles more than 13m calls a year from nearly 500,000 customers. But this meant increasing capacity at its call centres in Dublin, Kilkenny and the west of England. “This introduced lots more technology and equipment than they were used to,” says Mr Scoot. Aware of the risks, the bank hired Avaya to perform an initial threat assessment of traditional and IP phone systems as well as data networks. The security audit revealed the bank’s PBX, call management and IVR systems had weaknesses that could have led to security breaches and toll fraud. “We encountered the sorts of things you expect to see when using new technology. For instance, security patches on servers were not being installed in a timely manner,” says Mr Scoot.
A significant challenge for the Bank of Ireland was maintaining the same security standards across a multi-vendor data and communications architecture. Besides Avaya phone equipment, the bank uses kit from a wide range of suppliers for applications such as call recording and CRM. Avaya helps them manage a consistent level of protection. “They recently introduced a new server for increased throughput but it didn’t meet their security standards out of the box. We helped integrate the new hardware.”