Infiltrated dot Net

Who The Hell Loves Toll Fraud?
Written by sil   

Having seen my fair share of VoIP based toll fraud, I decided to speak out a bit on a VoIP related topic - “the cost of toll fraud and what it means to a carrier.” Because the company I work for is a Managed Service Provider with one of those services being an ITSP (Internet Telephony Service Provider), I get to see the effects of toll fraud first hand. When I wear my "VoIP Engineer" hat, I'm often tasked to configure and deploy VoIP based PBXs according to customer specifications. Clients are almost overjoyed at the number of features that a VoIP based PBX offers over traditional phone systems. "I can use my phone from home, a hotel in China!!!, implement find-me-follow-me?!", "I can send voicemail to email!?", "I can attach video!?", "well can I make the system turn on an application?!" I get strange requests.

 

VoIP based PBXs are certainly all the rage when it comes to keeping up with the times and lowering costs; however, most of the time the glittery features associated with these PBXs cause many purchasers of these systems, engineers and management alike, to overlook their security. From the engineering slash architect standpoint, a client will usually request a PBX along with IP phones. Because of the low costs and high ROI associated with these systems, it is not uncommon for some clients to order extra phones for their homes, for workers who may need a snow day - to be able to appear as if they're home, since they can register and make calls outside of the office. The pros mostly outweigh the cons; however, when those cons hit you, they hit you hard. Here is a story I would like to share with you about a possible client. (Remember, I said it is a story, take it with a grain of salt.)

Elite Client has three offices spread across three states with approximately 50 workers. At each location, they have a VoIP based PBX with 50 Snoms. The offices are meshed with one another, with multiple ISPs, so in the event that one ISP goes down, calls re-route to the other ISP. In the event a PBX goes awry, each location has registrations for each employee. Failover is complete unless two PBXs AND 4 ISPs go down (remember there are two ISPs at each location.)

At Elite Office B, there is somewhat of a stubborn employee. This employee wants the PBX to perform a specific way. This is the type of person who likes to throw his or her weight around. "Let me know who I should forget to send the check to!" kind of gentleman (or lady). When the PBXs were configured and deployed, there had been minor problems with the ISPs which trickled on to the ITSP. Clients still don't seem to realize that if a provider is lousy, their VoIP service will be lousy as well. After resolving the connectivity issues (traffic shaping, separating data and voice), all is well for months on end.

Elite Office B's Gentleman starts to see some of the features available to him; however, because of the mechanism necessary with the system, he is not given SIP passwords. This is the password used to authenticate to the PBX to place calls. The system was designed to solely use strong passwords. In fact, the passwords programmed were 16 character passwords with a MAC address appended to the password. The odds against someone brute-forcing the password or guessing it would be astronomical. Again, the system was designed for high availability along with security.

As an ITSP engineer/architect, we saw a rash of toll fraud which would call European numbers at a high cost. We quickly implemented a PIN system for international calls for our clients. What this means is, we tried to add yet another layer of security to our clients' PBXs. Now if they needed to dial international calls, they would be asked to enter a PIN to place the call. Due diligence, right? Wrong.

Elite Office B's "Gentleman" could not get the concept of this. After we implemented this, tested it, and had his colleagues verify that it worked, he begins again with his whining, pounding-on-the-desk "Whose check do I have to withhold?!" spew. Case in point: Client gets what the client wants... Client is always right... Even though we managed his PBX, we know about the risks, we try to protect the client, we're at fault. We remove the PIN based authentication for international calls. Months go by without a hitch. Then the worst alert a PBX admin wants to see comes trickling down: "You got served..."

One of our carriers alerted us to some high level fraud they disconnected. Darn, go back on the system, re-lock things down. The damage is done. $21,000.00 plus in toll fraud. So who's to blame here?

 


 

The kicker outside of all of this was receiving an e-mail from an accountant of Elite Office B who stated:

 

    "There are many businesses that are engaging customers by prospecting, as well as profit-taking, based on the expectation of fraud; which is the reason why representations and agreement terms are written as they are. It is quite transparent that a company's prior experience with its customers justifies the approach with legal positions and defenses as shown. You then offer a discount and expect the customer to be happy making a lesser payment for fraudulent transactions.

    The real deceit is the knowledge of the numbers of pre-existing fraud claims made via a “system” against customers, whereby there is a failure to disclose the potential size of such fraud charges that previous customers have encountered. With that knowledge, customers would most likely be looking elsewhere for service providers."



This is an outright slap in the face to those who work very hard trying to keep things in order outside of what is seen by some whiny penny counter. Note the hint of arrogance and sarcasm in that statement? Should I in turn call someone out of place? So while there is no dispute to some of this clown's statements, the fact is no carrier wants to deal with toll fraud, at least none of the carriers I have dealt with. I could just imagine asking one of the ISP engineers: "Hey John, is it OK if you let a couple of million attacks brute force through your network and saturate you for a little while" followed by the email to the terminating carriers: "Hey do you mind if an attacker sends thousands of fraudulent calls which we will then dispute with you likely leading both of our companies into a court of law?" followed by the third email to the client: "Hey you got served give us money!"

I cannot begin to imagine which engineer, architect, admin, etc., likes to wake up to calls at 3:00am from alerts of fraud. To think that there is someone who actually likes having to leave the dinner table at Christmas to assess the damage and analyze traffic patterns to determine which calls are potentially legitimate and which are not, so as not to have to completely disable a business, is insanity. Those who think that there is some conspiracy from some carrier cartel, I'd like to know who the conspirators are, so I can have some words with them myself.

Toll fraud doesn't work like this; at least in the United States of America, it doesn't work this way. The reality is, clients will always be responsible for what happens with their equipment, which brings me to an analogy. Imagine you're the owner of an apartment complex. Inside of your complex you try to provide security for your renters. Because of a rash of robberies, you implement a new locking system, to which a client threatens to leave if you DO NOT remove that lock immediately. You remove the lock as the "client is always right" and you don't want to burn any bridges. Months down the line, the renter's apartment is robbed and the renter is now accusing you of sending the robbers. Imagine that.

Outside of this little analogy and rambling, I guess the CPA doesn't realize that toll fraud is a huge business and growing at a rapid pace:

“In June, the U.S. government announced it had broken up a $55 million toll fraud ring that was operating internationally and targeting enterprise PBXs”
http://www.networkworld.com/news/tech/2009/092909-tech-update.html

“98% of hackers also hit businesses with Dial Through Fraud”
http://www.btintheloop.com/february_2010/98_of_hackers_also_hit_businesses_with_dial_through_fraud

"Worldwide industry experts surveyed now estimate annual global fraud losses to be in the range of $72 - $80 billion (USD) up 34% from the CFCA Survey results of 2005. These fraud losses represent approximately 4.5% of telecom revenues, which is a 0.6% decrease from the 2005 survey."
http://www.cfca.org/pdf/survey/2009%20Global%20Fraud%20Loss%20Survey-Press%20Release.pdf

Security in IT is never foolproof. Never has been and never will be for as long as the machine is networked. Add splashy features like "find-me-follow-me", which is the ability for remote connections, and there will be problems. These are problems the client is not likely to understand no matter how you explain it to them. At the end of the day, Elite Client came back around and told their vendor: "You have those locks!? Put them up. Put them up now!" The damage had been done.


So again I ask, who is to blame in this situation? The managed service provider for not laying the smack down: "You MUST HAVE these security implementations in place" rather than conforming to the wishes of an executive bully? The ITSP carrier for not swallowing the bill? The NSP who charged the ITSP for not swallowing the bill? At the end of the day, the fact is, a call is a call. As an ITSP we have to pay for the mishap; however, with the evidence of the bully executive from e-mail correspondence we would be in a good position to show that we performed our due diligence.

My biggest gripe in this “story” situation is the audacity of an accountant lobbing accusations that are not only insanely stupid, but downright annoying. I never once met a carrier who wanted to be compromised. I never once met an architect, engineer or admin who wanted to wake up at 3:00am for incident response and damage control. I never once met a company who liked spending money on litigation not to mention a ruined reputation.

Although the customer is always right, technically they can be proven wrong and instead of being the typical "yes sir" providers, sometimes providers need to act like doctors: "It's for your own good!" Had we given the client another refresher in his terms of service agreement, he may have been more reluctant to remove our security implementations. In a situation like this, where security is of the foremost concern, as a managed provider, we should have called his bluff, spoken to his management and perhaps made them sign yet another waiver. "We implemented security mechanisms to further prevent toll-fraud, by you removing these mechanisms, you agree that you will be responsible for any security mishaps associated with your managed PBX." May have worked, but it still would have had some clueless accountant coming back to state: "Conspiracy... You sought to allow random attackers from around the world accessibility in order for you to make money!" Hold your ground. At the end of the day, as an ITSP we have to swallow the costs because someone is charging us, solely because someone is charging them, ad nauseam.

Terms of Service mean little. Apparently clients don't like to read TOS, SLAs and so on. Prior to implementing systems, sales engineers should make a better effort to make companies aware of the risk. This alleviates the future headaches of: "You never told me!!!" Terms of Service agreements are lifelines which need to be spelled out in layman's terms. If it takes someone too long to understand a TOS, chances are, they never bothered to read it. In almost all businesses, at the end of the description of what a company will do, there is almost always some verbiage with the words AS-IS. While I do not necessarily agree with it, I do see the need for it. I believe from time to time, clients should be reminded of TOS agreements and perhaps prior to builds of VoIP based systems, managed service providers should implement security wording in these policies which are written in stone: "Any deviations from our current configuration and this contract is no longer binding."

From the common sense side, I've yet to meet any salesman who will come flat out and identify the risks associated with their products. For starters, they're salesmen not engineers and although they may be aware of an issue, they themselves may not fully understand it. Have you ever purchased an automobile and heard a salesman stop and say: “By the way, by purchasing this car, be advised that if you drove it in this particular fashion, you could be in an accident!” Ever hear a real estate agent tell you: “By purchasing this house, you're placing yourself in jeopardy since anyone can now target your house for a robbery!” Business doesn't work like this and to some degree, those looking at VoIP based systems need to assess risk on their own prior to diving right in.

I am not a lawyer (obviously) so these are some things I believe not only sales engineers, but architects need to take into consideration. "Does the client truly understand the risk?", "Is the client willing to accept this risk?" If these questions aren't answered, certainly there will be a problem in the event something happens: "You never told us..."

 

J. Oquendo