Toll Fraud Exploits

A company telephony system can be subject to toll fraud by its own employees or by outsiders who look for vulnerabilities in the system. The first group, employees, simply ignores policy, hoping that their activity will not be detected because it is difficult to tell business calls from private calls based on the dialed number alone. The second group, external callers, is more technically oriented. They look for vulnerabilities in network devices, including IP telephony systems. Sometimes they do not even look for voice systems specifically; they simply exploit whatever system they manage to gain control of.

The main difference between these two groups is the way in which you can mitigate the "attack." In the case of external attackers, the key is to prevent unauthorized access to the system and its devices. For authorized users of the system, the administrator has to very carefully limit the technical abilities and features of the system without compromising the flexibility and efficiency of its users.

There are also some features in a telephony system that can be misused. These include call forward and call transfer settings and voice-mail transfer options. If the features that are commonly used for toll fraud are well protected, users might try to exploit the system using other features. As an example, if a user is not allowed to transfer an external call to another external destination, the user could try to set up a conference call for these two parties and then leave the conference.
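
The conference workaround above is hard to block outright, because conferencing is a legitimate feature; what an administrator can do is look for it in the call records. The following is an added example, not code from the book or from any Cisco product: it runs two detection rules over a constructed, simplified set of call-detail records (the `CallRecord` layout, the four-digit-extension convention and the `CONF-*` bridge identifiers are assumptions, not a real CUCM CDR format). The first rule flags calls that an extension's call forward redirected to an external number; the second flags conferences in which the internal host dropped out while two or more external parties stayed connected.

```python
from dataclasses import dataclass

# Constructed, simplified call-detail records; not a real CUCM CDR layout.
@dataclass
class CallRecord:
    call_id: str
    calling: str            # for conference legs: the participant; `called` is the bridge
    called: str
    start: int              # seconds since midnight
    end: int
    forwarded_by: str = ""  # extension whose call forward redirected this call, if any
    conference_id: str = "" # shared by every leg of one ad-hoc conference, if any

def is_internal(number: str) -> bool:
    # Assumption: internal extensions are exactly four digits; anything else is external.
    return len(number) == 4 and number.isdigit()

def forwarded_to_external(records):
    """Calls that an internal extension's call forward redirected to an external number."""
    return [r.call_id for r in records
            if r.forwarded_by and is_internal(r.forwarded_by) and not is_internal(r.called)]

def conference_bridges(records):
    """Conferences where the host dropped out while two or more external parties stayed."""
    by_conf = {}
    for r in records:
        if r.conference_id:
            by_conf.setdefault(r.conference_id, []).append(r)
    flagged = []
    for conf_id, legs in by_conf.items():
        internal = [leg for leg in legs if is_internal(leg.calling)]
        external = [leg for leg in legs if not is_internal(leg.calling)]
        if not internal or len(external) < 2:
            continue
        host_left = max(leg.end for leg in internal)   # when the last internal party hung up
        if sum(leg.end > host_left for leg in external) >= 2:
            flagged.append(conf_id)
    return flagged

SAMPLE = [  # constructed sample data
    CallRecord("c1", "2001", "915551234567", 32400, 32900),   # ordinary outbound call
    CallRecord("c2", "15559876543", "917205550100", 33000, 33600, forwarded_by="2002"),
    # Legitimate conference: host 2003 stays until everyone has left.
    CallRecord("c3a", "2003", "CONF-7", 34000, 35000, conference_id="CONF-7"),
    CallRecord("c3b", "915551112222", "CONF-7", 34010, 35000, conference_id="CONF-7"),
    CallRecord("c3c", "915553334444", "CONF-7", 34020, 34990, conference_id="CONF-7"),
    # Host 2004 joins two external parties, then drops out and leaves them bridged.
    CallRecord("c4a", "2004", "CONF-8", 36000, 36120, conference_id="CONF-8"),
    CallRecord("c4b", "915556667777", "CONF-8", 36010, 38500, conference_id="CONF-8"),
    CallRecord("c4c", "0114412345678", "CONF-8", 36020, 38500, conference_id="CONF-8"),
]
```

Running `forwarded_to_external(SAMPLE)` reports `c2` and `conference_bridges(SAMPLE)` reports `CONF-8`; the legitimate conference `CONF-7` is not flagged because its host stayed on the call.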

Usually, an administrator has to accept the fact that toll fraud cannot be eliminated completely. The only way to eliminate it entirely would be to block all external calls and disable every feature that allows employees to place calls outside the company. This might be feasible for single-function telephones, such as public telephones located in a lobby, but it is not desirable for telephones used by ordinary employees. Therefore, in practice only those calls that can be clearly identified as nonbusiness calls are blocked. However, in many cases you cannot judge in advance whether the call being placed is business-related or private.

Figure 22-1 shows different types of toll fraud.

Figure 22-1. Forms of Toll Fraud

The following list explains these types of toll fraud:

Preventing Call Forward and Voice Mail Toll Fraud Using Calling Search Spaces
