Tips on How to Avoid International VoIP Fraud

Posted by Jason Tapolci on April 8, 2013 at 10:17 AM

With the rise in VoIP usage comes a rise in security breaches and risks. While the only secure server is one disconnected and buried 10 feet in the ground, there are several steps you can take to mitigate the damage and frequency of these security breaches. Tim Linn, the VoIP Innovations Lead Systems Engineer, has written this article to serve as a guide for our customers on how to manage their security initiatives and avoid international fraud. This article can also be found on our Wiki, where we offer articles that serve as a guide to using our services.

Tips on How to Avoid International VoIP Fraud

First, we need to go over where most of your “break-ins” occur, and how you can make sure that you’re doing everything you can to prevent them. This isn’t going to explain how to specifically configure your system and firewall to become immune to security threats. It is just meant to get you looking at these aspects and making sure you’re doing everything you can to secure your server.

User Extensions/Resources

One of the more common ways of breaking into a switch is the simplest. The ‘hacker’ somehow gets the username and password of a user/extension on your switch, and begins sending traffic.

The most prevalent root cause is insecure passwords. The great thing about SIP user passwords is that you should really only need to type them in once (during the customer setup), so using a password that you can remember is typically not the best thing to do, especially if the password is the same as, or similar to, the extension or username.

What we recommend is to use an online random password generator (or let your pet or children walk on the keyboard). This decreases the chance of the password being “guessed” by both a brute force attack and a possible social engineering attack. The Bitmill is an example of a good random password generator. You may need to take out or escape certain characters, depending on what your system allows.

Another way of getting around this issue is to do IP based authentication. It’s much harder to correctly “spoof” an IP address to get service than it is to “guess” a username/password combination.

Reviewing registration logs also helps a lot here. If you see a sizeable number of failed registration attempts coming from a certain IP address, it’s best to block that IP address until you’ve spoken to the customer and confirmed whether or not those attempts were theirs. Here’s an example of something that should throw a red flag in Asterisk:

[Apr 4 08:04:16] NOTICE[16717] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16651] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16706] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16753] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16735] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16675] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16698] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16722] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16722] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16673] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16673] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16696] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16696] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16737] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16737] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16785] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16708] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16708] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16708] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16708] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16775] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16770] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16770] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16770] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16735] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16727] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16772] chan_iax2.c: No registration for peer 'username' (from ip address)
[Apr 4 08:04:17] NOTICE[16727] chan_iax2.c: No registration for peer 'username' (from ip address)
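
Here is added example code (not from the original article or from VoIP Innovations) that turns that log review into a check you can run: it parses lines in the format above, counts failed registrations per source address inside a sliding time window, and reports any address that crosses a threshold. The log lines it runs on are constructed, and it assumes the real source address appears where the sample above shows the placeholder “ip address”.

```python
import re
from datetime import datetime
from collections import defaultdict

# Matches the chan_iax2 NOTICE shown above. Assumption: the real source
# address appears where the post's sample shows the placeholder "ip address".
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_iax2\.c: "
    r"No registration for peer '(?P<peer>[^']+)' \(from (?P<ip>[\d.]+)\)"
)

# Constructed sample: 12 hits in one second from a single address cycling
# through extension-style names, then two stray failures from another address.
SAMPLE_LOG = [
    f"[Apr 4 08:04:17] NOTICE[167{i:02d}] chan_iax2.c: "
    f"No registration for peer '{100 + i % 4}' (from 203.0.113.5)"
    for i in range(12)
] + [
    "[Apr 4 08:10:02] NOTICE[16651] chan_iax2.c: No registration for peer 'shop-fax' (from 198.51.100.7)",
    "[Apr 4 09:31:45] NOTICE[16652] chan_iax2.c: No registration for peer 'shop-fax' (from 198.51.100.7)",
    "[Apr 4 09:31:46] WARNING[16653] chan_sip.c: Unrelated line that must be ignored",
]

def parse_line(line, year=2013):
    """Return (timestamp, peer, ip) for a failed-registration line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["peer"], m["ip"]

def suspicious_sources(lines, window_seconds=60, threshold=10):
    """Map each source IP that produced at least `threshold` failures inside
    any `window_seconds` window to (total failures, peer names it tried)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, peer, ip = parsed
            events[ip].append((ts, peer))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), sorted({p for _, p in evs}))
                break
    return flagged
```

Run it over the constructed sample and only 203.0.113.5 comes back; the customer at 198.51.100.7 with two failures hours apart stays below the threshold, which is the kind of case you confirm with a phone call rather than a block.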
Administrative Interfaces and Shell Access

Administrative interfaces (such as Webmin or the FreePBX/Trixbox GUIs), as well as direct shell access (SSH or telnet), are another large security hole that needs to be tended to.

The easiest way of handling security for these is to block any and all outside traffic from getting to them (or disable them completely if they’re not used). Whether that’s through interface binding or firewall/ACL is up to you.

This does cause issues whenever you are attempting to manage or fix things from the road or from home, but that can be solved by setting up a VPN (Virtual Private Network) to your internal network. At the very least, you should block everything and put the specific IP addresses that you frequently manage your system from into an “allow list.”

Regardless, even if you are blocking these interfaces, you should also have a secure username/password for everything. These should include the standard mix of uppercase, lowercase, numbers, and symbols. Since you may need to type these in multiple times, they will most likely have to be something that you can recall. Keeping a note on your phone, or a text message with the password (preferably with no label), is more secure than “password123”.

In addition to all of these tips we are offering you, remember that only people who need to have access should have access.

Business Fraud

One of the overlooked issues in VoIP comes from actual business fraud. These are companies or people that sign up for service, use it, and then file chargebacks or never pay.

Even if you have the most secure system in the world, you can still be a victim of someone “skipping out on the check.” The best you can do is observe good business practices. Offer prepaid services, or do credit checks for customers asking for terms.

There are also websites out there where companies list customers with outstanding debt that they’re refusing to pay, such as VoIP Fraud List. These are typically one-sided accusations, so take them with a grain of salt.

Your customers

A chain is only as strong as its weakest link. Chances are, if you’re actively securing your network, that link is your customer. All of the security in the world won’t help when your customer’s extension 100 (password: 100) gets hacked and makes 50 calls to some satellite phone in the Pacific at $5/minute.

So what do you do? The biggest thing is to KNOW WHAT’S NORMAL.

Does your customer normally call to international destinations? If not, give them routing that prevents them from doing so. If the customer doesn’t need to call international destinations, giving them the ability to is high risk with no return.

If the customer does call international destinations, try to only give them the destinations that they need. For example, if they do business in the UK and US, they probably don’t need routes to Thailand.

Once you’ve figured out what’s normal, you’ll need to know what’s going on. Find a way to monitor your traffic at all times. Something that emails you about traffic abnormalities, or even something as simple as a list of your customers and the number of minutes they’ve used today, will go far in catching security breaches and mitigating their impact on both you and your customer.
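
Added example code, not part of the original article, that puts the two ideas above together: an allow-list check for the destinations a customer normally calls, and a daily report that flags calls outside that list plus minutes far above the customer’s baseline. The profiles and CDR rows are constructed; the prefixes and baselines are assumptions standing in for what your own provisioning and call history would supply.

```python
# Constructed customer profiles (assumption): the E.164 country-code prefixes
# each customer normally calls and their typical daily minutes. Real profiles
# come from the routes you actually provisioned and the customer's history.
PROFILES = {
    "acme-uk": {"prefixes": ("1", "44"), "daily_minutes": 300},
    "dentist": {"prefixes": ("1",), "daily_minutes": 60},
}

# Constructed CDR rows for one day: (customer, dialed E.164 number, seconds).
# Country codes: 1 = US/Canada, 44 = UK, 66 = Thailand, 870 = Inmarsat satellite.
CDRS = [
    ("acme-uk", "442071234567", 600),
    ("acme-uk", "14125550123", 900),
    ("acme-uk", "66812345678", 120),
    ("dentist", "14125550199", 180),
] + [("dentist", "870776123456", 300) for _ in range(50)]

def allowed_destination(profile, dialed):
    """Routing allow-list check: does the number start with a normal prefix?"""
    return dialed.startswith(tuple(profile["prefixes"]))

def daily_report(cdrs, profiles, factor=3):
    """Per customer: minutes used today, calls to destinations outside the
    profile, and whether usage exceeds `factor` times the daily baseline."""
    report = {}
    for customer, dialed, seconds in cdrs:
        entry = report.setdefault(
            customer, {"minutes": 0.0, "unexpected": [], "over_baseline": False})
        entry["minutes"] += seconds / 60
        profile = profiles.get(customer)
        # No profile means no "normal" yet, so every call is worth a look.
        if profile is None or not allowed_destination(profile, dialed):
            entry["unexpected"].append(dialed)
    for customer, entry in report.items():
        profile = profiles.get(customer)
        if profile and entry["minutes"] > factor * profile["daily_minutes"]:
            entry["over_baseline"] = True
    return report

def alerts(report):
    """Customers worth a phone call today, one line per reason."""
    out = []
    for customer, e in sorted(report.items()):
        if e["unexpected"]:
            out.append(f"{customer}: {len(e['unexpected'])} call(s) outside normal destinations")
        if e["over_baseline"]:
            out.append(f"{customer}: {e['minutes']:.0f} minutes today, over baseline")
    return out
```

On the constructed day, the UK customer’s single Thailand call shows up as a destination to ask about, while the dentist’s fifty satellite calls trip both the destination check and the minutes baseline, which is exactly the scenario the extension-100 story describes.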

Summary

Security is always in a struggle with convenience. Many changes that make systems more secure also make them less convenient. You’ll need to find a happy medium between secure and convenient, but always keep in mind what that convenience could cost.

As we stated in the opening, even if you take all of these precautions, your server is still susceptible to attacks. We hope this article will help give you direction to prevent a great deal of attempts, and mitigate loss if your security does fail for some reason.

There are some pentesting (short for “penetration testing”) programs and program suites out there that allow you to test your own network and servers (including SIP-specific ones). These could help you find exactly where you’re most vulnerable and help you direct your energy when attempting to secure your network. Using these programs on servers that are not yours is discourteous and can even be construed as a break-in attempt. In the worst case scenario, it could also attract legal trouble.

Once your security is set, knowing what’s going on in your network is the next big part of the battle. At the very least, daily reporting on usage spread (it doesn’t have to be too granular) can give you an idea of what is going on and will save you a lot of headaches in the future.

If you’re looking for more information on how a successful VoIP company should run, please download our white paper on How to Become an ITSP!
