Blocking Fraud at the PBX with Callista

In archery we have something like the way of the Higher Man. When the archer misses the center of the target, he turns round and seeks the cause of failure in himself.

Confucius, Will Durant, The Story of Civilization

International Revenue Share Fraud (IRSF) is one of those fraud prevention problems where the arrow of blame always seems to point to someone else in the call delivery and revenue protection chain.

But everybody in that chain: the PBX maker, the retail operator, the wholesaler, the police, and the customer, shares some responsibility for a problem that has persisted for 15 years and has cost the telecom industry and its customers countless billions of dollars a year.

However, one company that’s delivering an effective and affordable fraud defense at the enterprise PBX point is The Callista Group, a tight band of PBX experts based in Auckland, New Zealand. Joining us to talk about that innovation and provide a detailed explanation of PBX protection issues is Roger Ansin, Callista’s chairman.

Roger, I’m curious how you first got involved building a product to block IRSF?

Well, Dan, we had been producing call account systems for 20 years or more. Then around ten years ago someone in our UK office said a customer needed help creating alerts to detect large fraudulent call volumes coming through PBXs.

So that was our first knowledge of IRSF. And we soon discovered this was a huge problem that was totally unmanaged. That caused us to develop some software to protect enterprises from the threat. So that’s the genesis of our Control Phreak product.

What’s the worst case you’ve seen of IRSF at the enterprise level?

Well, there was one customer doing thousands of calls a day, but they were losing GBP27,000 (USD40,000) per weekend. They just couldn’t stop the attacks. And they ended up taking down their voice mail system, the situation was so drastic. But at a big company, you can’t do that.

When they installed our Control Phreak, it all ended. We saw in the logs about 20 or 30 attempts to break in: they were all blocked, but we noted the fraudsters tried to break in again a few months later.

As is common in these cases, the damage was done over the weekend. The carrier sends alerts after a pre-determined threshold, but if nobody at the enterprise picks up their email, nothing is done. So when the manager came in Monday morning he found a stack of email alerts starting on Friday night. And, of course, the PBX owner has to pay the bill because a fraudster is making a chunk of money on the other end.

Does the type of PBX you have make a difference? Analog, digital, or SIP line?

To the phreaker, it really doesn’t matter what kind of PBX you have. The advantage they get with SIP lines is they can be used to pump out more premium rate calls per hour.

The phreakers are basically concerned with only two things: what type of phone system it is and how they can get the system to redirect calls. By the sound and response they get from the PBX, they can figure out what sort of PBX it is. And once they know the brand name of the PBX, they know the default password, maybe even the hidden factory-installed passwords in the system.

And, of course, VoIP has made it easier to hack into phone systems: the hacker targeting a U.S. business could just as easily be operating out of the Philippines, for instance.

Don’t the PBXs know when dozens of attempts are made to call into the phone system?

Surprisingly, most PBXs don’t have that sort of control in them. However, there’s one European PBX brand I know that allows three attempts to log in with a successful password, then it locks out the caller for some time.

But hackers have found ways around that. For instance, they would automate two phone calls to test passwords, then disconnect, then reconnect and try another two till they found the numbers.

Of course, it doesn’t matter how many days or nights it takes to break in because it’s an automated process running on someone’s PC. And a single PC can be running dozens of these processes at one time.

Can’t the business take some simple security steps like changing passwords?

Dan, changing the passwords is one of the most common pieces of advice you hear, but it’s actually not effective. Here’s why: the fraudster is not making the calls himself, he’s using a software program to break into your PBX. So all the fraudster does is run an automated brute force attack. If your password is 4 digits long, they just run through every possible combination till they break through.

In fact, a hacked PBX can be groomed to allow the passwords to be changed. So for all you know, your PBX may already be compromised: you just don’t know it. Then, one day it will be turned on and away it goes.

Now PBX engineers will tell customers, “We can fix that.” And what do they do? They get paid by the customer to come in and “secure” the phone system with some customizations. But a few weeks — or a few months later — it gets compromised again.

One customer of ours was hacked three times on the same PBX before they actually put in our product. In fact, 70% of our customers who run Control Phreak have been hacked before they buy it.

How do the hackers get paid for breaking into PBXs?

There’s quite an organization supporting this crime. Groups of phreakers sell the PBX numbers they’ve hacked into on the open market. Then the fraudsters lease a group of IRSF numbers and start pumping calls through those PBX lines.

Some hacker web sites even offer the free download of a call generator, so they are very efficient and clever.

Of course, premium rate numbers look like any other phone number. Consultant Colin Yates has a list of 72,000 phone numbers he’s identified as fraud numbers, but that’s a horrendous list to keep up to date.

How much IRSF fraud is coming through the PBX, do you figure? What about the smartphone as an IRSF launch pad?

So far at least, the IRSF threat via smartphones is much lower because there are active limits and controls on making calls. We figure the PBX is still the primary gateway to IRSF.

And the PBX is useful to the criminals because it helps cover their tracks. A few years ago, AT&T broke up a big crime syndicate based in Spain and Italy. The fraud cost AT&T and its customers quite a few million dollars. The criminals were eventually found by tracking back calls through hacked PBXs.

Likewise, I’ve seen a number of investigations where a chain of five PBXs was used to make calls. When you do that, it becomes hard to determine where the originating call came from.

There was a case in New Zealand where calls were coming in from a PBX in Italy through Auckland and then finally out through Algeria. As you can imagine, the police authorities are hampered because so much of the problem is out of their jurisdiction.

So how does your PBX fraud blocker work?

Our Control Phreak sits on a PC and monitors everything that goes on inside the PBX. So if you pick up the handset of your office phone, it knows that. When you start to dial, it detects that. When a call comes in, it knows that, too. So it’s tracking in real time everything that happens on the PBX.

Basically our system operates using three sets of rules:

  1. Incoming Call Rules allow you to block callers. For instance, if an ex-boyfriend is harassing one of your staff, you can block the numbers. The same goes for nuisance phone calls;
  2. Outgoing Call Rules control who calls whom and at what time. PBXs do have this ability, but in a limited way. In our product, it’s more flexible: you can set exactly the rules you want; and,
  3. Divergent Call Rules are where we block the calls used for fraud. Our system can distinguish calls that you legitimately want to pass through to an internal extension from those coming in from a fraudster.

Now the trick is to control the PBX without taking away the great convenience features that people expect from a modern phone system. Certain security solutions that the PBX manufacturers supply actually lock down phones, and that’s frustrating to customers because they can’t make phone calls out and use the features they paid for. But we’ve solved this issue so the PBX is both fully protected and its full complement of features is available. We have a video that explains how it works.

And what does it cost for an enterprise to be protected?

Dan, generally a company has one PBX per office. So the protection we sell is software for one PBX at a time and the cost is less than USD500. The solution is installed on a local PC that our specialists remotely load for the customer from here in New Zealand.

The PC at the company communicates with the PBX, but it doesn’t need to be a dedicated PC, just one that’s running all the time and is reliable.

Wow, USD500 for a lifetime of protection sounds very reasonable. So what’s the catch? Why isn’t Callista a famous software brand already?

Well, unfortunately, our solution doesn’t work for all PBXs. We need the cooperation of the PBX companies to actually build the interface. Now manufacturers such as Panasonic and Alcatel-Lucent do work with us and we are fully certified with Panasonic.

But other PBX makers aren’t as willing to publicly admit there’s an issue: they’re not eager to advertise that their PBXs can be hacked. And that’s unfortunate because when you buy a PC, it’s well known that you better have virus and malware protection.

Now most of our sales are to PBX manufacturers and individual enterprises. But sometimes we get orders from carriers who buy a solution for their customer. To make a customer problem go away, Control Phreak is useful.

Thanks, Roger, for this fine education on protecting the PBX. Nice to know there’s a class act in New Zealand to complement Hayley Westenra.
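The lockout evasion Roger describes (two password guesses per call, hang up, redial) defeats any counter that resets with each call, and a 4-digit code gives only 10,000 possibilities to work through. As an added example that is not Callista's code or anything from the interview, the detection logic below counts failed PIN entries per target mailbox across every call in a sliding window; the window, threshold, field names and sample records are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

class PinAttempt(NamedTuple):
    ts: datetime   # when the PIN was entered
    call_id: str   # the inbound call the attempt arrived on
    mailbox: str   # voicemail box / DISA account being logged into
    ok: bool       # did the PBX accept the PIN?

def detect_split_bruteforce(attempts, window=timedelta(hours=1), threshold=6):
    """Count failed PINs per mailbox in a sliding window across *all* calls: a
    per-call three-strike lockout resets on every redial, this counter does not.
    Returns (kind, mailbox, time, failures_in_window, distinct_calls) tuples."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)            # mailbox -> deque of (ts, call_id) failures
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent[a.mailbox]
        while q and a.ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if not q:
            flagged.discard(a.mailbox)         # quiet again, allow a fresh alert later
        calls = {c for _, c in q}
        if a.ok:
            if len(q) >= threshold:            # correct PIN after a guessing run: compromised box
                alerts.append(("success_after_bruteforce", a.mailbox, a.ts, len(q), len(calls)))
            q.clear()
            flagged.discard(a.mailbox)
        else:
            q.append((a.ts, a.call_id))
            calls.add(a.call_id)
            # failures spread over more than one call are the tell for lockout evasion
            if len(q) >= threshold and len(calls) > 1 and a.mailbox not in flagged:
                flagged.add(a.mailbox)
                alerts.append(("split_bruteforce", a.mailbox, a.ts, len(q), len(calls)))
    return alerts

def sample_attempts():
    """Constructed records, not real data: attacker redials mailbox 201 every 4 minutes,
    two guesses per call, and gets in on call 5; a staff member on 305 mistypes once."""
    t0 = datetime(2024, 3, 2, 1, 0)        # Saturday 01:00: alert e-mail stays unread
    rows = []
    for n in range(4):                      # 4 calls x 2 guesses = 8 failures in 12 min
        t = t0 + timedelta(minutes=4 * n)
        rows += [PinAttempt(t, f"call-{n}", "201", False),
                 PinAttempt(t + timedelta(seconds=20), f"call-{n}", "201", False)]
    rows.append(PinAttempt(t0 + timedelta(minutes=16), "call-4", "201", True))
    rows += [PinAttempt(t0 + timedelta(hours=8), "call-9", "305", False),
             PinAttempt(t0 + timedelta(hours=8, seconds=15), "call-9", "305", True)]
    return rows
```

On the sample, the first alert fires at the sixth failure (spread over three calls) and a second, higher-severity alert fires when the correct PIN finally lands, while the single mistyped PIN on mailbox 305 raises nothing.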

This interview was originally published by Black Swan. It has been reproduced with their permission.

Dan Baker
Dan is a founder of the Technology Research Institute (TRI), which has published studies about the telecom software market since 1994.

As a journalist, Dan wrote for B/OSS magazine and recorded webinars with VanillaPlus before launching his own publication, Black Swan Telecom Journal.