The potential for fraud to occur in voice telecommunications equipment is a serious threat. PBX's (Private Branch Exchange) are telephone switches used within state agencies to allow employees to make out-going and receive in- coming phone calls. These PBX's can also provide connections for communications between personal computers and local and wide area networks. Security measures must be taken to avoid the possibility of theft of either phone service or information through the telephone systems.
The following information is provided as a guideline to advise of and prevent fraud situations that could occur when a PBX is left open or unprotected from potential fraud operations.
The Dial-up Maintenance Port is a system through which regular/emergency maintenance or system repair can be done on a PBX. This activity is usually performed via a dial-up modem on a communications port.
GUIDELINES. The following steps should be taken to protect the dial-up modem maintenance port from unauthorized access.
1. Change the default or manufacturing password which comes with the system to one known only by maintenance personnel.
2. When possible use alpha-numeric passwords of at least eight characters.
3. Change the password periodically, especially after a loss or change in personnel.
4. Shut off the modem maintenance port when not required or use dial-back modems.
5. Monitor standard maintenance port activity reports for any abnormal usage.
6. Require the use of system maintenance records and monitor the correspondence between port activity and such records.
Direct Inward System Access (DISA) is the ability to call into a PBX, either on an 800 number or a local dial-in, and by using an authorization code, gain access to the long distance lines and place long distance calls through the PBX.
GUIDELINES. If Direct Inward System Access is allowed through a state owned PBX, the following steps should be taken to avoid unauthorized usage:
1. When possible use alpha-numeric authorization codes of at least eight characters.
2. Never use easy or obvious codes, such as sequential numbers, birthdays, names of family members, etc.
3. Use combination codes which consist of a concatenation of a fixed system portion, a unique organization identifier and a portion unique to each authorized employee. Periodically change the fixed system portion of all authorization codes.
4. Always cancel codes for employees that have transferred or terminated employment.
5. Eliminate default codes and test codes.
6. Monitor standard system reports of switch activity such as CDRs (Call Detail Reports)
a. for invalid attempts on codes,
b. for attempted use of deleted codes, and
c. for codes of abnormally high usage.
7. Route Call Detail Reports to all organization supervisors (identified by organization identifier in authorization code) for verification.
Calling can be restricted at the long distance carrier level as well as at the PBX. This can limit exposure should unauthorized access to the long distance network be gained through a state owned PBX.
1. any location out of state,
2. specific area codes, such as 212, 718, 516, New York, or
3. all Canadian area codes
1. Block international calling from the PBX to sites where employees have no need to make international calls.
2. Block all 900 and 976 numbers. These numbers always have a charge associated with them.
3. Block 950-XXXX carrier codes when possible. These numbers provide calling card access to other carriers.
4. Block 10XXX carrier calls. This will disallow calls going to carriers other than to the one of choice.
5. Block all 0-Plus calls to operators. This prevents operator assisted long distance calls.
Voice mail may be used to receive and retrieve messages when employees are unable to answer their telephone. This communications device is usually connected to the PBX through call routing via extensions and the potential for unauthorized message receiving or fraudulent calling can occur.
GUIDELINES. The following steps should be taken to minimize fraudulent use of voice mail.
1. Never allow external incoming calls to be transferred to outside lines.
2. Never use easy or obvious passwords and change them often.
3. Unassigned mail boxes should be deleted.
Communicate with your PBX vendor and long distance carrier providers about options that are available for security and prevention of unauthorized use of voice mail.