International toll fraud continues to be a huge source of risk and uncompensated costs to Communication Service Providers (CSPs) and enterprises in 2023.
It is reported that in 2021, International Revenue Share Fraud (IRSF) and other toll fraud cost the communications industry $6.69 Billion. (Well, it cost a part of the industry that much, other parts of the industry profit from ongoing IRSF, but that is a post for another day).
Fraudsters are clever, and have a seemingly endless bag of tricks for engaging in fraud. Many are based on stealing SIP credentials – and there are many ways to do that.
One thing criminals have been doing recently is buying used VoIP phones (for example, from eBay) and then simply using the phone’s management screen to read off the SIP username and password, proxy IP, authentication realm, etc. Unless the CSP / Enterprise has been scrupulously removing ex-users from its systems (which, in my experience, is rare), the bad guys get to make international calls right then and there. Even if this particular phone has been removed from the system, the stored settings tell a hacker about the formats and policies of the VoIP service – what usernames and passwords look like, how they are structured, how long they are, etc. Hackers can then greatly reduce the search space they need to scan to find other vulnerable accounts.
Insecure home routers/gateways are another source of stolen credentials – a hacked router is used to monitor traffic to the VoIP provider, and the (usually) weak password can be cracked offline in a relatively short time.
So what can CSPs do? It is crucial to stay abreast of best practices here.
- Use long and complex usernames AND passwords. Never use credentials that contain, or are based on, the phone number or short extension numbers. An 8 character password can be cracked by a modern GPU (at 100 trillion hashes per second) in minutes. A 16 character password drawn from the full printable character set will take billions of years. There is no reason for these passwords to be human-memorable – copy and paste them, don’t store any master list, and re-generate them if you need to. Use some terrifically complex string as the username, such as a UUID.
- Do not allow international calling at all. 99% of people don’t need to do it. The 1% that do can call from their cell phones. Or, as is more often the case these days because of international costs, set up a Zoom or Google Meet. Or, only allow international calling to low-cost destinations such as the UK, Germany, Japan. Never allow high cost calls to the Caribbean, or South Dakota.
- Use ACLs to whitelist the IPs that should be allowed to connect to the service. If you provide service only to your own ISP customer base, restrict VoIP to those IPs only.
- Proactively block IP addresses that are outside your country. There are lists of IPs you can get to explicitly and permanently block China, Russia, etc. There is almost never a reason for most CSPs to allow SIP connections from anywhere except their home country.
- Utilize some kind of two-factor authentication to allow calls to high-cost destinations. The good old 6-digit code texted to your cell phone, or entered at the start of an international call, will greatly increase the complexity of a hacker’s credentials search space.
- Be methodical about permanently destroying credentials of ex-customers or ex-employees. Never re-use credentials. If you resell old equipment, ensure the equipment is wiped.
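To put numbers on the credential advice above, here is an added Python example (written for this page, not the author’s own tooling). It works out how long exhaustive search takes at the post’s 100 trillion guesses per second for a password that is just the 10-digit phone number, for an 8-character printable password and for a 16-character one; flags passwords that embed the phone number or extension; and generates a UUID username with a CSPRNG password. The guess rate and the 94-character printable alphabet (ASCII letters, digits and punctuation, no space) are assumptions; the phone number used is a constructed example.

```python
import secrets
import string
import uuid

# Assumed figures: the post's 100 trillion guesses/second, and the 94 printable
# ASCII characters (letters, digits, punctuation) a generated password draws from.
GUESSES_PER_SECOND = 1e14
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_to_exhaust(alphabet_size: int, length: int) -> float:
    """Worst-case time to try every password of this alphabet and length."""
    return alphabet_size ** length / GUESSES_PER_SECOND


def years_to_exhaust(alphabet_size: int, length: int) -> float:
    return seconds_to_exhaust(alphabet_size, length) / SECONDS_PER_YEAR


def is_number_based(password: str, phone_number: str, extension: str) -> bool:
    """True if the password embeds the full number, its last 7 or 4 digits, or the extension."""
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    candidates = {digits, digits[-7:], digits[-4:], extension}
    return any(c and c in password for c in candidates)


def generate_sip_credentials(length: int = 16) -> tuple[str, str]:
    """UUID username plus a password from the OS CSPRNG over the full printable alphabet."""
    username = str(uuid.uuid4())
    password = "".join(secrets.choice(PRINTABLE) for _ in range(length))
    return username, password


if __name__ == "__main__":
    # Constructed example: a 10-digit password derived from the phone number.
    print(f"10-digit number as password: {seconds_to_exhaust(10, 10):.4f} s")
    print(f"8-char printable password:   {seconds_to_exhaust(len(PRINTABLE), 8):.0f} s")
    print(f"16-char printable password:  {years_to_exhaust(len(PRINTABLE), 16):.2e} years")
    print(is_number_based("Pa55-4155550100!", "+1 415 555 0100", "0100"))
    print(generate_sip_credentials())
```

The 8-character case comes out at roughly a minute and the 16-character case at over ten billion years, which is the gap the bullet is describing; a password built from the phone number falls in a fraction of a second, which is why the extension or DID must never appear in it.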
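The destination, ACL and second-factor bullets above combine into a single deny-by-default call policy. The following Python is an added example of that policy (not the author’s code and not tied to any particular SIP server): a source-IP allowlist of the CSP’s own customer ranges, a longest-prefix table that classes dialed numbers as domestic, low-cost international, high-cost or unknown, and a rule that low-cost international calls need both the account flag and a verified one-time code. The IP ranges are documentation addresses, the prefix table is constructed from the post’s own examples (UK, Germany, Japan; Caribbean and South Dakota), and the assumption that the home country is in the NANP (10-digit national dialing) is mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist: the CSP's own customer ranges (documentation prefixes).
ALLOWED_SOURCE_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed prefix table over E.164 digits without the leading '+'.
# 44/49/81 are the post's low-cost examples; 1268 (Antigua), 1876 (Jamaica)
# and 1605 (South Dakota) stand in for the Caribbean and traffic-pumping
# destinations it says to block outright. Longest prefix wins, so 1605 beats 1.
DESTINATION_CLASSES = {
    "1": "domestic",
    "44": "low_cost_intl",
    "49": "low_cost_intl",
    "81": "low_cost_intl",
    "1268": "high_cost",
    "1876": "high_cost",
    "1605": "high_cost",
}


@dataclass
class Account:
    username: str
    international_enabled: bool = False  # off for the 99% who never need it


@dataclass
class CallAttempt:
    src_ip: str
    dialed: str
    otp_verified: bool = False  # 6-digit code presented for this call


def source_allowed(src_ip: str) -> bool:
    """ACL check: only addresses inside the CSP's own ranges may place calls."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def normalize_dialed(dialed: str) -> str:
    """Reduce a dial string to E.164 digits: strips '+', '00' and US '011' prefixes."""
    digits = re.sub(r"\D", "", dialed)
    if dialed.strip().startswith("+"):
        return digits
    for intl_prefix in ("011", "00"):
        if digits.startswith(intl_prefix):
            return digits[len(intl_prefix):]
    if len(digits) == 10:  # assumed NANP home country: 10-digit national dialing
        return "1" + digits
    return digits


def classify_destination(dialed: str) -> str:
    number = normalize_dialed(dialed)
    for prefix in sorted(DESTINATION_CLASSES, key=len, reverse=True):
        if number.startswith(prefix):
            return DESTINATION_CLASSES[prefix]
    return "unknown"


def authorize_call(call: CallAttempt, account: Account) -> tuple[bool, str]:
    """Deny-by-default policy. Returns (allowed, reason) for logging."""
    if not source_allowed(call.src_ip):
        return False, "source IP outside customer allowlist"
    dest = classify_destination(call.dialed)
    if dest == "domestic":
        return True, "domestic call"
    if dest == "high_cost":
        return False, "high-cost destination is never allowed"
    if dest == "low_cost_intl":
        if not account.international_enabled:
            return False, "international calling not enabled for account"
        if not call.otp_verified:
            return False, "second factor required for international call"
        return True, "low-cost international call with second factor"
    return False, "unrecognized destination denied by default"


if __name__ == "__main__":
    acct = Account("sip-user", international_enabled=True)
    for attempt in (
        CallAttempt("203.0.113.10", "+1 415 555 0100"),
        CallAttempt("192.0.2.7", "+1 415 555 0100"),
        CallAttempt("203.0.113.10", "605-555-0100", otp_verified=True),
        CallAttempt("203.0.113.10", "011 44 20 7123 4567"),
        CallAttempt("203.0.113.10", "011 44 20 7123 4567", otp_verified=True),
    ):
        print(attempt.src_ip, attempt.dialed, authorize_call(attempt, acct))
```

The reason strings are there to be logged: a burst of "source IP outside customer allowlist" or "high-cost destination is never allowed" denials against one account is exactly the signal that its credentials have leaked, and it shows up before the first fraudulent call completes rather than on next month’s carrier bill.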
Yes, this is work. Yes, this is maintenance. Yes, this will cause you some periodic issues with end-users you will have to address.
It’s that, or a $100,000 and up toll fraud bill that AT&T etc. will insist you pay even though they know it’s fraud.