Let’s imagine you provide phone service to local residents and local businesses.
Let’s imagine that you provide some kind of web-portal where a subscriber can log in and update the settings on their lines.
I’m guessing most of you are nodding along – this isn’t hard to imagine, because it’s reality. But let’s see how this thought experiment can turn dark.
Imagine that one of your subscribers set an easy password on their account. Or perhaps one of your CSRs set an easy password – perhaps just on a test line for training?
Let’s imagine this happened – and now the subscriber with phone number 2015551234 has a password of “1234”. And let’s imagine that a hacker was able to figure this out through a brute force attack (in other words, by guessing the password a lot of times until he/she finally gets it right).
I’m going to call our hacker Rose, in an effort to un-perpetuate the stereotype of the 300lb guy in his Mom’s basement.
What might our hacker do next?
I’ve heard about a few of these scenarios over the years, and this is what usually happens.
- Rose may stop the brute-force attempts for a few weeks, to lull you into a false sense of security.
- She will wait for an inconvenient time. Something like 1am on Sunday morning – a time when no-one is watching any statistics and your reaction will be slow. A holiday weekend is even better.
- Rose will log in (successfully) to the web-portal and set up unconditional (immediate) call forwarding to Trinidad.
- And of course, Rose won’t just choose any number in Trinidad, she’ll choose a premium rate number, where the called party gets paid for receiving calls.
- Now Rose can place a call from a US-based line to your 2015551234 number (at low/zero cost) and that call will be forwarded to the premium rate line in Trinidad.
- Now of course Rose will leave that call up for hours and hours, which is bad enough, but she’s not done yet.
- Why stop at one? Rose places another call to your same number – at the same time – and there’s a good chance that this call is also forwarded to Trinidad.
- She repeats again and again.
- Does your switch limit the number of simultaneous calls a line will forward? If not, you can bet that she’s going to set up A LOT of simultaneous long-duration calls through your switch.
Why Trinidad? Because Trinidad (along with many Caribbean countries) is part of the North American Numbering Plan – i.e. the country code is +1. So a call to Trinidad may not even show up as international. (I picked Trinidad at random from the so-called “World Zone 1” countries.)
How long would it take you to notice the problem?
If it starts at 1am on Sunday morning, would you find out before breakfast? Or might it be Monday?
Or would you only find out when your subscriber submits a trouble ticket to say they’re not receiving calls?
Who is going to pay for all these premium international minutes?
Certainly not Rose. Maybe your subscriber (do you think they’ll be happy about that?), or maybe your LD carrier (yeah, right…), or most likely… you.
Don’t let this happen!
The good news: this is not inevitable. You can stop it happening through a combination of techniques. At a high level you want to:
- Lock down the security holes (i.e. no weak passwords).
- Limit the impact (limit international calling, limit simultaneous calls, limit call duration).
- Implement fraud monitoring solutions that identify and block suspicious traffic patterns.
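As an added example (not code from the post or from any switch vendor), here is a small Python sketch of the third bullet: scanning forwarded-call records for the pattern described above, many simultaneous forwards from one line to a +1 number outside the US and Canada. The record format, the sample data, the area-code list (only partially filled in) and the threshold are all assumptions to be replaced with your own CDR feed and policy.

```python
from dataclasses import dataclass
from datetime import datetime

# Partial list of NANP area codes outside the US/Canada, so a "+1" call to them
# is really international. 868 is Trinidad and Tobago; extend from an
# authoritative NANP list in production (assumption: this set is incomplete).
OFFSHORE_NANP_AREA_CODES = {"868", "876", "809"}

@dataclass
class ForwardedCall:
    """One forwarded-call record (constructed sample schema, not a real CDR format)."""
    line: str        # subscriber line whose call forwarding was used
    dest: str        # forwarded-to number, digits only, starting with country code
    start: datetime
    end: datetime

def is_offshore_nanp(dest: str) -> bool:
    """True if dest is a +1 number whose area code is outside the US/Canada."""
    return dest.startswith("1") and dest[1:4] in OFFSHORE_NANP_AREA_CODES

def max_concurrent(calls) -> int:
    """Peak number of overlapping calls, via a sweep over start/end events.
    Ends sort before starts at equal timestamps, so touching calls don't overlap."""
    events = sorted([(c.start, 1) for c in calls] + [(c.end, -1) for c in calls])
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def flag_forwarding_fraud(records, max_simultaneous: int = 2) -> dict:
    """Return {line: [reasons]} for lines whose forwarded calls look like toll fraud:
    offshore NANP destinations, or more concurrent forwards than the policy allows."""
    by_line: dict = {}
    for r in records:
        by_line.setdefault(r.line, []).append(r)
    alerts = {}
    for line, calls in by_line.items():
        reasons = []
        offshore = {c.dest for c in calls if is_offshore_nanp(c.dest)}
        if offshore:
            reasons.append(f"forwarded to offshore NANP number(s): {sorted(offshore)}")
        peak = max_concurrent(calls)
        if peak > max_simultaneous:
            reasons.append(f"{peak} simultaneous forwarded calls (limit {max_simultaneous})")
        if reasons:
            alerts[line] = reasons
    return alerts

# Constructed sample: three long forwards from the compromised line to an 868 number
# starting just after 1am, plus one ordinary short forward to a US number.
T = lambda h, m: datetime(2024, 1, 7, h, m)
SAMPLE_RECORDS = [
    ForwardedCall("2015551234", "18685550100", T(1, 2), T(5, 30)),
    ForwardedCall("2015551234", "18685550100", T(1, 4), T(5, 30)),
    ForwardedCall("2015551234", "18685550100", T(1, 6), T(5, 30)),
    ForwardedCall("2015559876", "12125550199", T(9, 0), T(9, 10)),
]
```

Running `flag_forwarding_fraud(SAMPLE_RECORDS)` flags 2015551234 on both counts and leaves the ordinary line alone; in practice you would feed the same check live records and tie it to an automatic forwarding block or an on-call page.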
For Metaswitch users, you can get started by visiting the Security Centre (yes, they’re British, so they spell it that way) on the Metaswitch Communities website where there’s a lot of helpful documentation.
Alternatively, if you have better ways to spend your time, we offer a service where we can implement twenty of these best practices for you, so you can sleep at night knowing your switch is secure. Contact us if that sounds interesting.