VoIP Security: What the New York Times got wrong

Posted on October 24, 2014 by

This week one of our customers called in to cancel his account because he’d just read the New York Times article, “Phone Hackers Dial and Redial to Steal Billions,” outlining several instances of unsuspecting businesses getting hit with very large phone bills as a result of toll-fraud. Having read the article, I can hardly blame him for being concerned and reaching out. The magnitude of potential loss could be catastrophic for small (or even large) businesses. But the article completely missed the primary issue: Large, traditional telecommunications carriers are not the solution, but are a huge part of the problem.

Educating the business community about the financial risk associated with unsecured phone systems is helpful. Filling the article with sensational anecdotes and offering little guidance regarding protective strategies is not helpful. Because modern phone systems run on blended data networks, it isn’t reasonable for businesses to put responsibility for their security solely on their carrier. With the right planning, and the right partners, businesses do prevent these types of attacks every day.

VoIP is the future of business communications:

Frost and Sullivan predicts that the North American VoIP and SIP trunking services market will grow almost 25% year over year to reach $9.35 billion in revenue by 2019. IP telephony is a modern-day business necessity. Technologies like Unified Communications and WebRTC are powerful tools changing the face of enterprise communications and improving enterprise performance.

But what about the ‘hackers’?

Toll-fraud schemes such as those highlighted in the NYT article pose a real threat. But it only becomes a realistic threat because some users assume their carrier is responsible for monitoring their account. Which is kind of like believing Ford is on the hook when you leave your keys in your unlocked car overnight. Or that they’ll buy you a new Explorer when yours is taken. Imagine the price of Explorers if that was the case. Now imagine the cost of AT&T phone service if they didn’t go and replace every stolen car…

Writing off the cost of these crimes does nothing to thwart this large threat, and carriers doing so has not in any way reduced your risk of this happening again. In fact, it makes the crime more enticing. We all need to work to make toll fraud much harder to perpetrate, and less rewarding.

We’ve written extensively about VoIP security and VoIP fraud. We will continue to talk about it frequently because businesses need to know how to be vigilant. There are a number of steps your business can take to secure your phone system – starting with the provider you choose.

VoIP security at the provider level:

Two weeks ago, we identified a number of vulnerable systems on our network and notified customers. Many of these customers immediately corrected the situation, but some didn’t. Last week our platform automatically identified unusual traffic patterns in a group of accounts, so we temporarily disabled the accounts to block any fraudulent calls. After helping these businesses resolve their vulnerabilities and get back into operation, we re-enabled the impacted accounts.

Where the New York Times applauds companies like AT&T, I point blame. Not only are they inflating prices to cover these losses; by continuing to offer unlimited postpaid access and paying for the fraudulent phone bills, they are making it very lucrative to be a phone hacker. Any carrier prioritizing the protection of customers from toll-fraud would invest in the tools to proactively thwart hackers.

The customer that wanted to cancel his account because of the article said, “I’m not falling victim to a $200,000 phone bill.” With a competent SIP provider, businesses are protected without reverting to old technology or traditional carriers. Good SIP providers provide account-level controls that can limit outbound toll rates, restrict calling to designated geographic areas, and only allow calls from known IP addresses.
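To make those three account-level controls concrete, here is a sketch of how they compose into a single deny-by-default check on each outbound call. It is an example added for this article, not Flowroute's or any carrier's code; the `AccountPolicy` structure, function names, rate table and addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from decimal import Decimal

# Constructed per-minute rates keyed by E.164 prefix (illustrative values only).
RATES = {
    "1": Decimal("0.01"),      # North America
    "44": Decimal("0.02"),     # United Kingdom
    "4470": Decimal("0.45"),   # UK range priced far above ordinary UK calls
    "881": Decimal("6.50"),    # satellite
}

@dataclass(frozen=True)
class AccountPolicy:             # hypothetical structure, not a provider API
    allowed_networks: tuple      # CIDR strings for the customer's known PBX addresses
    allowed_prefixes: tuple      # destination prefixes the business actually calls
    max_rate_per_min: Decimal    # outbound toll-rate ceiling

def lookup_rate(number, rates=RATES):
    """Longest-prefix match; None if the destination is not in the rate table."""
    digits = number.lstrip("+")
    for length in range(len(digits), 0, -1):
        rate = rates.get(digits[:length])
        if rate is not None:
            return rate
    return None

def authorize_call(policy, src_ip, dest_number):
    """Return (allowed, reason). Every control must pass; unknowns are denied."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return False, "source IP not on allowlist"
    digits = dest_number.lstrip("+")
    if not any(digits.startswith(p) for p in policy.allowed_prefixes):
        return False, "destination outside permitted regions"
    rate = lookup_rate(dest_number)
    if rate is None or rate > policy.max_rate_per_min:
        return False, "rate exceeds account ceiling"
    return True, "ok"

# Constructed sample policy: one office network, US/UK calling, 10 cents/min cap.
POLICY = AccountPolicy(("203.0.113.0/28",), ("1", "44"), Decimal("0.10"))
```

The rate ceiling matters even when the geographic check passes: the last control is what rejects an expensive number range inside an otherwise permitted country.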

Your security is your success:

As a business owner, I have tremendous sympathy for the businesses that have experienced telephone (or any) fraud. Our mission at Flowroute is to help our customers avoid this misfortune. All carriers have a responsibility to secure our networks and help our customers understand how to secure their phone systems, and the importance of securing their network. When we all band together, these fraudsters will have no one left to rob.