Guidelines for telephone system hacking / phreaking

What is it?

This document is intended to make you aware of the potential risk, and of the steps you can take to reduce that risk and stop unauthorised third parties from accessing your telephone system to make calls (usually to overseas destinations). As a guideline, the security you have in place for off-site storage of your data is the level you should replicate for your telephone system. Likewise, the security in place for your premises needs to include your telephone system in order to prevent access by unauthorised third parties. It is important to ensure that the level of security is high and that it is reviewed and checked periodically. Telephone systems and voicemail platforms contain inbuilt security, but this is dependent on the operators of the systems using and managing the security features adequately.

How does it occur?

Most telephone systems have a facility called DISA (Direct Inward System Access) which allows remote maintenance to be carried out. An outside caller could potentially access the system, but will only cause problems if the call breaks out onto an outside line; this is known as 'breakout'. There are legitimate occurrences of breakout: for example, some home workers may be able to dial into the system in order to make an international call, or the system maintainer may be able to dial in remotely to repair or reprogram the system. Both of these examples increase the risk of an unauthorised third party being able to dial in and make a 'breakout' call that will be charged to the customer. Customers should review their DISA arrangements regularly to ensure that they are not being abused and that security is tight enough to prevent misuse.

Another vulnerable area is voicemail or voice messaging systems, which have the ability to forward messages on to another number. As the messages are forwarded over the public network, there is the risk that an unauthorised third party could gain remote access and manipulate this facility to their advantage.

What measures can we take?

There are a number of measures that can be taken to ensure that your system is more adequately protected:

1. Ensure that the number of personnel who have remote access is restricted and that each individual has a different access code. If an individual leaves the company, ensure that their access code is disabled immediately.

2. Never use common default access codes for systems; ensure that they are changed after installation. Ensure that the access code uses the maximum number of digits that the system allows. Change the access codes regularly, choosing random numbers so that a pattern cannot be found.

3. Treat all information related to the access codes as top-level security. Store the information securely and only give staff access to it on a need-to-know basis. Those members of the team who do have access to the information should be aware of its importance and of the risks involved if they divulge it.

4. Never use a telephone number or extension as an access code, as this will make it easier for the hacker to decipher the code.

5. Where possible, always use call barring or other restriction codes. If at all possible, control the destinations for breakout calls. Never allow DISA to 'breakout' from 0800 numbers or any other non-geographic numbers, as this will make it easier for the hacker to decipher the number.

6. Regularly monitor the system activity to check that no hacking is taking place. Review your itemised bills for any unusual traffic and check call logger reports. Give these jobs high priority to ensure that they are carried out on a regular basis.

Please contact us if you need any assistance in setting up your access codes.
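Measure 6 (monitoring call logger reports for unusual traffic) is the one step that can be partly automated. The following is an added example, not part of the original guidance or any vendor's software: a small Python review of a call detail record (CDR) export that flags the patterns described above. The CDR column layout, the use of "DISA" as the origin of a call that entered on a trunk and was routed back out, the UK-style "00" international and "09" premium-rate prefixes, the business-hours window and the burst threshold are all assumptions for this example; the sample records are constructed, not real billing data.

```python
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO

# Constructed sample CDR export (hypothetical format: date,time,origin,dialled,seconds,route).
# "DISA" as the origin marks a call that came in on a trunk and broke out again.
SAMPLE_CDR = """\
date,time,origin,dialled,seconds,route
2024-03-04,09:12:33,201,01234567890,120,TRUNK1
2024-03-04,10:05:10,214,00441234567890,300,TRUNK1
2024-03-04,23:41:02,DISA,00224123456789,1800,TRUNK2
2024-03-04,23:55:47,DISA,00224123456781,1750,TRUNK2
2024-03-05,02:10:05,DISA,00224123456782,1790,TRUNK2
2024-03-05,11:30:00,207,09051234567,60,TRUNK1
2024-03-09,03:00:00,214,00197654321,900,TRUNK1
"""

INTERNATIONAL_PREFIXES = ("00", "+")   # assumption: UK-style international dialling
PREMIUM_PREFIXES = ("09",)             # assumption: UK premium-rate number range


def is_international(number):
    return number.startswith(INTERNATIONAL_PREFIXES)


def in_business_hours(when, start=time(8), end=time(18)):
    """Monday to Friday between start and end; anything else counts as out of hours."""
    return when.weekday() < 5 and start <= when.time() < end


def parse_cdr(text):
    """Parse the CSV export into dicts with a real datetime and integer duration."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["seconds"] = int(rec["seconds"])
        rows.append(rec)
    return rows


def review_cdr(text, burst_threshold=3):
    """Return one finding per matched rule; a single call can trigger several rules."""
    findings = []
    intl_per_origin = Counter()
    for rec in parse_cdr(text):
        base = {"origin": rec["origin"], "dialled": rec["dialled"],
                "when": rec["when"].isoformat()}
        intl = is_international(rec["dialled"])
        if intl:
            intl_per_origin[rec["origin"]] += 1
        # DISA breakout to an international destination (measure 5 says to control this).
        if rec["origin"] == "DISA" and intl:
            findings.append({"rule": "disa_breakout", **base})
        # International calls at night or at weekends are the classic fraud signature.
        if intl and not in_business_hours(rec["when"]):
            findings.append({"rule": "out_of_hours_international", **base})
        # Premium-rate destinations are rarely legitimate business traffic.
        if rec["dialled"].startswith(PREMIUM_PREFIXES):
            findings.append({"rule": "premium_rate", **base})
    # Many international calls from one origin in the reviewed period.
    for origin, n in intl_per_origin.items():
        if n >= burst_threshold:
            findings.append({"rule": "international_burst", "origin": origin,
                             "dialled": f"{n} international calls", "when": "period"})
    return findings


def count_by_rule(findings):
    """Summary suitable for a daily report: rule name -> number of hits."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in review_cdr(SAMPLE_CDR):
        print(f"{f['rule']:28} {f['origin']:5} {f['dialled']:24} {f['when']}")
    print(count_by_rule(review_cdr(SAMPLE_CDR)))
```

Run against a real call logger export, the same script only needs `parse_cdr` adapted to the logger's column names. The thresholds are deliberately conservative so that the report is short enough to be read every day, which is the point of measure 6: a flagged DISA breakout at 23:41 is worth a phone call to the maintainer the next morning, not a line in a monthly bill.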