In response to this recent New York Times article on VoIP fraud
Sadly enough, there will always be people looking to exploit security lapses in technology for their own personal gain. Stories about millions of credit card numbers being stolen from large retail organizations and big banks are recent examples. And VoIP is no different. There are always people looking to exploit lapses in security in the VoIP space. Luckily, with a hosted PBX solution such as OnSIP, one can mitigate many of the security challenges that plague other industries.
Our team has been aware of these malicious hackers for quite some time. These attacks commonly occur with in-house/premise based PBXs utilizing SIP Trunking, most often when the user has weak password security and/or unpatched software.
Unwanted international dialing is a typical scam that exploitative hackers will try to use on unsuspecting VoIP users. Once the hackers identify a vulnerable PBX on the Internet, they will try something on the order of 1 million passwords per day (or about 10 per second) until they find an extension with a weak password. Once the passwords are cracked, they are able to make calls via the compromised PBX to premium international numbers, racking up significant undesired charges for the owner of the PBX.
With a hosted PBX solution, we can address these perils with maintenance and guidance. To this end, we disable international dialing for OnSIP customers by default. The credit card holder on the account must enable international dialing by filling out our Extended Dialing Form.
By default, none of our customers can make a call to an international number that costs more than 2.9c per minute without further administrative approval. Most customers keep these international dialing features turned off. We strongly recommend keeping it that way if you never make international calls. For the modest international calling some customers need, a calling card works quite well.
Also, Hosted PBX customers should keep phones/devices behind a router and on our boot server. Our boot server changes the phone's preset default password. But even after this, phones are still vulnerable to brute-force attacks. So it's best practice to never attach a phone directly to the Internet.
It is important to always remember, as the NYT Article states, to treat your phone as a device connected to the Internet. That means good password management and reasonable network controls. On the positive side, much like Google is able to see SPAM e-mail trends in aggregate, we can see and stop many of these attacks before they can affect our customers.
For more information, here is a link to our VoIP Security document in our Knowledgebase.