Saturday, December 3, 2011

How much could PABX fraud cost your business?

I recently came across this article discussing PBX security issues:

This is so true. Many of our customers constantly refer letters to me that they receive from their phone line providers that state the following:

"An unsecured PBX system can be compromised via an insecure voicemail system (or similar), that allows incoming callers to dial extensions directly and sometimes even outside lines. Hackers have targeted these systems, across the world, sometimes resulting in a large volume of international calls being charged to the PBX user’s account."

When I get alerted to this, my normal response to our customers is:

"VadaXchange PBX is configured with the best security measures in mind. The passwords generated on the system are secure. The system is patched against all known vulnerabilities as a part of your SLA with Vadacom.

The only step you need to ensure you follow is when creating new log-ins on the VadaXchange system to use "generate" button to generate secure passwords as opposed to make passwords up yourself."

I'd like to elaborate more here on security of telephone systems.

If you own or manage a phone system there are two types of attacks that you need to defend:

  1. Attack from the telephone line that exploits the ability of phone system to relay calls via voicemail and interactive voice response systems.
  2. Attack from the internet where computer based telephony is hacked in order to make calls.

The interesting thing is that both security risks affect both traditional TDM systems and the new IP systems.  This is contrary to many statements made by old-school telephone sales people, who don't often understand IP phone systems and have even less understanding of IT security. Last thing you want to do is seek IT security advise from a telephone sales person.

I need to establish my own credentials here. Although I would not call myself an IT security expert, I do have a background in IT security, having (a) a tertiary qualification in IT and (b) having run a business before who's principal product was a firewall and service was looking after business computer network security.

To defend yourself from both types of vulnerabilities you do need to follow the guidelines that were provided by Telecommunication Carriers' Forum:


Voicemail and Direct Inward Systems Access (DISA) passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.


Make sure all security features – passwords, PINS etc – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.


Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.


Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.


Make sure you have the right terms and conditions reflected in your contracts with your PBX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.

At Vadacom we provide regular security patches to our customers. We monitor vulnerability advisories. We also provide tools for generating secure passwords.


  1. This comment has been removed by a blog administrator.

  2. This comment has been removed by a blog administrator.

  3. This comment has been removed by the author.

  4. Thanks for sharing such a nice blog with meaningful information
    ip phone systems

  5. Indeed, IRCTC has made an agreement with the travel company Make My Trip. Under this, Make My Trip will provide the live status of the train to the passengers. That’s also via Whatsapp. Now passengers can Check PNR Status & Live Train Status through WhatsApp.