The NY Times did a great job of highlighting the problem of phone system hacking, but didn’t go deep enough to help understand how to prevent it. The implementation details will vary by PBX, but here are a few more ideas:
1) Set up toll restriction – block international calls whenever possible including the Caribbean (which is dialed like a domestic call but billed like international). If you can’t block all 011 international, only allow countries you need.
2) Don’t allow forwarding from your voicemail system. Let’s face facts: users pick bad voicemail passwords, so voicemail should be treated as insecure. Disable forwarding from the voicemail system whenever possible.
3) If you’re using a VoIP PBX, get an SBC (session border controller) like the Pika uFirewall, which can block dictionary attacks on your PBX that most general purpose firewalls won’t recognize. Also pick your ipPBX wisely – some rotate authentication keys and secure their phone config files, others leave their info exposed.
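To show what “recognizing a dictionary attack” means in practice, here is an added example (not part of the original post, and not the Pika uFirewall’s logic) that scans constructed PBX registration-failure log lines and flags any source IP that racks up too many failed SIP registrations within a short window, which is exactly the pattern a general-purpose firewall passes through as ordinary UDP traffic. The log format, IP addresses and threshold are assumptions made for the example.

```python
"""Flag SIP registration brute-force sources from PBX security log lines.

Added example: the log line format below is constructed to resemble a typical
VoIP PBX registration-failure message; adjust LINE_RE for your PBX's actual log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one noisy source trying one extension after another
# within seconds, one legitimate user who mistyped a password twice, half an
# hour apart, and one unrelated line that the parser must ignore.
SAMPLE_LOG = [
    "2024-05-02T03:14:00Z NOTICE Peer '2001' is now Reachable",
    "2024-05-02T03:14:01Z WARNING Registration from '\"100\" <sip:100@pbx.example>' failed for '203.0.113.45:5060' - Wrong password",
    "2024-05-02T03:14:02Z WARNING Registration from '\"101\" <sip:101@pbx.example>' failed for '203.0.113.45:5060' - Wrong password",
    "2024-05-02T03:14:03Z WARNING Registration from '\"102\" <sip:102@pbx.example>' failed for '203.0.113.45:5060' - No matching peer found",
    "2024-05-02T03:14:04Z WARNING Registration from '\"103\" <sip:103@pbx.example>' failed for '203.0.113.45:5060' - Wrong password",
    "2024-05-02T03:14:05Z WARNING Registration from '\"104\" <sip:104@pbx.example>' failed for '203.0.113.45:5060' - Wrong password",
    "2024-05-02T03:14:06Z WARNING Registration from '\"105\" <sip:105@pbx.example>' failed for '203.0.113.45:5060' - Wrong password",
    "2024-05-02T03:20:00Z WARNING Registration from '\"2001\" <sip:2001@pbx.example>' failed for '198.51.100.7:5060' - Wrong password",
    "2024-05-02T03:50:00Z WARNING Registration from '\"2001\" <sip:2001@pbx.example>' failed for '198.51.100.7:5060' - Wrong password",
]

# Assumed log layout: ISO timestamp, level, quoted user, source ip:port, reason.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) WARNING Registration from '\"(?P<user>[^\"]+)\"[^']*' "
    r"failed for '(?P<ip>[\d.]+):\d+' - (?P<why>.+)$"
)


def parse_line(line):
    """Return a dict for a registration-failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "ip": m["ip"],
        "why": m["why"],
    }


def find_attackers(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source IP.

    An IP is flagged the first time it reaches `threshold` failures inside
    `window`. The number of distinct usernames tried is recorded too, since a
    single source cycling through many extensions is the signature of an
    extension-enumeration / password-guessing run rather than a fat-fingered
    phone. Returns {ip: details} for flagged sources.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        users[ev["ip"]].add(ev["user"])
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = {
                "failures": len(q),
                "distinct_users": len(users[ev["ip"]]),
                "first_flagged": ev["ts"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_attackers(SAMPLE_LOG).items():
        print(f"block {ip}: {info['failures']} failures, "
              f"{info['distinct_users']} usernames, at {info['first_flagged']}")
```

The output of `find_attackers` is the block list an SBC or host firewall would act on; the legitimate user with two failures half an hour apart never crosses the threshold, which is why the window matters as much as the count.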
4) Make sure your admin passwords are strong. This should be obvious, but the best of plans can be easily foiled by a hacker with admin access.
5) Limit access whenever possible. Don’t open your PBX to the world; require VPN access if the PBX must be reachable from outside your office. If you need to open up ports to the outside world, limit the source IPs when possible.
6) Ask your carrier how they can protect you. Any good carrier can restrict calling access or set up toll fraud monitoring.
7) Keep your system up to date – modern vendors are patching flaws and putting in stronger tools to prevent fraud. An outdated system is an invitation to hacking.
8) Order “validated account codes” from your carrier for international calls. This will require a caller to dial a special code to complete an international call. This can also be done on some PBXs rather than the carrier. Make sure your codes aren’t short or obvious (e.g. don’t use 1234). Another layer of security can often be enough to get a hacker to move along.
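Tips 1 and 8 together describe an outbound call policy: treat Caribbean NANP area codes as international even though they dial like domestic numbers, only allow the countries you actually need, and require a non-trivial account code before an international call completes. The following added example (not from the original post, and not any particular PBX’s dial-plan syntax) models that policy in Python so the rules can be seen and tested in one place. The area-code subset, the allowed country codes and the account code are constructed for illustration; a real deployment must take the area-code list from the NANP administrator and keep it current.

```python
"""Outbound call policy: toll restriction plus validated account codes.

Added example. Everything below is a constructed illustration of the rules
in tips 1 and 8, not a PBX's own configuration.
"""
import hmac
import re

# Constructed, deliberately incomplete subset of NANP area codes that are
# outside the US and Canada and therefore billed as international calls.
CARIBBEAN_AREA_CODES = {
    "242", "246", "264", "268", "284", "345", "441", "473", "649",
    "664", "721", "758", "767", "784", "809", "829", "849", "868", "869", "876",
}

# Assumed: this office only needs to call the UK and Germany.
ALLOWED_COUNTRY_CODES = {"44", "49"}

# Assumed account code store. Codes are long and non-obvious (tip 8).
VALID_ACCOUNT_CODES = {"48213907"}
MIN_ACCOUNT_CODE_LEN = 6


def classify(dialed):
    """Return (kind, digits) where kind is domestic, caribbean,
    international or unknown. Formatting characters are ignored."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith("011"):
        # 011 + country code + national number
        return "international", digits[3:]
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) == 10:
        # Ten-digit NANP number: looks domestic, but the area code decides.
        if digits[:3] in CARIBBEAN_AREA_CODES:
            return "caribbean", digits
        return "domestic", digits
    if len(digits) == 7:
        return "domestic", digits
    return "unknown", digits


def account_code_ok(code):
    """Constant-time comparison against the store; short codes never pass."""
    if code is None:
        return False
    code = re.sub(r"\D", "", code)
    if len(code) < MIN_ACCOUNT_CODE_LEN:
        return False
    return any(hmac.compare_digest(code, valid) for valid in VALID_ACCOUNT_CODES)


def check_call(dialed, account_code=None):
    """Decide ('allow'|'deny', reason) for an outbound call attempt."""
    kind, digits = classify(dialed)
    if kind == "domestic":
        return "allow", "domestic"
    if kind == "unknown":
        return "deny", "unrecognised number format"
    if kind == "caribbean":
        # Dialled like a domestic call, billed like an international one:
        # toll restriction applies just as it does to 011 numbers.
        return "deny", f"area code {digits[:3]} is billed as international"
    # kind == "international"
    if not any(digits.startswith(cc) for cc in ALLOWED_COUNTRY_CODES):
        return "deny", "destination country not on the allow list"
    if not account_code_ok(account_code):
        return "deny", "valid account code required for international calls"
    return "allow", "international: allowed country and valid account code"


if __name__ == "__main__":
    for number, code in [
        ("212-555-0100", None),
        ("1 876 555 0100", None),
        ("011 44 20 7946 0958", None),
        ("011 44 20 7946 0958", "1234"),
        ("011 44 20 7946 0958", "48213907"),
        ("011 33 1 2345 6789", "48213907"),
    ]:
        print(number, code, "->", check_call(number, code))
```

Note the ordering in `check_call`: the country allow list is evaluated before the account code, so a stolen or guessed code still cannot reach a destination the business never calls.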
You may need a few hours of your phone system vendor’s time to set these up, but what’s a few hundred bucks of prevention vs. tens of thousands in fraud?