Is your PBX an ATM for Hackers?
Ka-HackChing is rallying online criminals to benefit from the high returns of PBX hacks, whether the PBX is located onsite at a corporation, in the cloud or outsourced to a third party. In every case, the hacker finds routes to cash in while damaging a company’s financial position. They access the company’s PBX and then sell minutes, dial high cost-per-minute 900 numbers, steal proprietary data, access voicemails, or gather company intelligence to be used for a multitude of nefarious acts.
How bad is it? According to the Communications Fraud Control Association (CFCA), an industry group financed by carriers and law-enforcement agencies to tackle communications fraud, it is a $4.73 billion business globally, up from nearly $1 billion in 2011. In 2015, the FBI indicted multiple hackers, including Noor Aziz Uddin and Farhan Arshad, who were working out of Pakistan and Bangkok and engineering massive PBX fraud within American organizations. Uddin, according to the FBI, is responsible for a lucrative PBX and phone hacking scam that cashed in on $50 million over a 4 to 5 year period.
Enterprise’s Reliance on PBX
The PBX has been at the core of business communications, providing simple employee dialing plans, conference calling, voicemail retrieval, calls to mobile phones and the ability to forward calls to other extensions or mobile phones. The value of a PBX has far surpassed its cost for an enterprise, from its inception in the 1960s to its expansion with the introduction of IP PBXs in the late 1990s. More recently, mobile phones have taken over corporate communications and are exponentially stimulating the growth of Bring Your Own Device (BYOD), Voice over IP (VoIP), cloud computing, unified communications and outsourcing. Integrating these solutions with the PBX has enabled companies to reduce cost while improving productivity. However, at the same time, this change has opened the enterprise to PBX hacking with criminal intent.
How can Enterprises Continue to Benefit from PBX without the Associated Risks?
How can companies harness the productivity and cost reductions of PBX without damaging their future? First of all, a security audit of the company’s communications infrastructure should be done by an IT consulting firm or PBX vendor to determine vulnerabilities. Additional important steps you can take:
- Change default passwords like 1234 (happens all the time!)
- Prevent or limit call forwarding and outbound calling from the voicemail ports
- Block international call access to countries you don’t do business with (I am sure a few come to mind!)
- Ensure your PBX admin is secure (policies, restrictions, firewalls etc.)
- Encrypt mobile to PBX communications, shutting down the ability to listen in to calls, voicemails, speed dialing and recording information
- Limit or prevent calls after business hours
- Disable the system features on PBX that can be accessed via cell or desk phone
- Audit call volume, especially on weekends, after work hours and on public holidays
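The call-volume audit in the last step can be automated against the PBX's call detail records (CDRs). The sketch below is an added example, not part of the original article or any vendor's product; the CSV column layout, the `vm-port` source naming, the allowed country prefixes, the business hours and the holiday list are all assumptions to replace with your own policy.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample CDR export; real PBX exports differ by vendor (assumed layout).
SAMPLE_CDR = """start,source,destination,seconds
2024-03-04 10:15:00,ext-2001,+12025550143,180
2024-03-09 02:40:00,ext-2007,+12025550171,2400
2024-03-05 23:05:00,vm-port-3,+999000000001,3600
2024-03-06 14:00:00,ext-2010,+442079460000,600
2024-07-04 11:30:00,ext-2003,+12025550199,900
"""

# Assumed policy values for illustration only.
ALLOWED_PREFIXES = ("+1", "+44")   # countries the company does business with
OPEN_HOUR, CLOSE_HOUR = 8, 18      # business hours, local time
HOLIDAYS = {date(2024, 7, 4)}      # public holidays to treat as closed
VOICEMAIL_PREFIX = "vm-port"       # hypothetical naming of voicemail ports


def audit_call(row):
    """Return the list of policy findings for one CDR row."""
    start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
    findings = []
    if row["source"].startswith(VOICEMAIL_PREFIX):
        findings.append("outbound call from voicemail port")
    # Prefix matching is a simplification of real dial-plan country checks.
    if not row["destination"].startswith(ALLOWED_PREFIXES):
        findings.append("destination outside allowed countries")
    if start.date() in HOLIDAYS:
        findings.append("public holiday")
    elif start.weekday() >= 5:
        findings.append("weekend")
    elif not (OPEN_HOUR <= start.hour < CLOSE_HOUR):
        findings.append("after business hours")
    return findings


def audit(cdr_text):
    """Return (source, destination, seconds, findings) for every flagged call."""
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        findings = audit_call(row)
        if findings:
            flagged.append((row["source"], row["destination"],
                            int(row["seconds"]), findings))
    return flagged


if __name__ == "__main__":
    for source, dest, seconds, findings in audit(SAMPLE_CDR):
        print(f"{source} -> {dest} ({seconds}s): {', '.join(findings)}")
```

Run on a schedule against the previous day's export, a report like this surfaces off-hours traffic before the carrier invoice does.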
KoolSpan Enterprise TrustBridge provides secure communications between mobile and PBX. TrustBridge addresses PBX hacks whether it’s onsite, in the cloud or outsourced. We’d be happy to assist in reviewing your options for securing your PBX and mobile phones.