VANCOUVER – Saying it’s detected an increase in voice-mail hacking recently, Telus is urging customers to protect themselves from attempts to use this scam to make long distance calls at customers’ expense.
While businesses are usually the prime target for this type of fraud, residential customers should also take precautions, said the company.
"In a nutshell, fraudsters attempt to hijack the system by exploiting people’s tendency to use simple passwords and leave the default manufacturers’ passwords in place on their voice mailboxes," said Gene McLean, Telus chief security officer. "They try to make overseas calls using voice mail systems’ through-dialing feature, which is designed to allow the mailbox’s owner to dial in from off-site to make calls from their work line. A few simple measures, such as ensuring employees change default passwords and disabling the through-dialing feature if it is not required, can go a long way towards protecting yourself from this scam."
The Telus corporate security fraud management centre detected almost 200 incidents of voice mail hacking in 2005 by scanning for sudden abnormal or unusual calling patterns. When voice mail fraud is suspected, Telus’ fraud analysts contact the affected customer and work with them to shut the fraud down. The company says the centre saved customers a total of $1.5 million in fraudulent calls due to this scam alone in 2005.
The scam artists most often call a business after-hours and use its automated answering system to troll for vulnerable mailboxes. Experienced fraudsters sometimes recognize the system they are calling by its prompts and know that system’s default passwords, allowing them access to mailboxes with unchanged passwords. They also try simple passwords such as 1234 and 1111.
Businesses with voice mail systems should take several steps to protect themselves:
* Ensure employees change manufacturers’ default passwords.
* Program voice mail systems to require passwords with at least six characters.
* Encourage employees not to use easily-guessed passwords such as their phone numbers, local number, or simple number combinations.
* Never set passwords to a telephone’s local number when assigning a phone to a new employee.
* Program voice mail systems to force users to alter their passwords every 30 – 90 days.
* Remove unassigned mailboxes.
* Consider whether through-dialing is needed, and if it should be disabled. Through dialing allows employees to call their mailboxes from offsite and dial long distance on their work line. If this feature is used, generate and monitor daily through-dialing reports to ensure mailboxes are not being hacked.
