VoIP Fraud Tools and Best Practice information to help mitigate risk:
The following tools are in place within the VoiceHost customer control panel to help reduce your exposure to fraudulent calls. However, we cannot guarantee to stop calls placed by IP phones or PBX systems that are not authorised, not expected or outside normal calling patterns, or calls placed by compromised deployments to high-value destinations. This guide therefore gives recommendations for secure deployment and describes the features that can be configured from within the customer control panel and the reseller portal.
In the event that your PBX or device is compromised we cannot guarantee to stop fraud.
Please use ALL the tools and guidance we provide to ensure you stay safe. Our aim is to help you to help yourself.
Hosted Voice Platform:
- Randomly generated strong passwords (non-user configurable but can be re-generated from the control panel)
- Call restrictions are opt-in, not opt-out, i.e. you have to explicitly enable the destinations for seats, SIP trunks and NTS Destinations
- No break-out dial facility from our hosted voicemail service or hosted conferencing service
- Automated phone provisioning
- Automatic fraudulent call filtering via publicly available lists and high-risk destinations
- Two concurrent outbound calls limit per hosted extension (allows 3-way calling)
- Access from non-UK IP addresses banned by default (IP addresses for networks abroad can be whitelisted on request)
- Outbound Time and Day call restrictions available
- Number type restrictions (UK landlines & UK mobiles, other UK non-geo calls, international destinations, Directory Enquiries via 118xxx numbers)
- In addition to all of the above, SIP Trunks can be locked to a single IP address so that other IP addresses cannot make calls using the SIP Trunk credentials
- All outbound calls require SIP credential validation by default unless configured for IP authentication
Guidance for secured deployment of hosted PBX or SIP trunking for customer sites:
The tools above, provided on the VoiceHost customer control panel, must be actively configured for each customer in order to limit the exposure to telecommunications fraud. They will not completely eliminate it, and you must not rely solely on the VoiceHost platform to mitigate fraud originating from customer deployments.
When configuring seats or SIP trunks, please pay attention to the following specific points:
- Configure the seats/trunks to only be able to dial out when the customer is actively using them to make calls. If the customer only uses the phones between 9am and 5pm Monday to Friday, enable Outbound Time Restrictions so that the customer may dial between 09:00 and 17:00 on weekdays, with weekend calling disabled.
- Configure the seats/trunks to only be able to dial certain destinations. If the customer only dials UK numbers and does not require UK premium rate or UK DQ access then only enable UK landline, UK mobile and UK other destinations, and leave UK DQ and International Calls un-ticked.
- If the customer requires the ability to make international calls, use the Outbound PIN feature under Call Restrictions for international calls. A PIN has to be entered by a person, so a compromised PBX or phone cannot usually place calls to unauthorised or unexpected international destinations on its own.
- Most routers and firewalls allow IP traffic to be locked down by IP address range or subnet. Configure the firewall so that only traffic from VoiceHost subnets is allowed to reach the phones or PBX.
- Secure any external access (e.g. router/firewall administration, phone/PBX, VPN, fixed line dial-in) to devices on your network installation with strong usernames and passwords, and if available limit access per MAC address so that unauthorised devices cannot join your network. Note that MAC addresses are easily spoofed, so treat MAC filtering as an extra hurdle rather than as a substitute for strong authentication.
- Do not enable a break-out dialling function on your SIP trunk-connected PBX within remote voicemail access or conferencing, as this is one of the most common ways systems are compromised.
- For SIP trunk connected IP PBX systems, local and remote VoIP extensions must be locked down with strong authentication credentials. Additionally, configure the extensions so that access is only granted upon successful authentication from the specific public IP address of each fixed remote extension, and if possible also by MAC address for connected IP telephones (again, a hurdle rather than a control, since MAC addresses can be spoofed). Extensions on SIP-enabled IP PBX systems installed at customer sites must never accept authentication from any source with simple usernames and passwords (e.g. 100/100 as the username/password), as this is one of the easiest ways that fraudulent calls are carried out.
- Study the attached best practices document from the ITSPA
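The restrictions described above (opt-in destination classes, time and day windows, the outbound PIN for international calls, and the high-risk destination filter) combine into one decision per outbound call. The following is an added example in Python and is not VoiceHost's code or the control panel's implementation: the prefix classification follows the ordinary UK dialling plan, while the sample policy, the PIN and the blocked prefixes are constructed for illustration. A real deployment would load the prefixes from the current high-risk list rather than the values shown.

```python
"""Outbound call policy for a hosted seat or SIP trunk (added example, not VoiceHost code).

Combines the restriction types described on this page into one deny-by-default
decision: high-risk prefix block, opt-in destination classes, weekday time window,
and an outbound PIN for international calls.
"""
import hmac
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


def normalise(number: str) -> str:
    """Digits only; a leading '+' becomes the UK international prefix '00'."""
    number = number.strip()
    if number.startswith("+"):
        number = "00" + number[1:]
    return re.sub(r"\D", "", number)


def classify(number: str) -> str:
    """Map a dialled number to the destination classes used on this page (UK dialling plan)."""
    d = normalise(number)
    if d.startswith("00"):
        return "international"
    if d.startswith("118"):
        return "uk_dq"                 # directory enquiries (118xxx)
    if d.startswith(("01", "02")):
        return "uk_landline"
    if d.startswith("070"):
        return "uk_premium"            # personal numbering, charged far above mobile rates
    if d.startswith("07"):
        return "uk_mobile"
    if d.startswith(("03", "08")):
        return "uk_nongeo"
    if d.startswith("09"):
        return "uk_premium"            # premium rate
    return "unknown"                   # never enabled, so unrecognised formats are denied


@dataclass(frozen=True)
class SeatPolicy:
    allowed_classes: frozenset                  # opt-in: a class is denied unless listed here
    weekday_window: Optional[Tuple[int, int]]   # (start_hour, end_hour) Mon-Fri; None = any time
    international_pin: Optional[str]            # when set, required for "international" calls
    blocked_prefixes: Tuple[str, ...]           # high-risk prefixes, denied whatever else is enabled


def check_call(policy: SeatPolicy, number: str, when: datetime,
               pin: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one outbound call attempt."""
    d = normalise(number)
    if not d:
        return False, "empty number"
    # 1. High-risk destinations are refused even if international calling is enabled.
    if any(d.startswith(p) for p in policy.blocked_prefixes):
        return False, "high-risk destination blocked"
    # 2. The destination class must have been explicitly enabled for this seat.
    cls = classify(d)
    if cls not in policy.allowed_classes:
        return False, f"class {cls} not enabled"
    # 3. Time and day restriction: weekdays only, inside the configured hours.
    if policy.weekday_window is not None:
        start, end = policy.weekday_window
        if when.weekday() >= 5 or not (start <= when.hour < end):
            return False, "outside permitted calling hours"
    # 4. International calls need the outbound PIN; compare in constant time.
    if cls == "international" and policy.international_pin is not None:
        if pin is None or not hmac.compare_digest(pin.encode(), policy.international_pin.encode()):
            return False, "international PIN required"
    return True, "allowed"


# Constructed sample policy for a 9-to-5 office that occasionally dials abroad.
OFFICE_POLICY = SeatPolicy(
    allowed_classes=frozenset({"uk_landline", "uk_mobile", "uk_nongeo", "international"}),
    weekday_window=(9, 17),
    international_pin="4821",                      # sample PIN, not a real one
    blocked_prefixes=("00252", "00881", "00882"),  # sample only; load the current high-risk list
)

# Sample timestamps: a Wednesday mid-morning, a Saturday, and a weekday evening.
WED = datetime(2024, 1, 10, 10, 30)
SAT = datetime(2024, 1, 13, 10, 30)
EVENING = datetime(2024, 1, 10, 19, 0)

if __name__ == "__main__":
    attempts = [
        ("02079460000", WED, None),        # UK landline in hours
        ("118500", WED, None),             # DQ not enabled
        ("0033123456789", WED, None),      # international without PIN
        ("0033123456789", WED, "4821"),    # international with PIN
        ("+252612345678", WED, "4821"),    # high-risk prefix, PIN does not help
        ("02079460000", SAT, None),        # weekend
    ]
    for number, when, pin in attempts:
        print(f"{number:>16} {when:%a %H:%M} -> {check_call(OFFICE_POLICY, number, when, pin)}")
```

The order of the checks matters: the high-risk block comes first so that enabling international calling never re-opens a blocked prefix, and anything the classifier cannot recognise falls into a class that is never enabled.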
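The extension-hardening points above (no default or simple secrets such as 100/100, no registration from arbitrary addresses, no unauthenticated calling) can be checked mechanically against the PBX configuration. The following is an added example and is not VoiceHost's code or part of the ITSPA document. It assumes an Asterisk PBX with chan_sip-style sip.conf peer sections (secret=, host=, deny=, permit=, and allowguest/alwaysauthreject in [general]); the configuration embedded in it is constructed for illustration, with the documentation range 203.0.113.0/24 standing in for a customer's fixed site address.

```python
"""Audit an Asterisk sip.conf-style peer file (added example, not VoiceHost code).

Flags the weaknesses named on this page: secrets equal to the username (100/100),
short or single-character-class secrets, peers that register from any address,
and unauthenticated (guest) calling. Assumes chan_sip-style sections; the sample
configuration is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SIP_CONF = """\
[general]
allowguest=yes              ; unauthenticated calls accepted
alwaysauthreject=no         ; lets an attacker tell valid from invalid usernames

[100]
type=friend
secret=100                  ; the 100/100 pattern from the guidance above
host=dynamic
context=from-internal

[reception]
type=friend
secret=Nq7!vL2pQ9xT4wZm
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/24       ; fixed site address only (documentation range as a sample)
context=from-internal

[remote-sales]
type=friend
secret=summer2019
host=dynamic                ; no deny/permit: registration accepted from anywhere
context=from-internal
"""

MIN_SECRET_LEN = 12


def parse_asterisk_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}; ';' starts a comment, '[name](!)' templates keep their name."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def secret_finding(name: str, secret: str) -> str:
    """Classify one peer secret; '' means acceptable."""
    if not secret:
        return "no-secret"
    if secret.lower() == name.lower():
        return "secret-equals-username"
    if len(secret) < MIN_SECRET_LEN or secret.isdigit() or secret.isalpha():
        return "weak-secret"
    return ""


def audit(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (section, finding-code) pairs. Missing [general] options are flagged
    rather than assumed safe, because the defaults differ between Asterisk versions."""
    findings: List[Tuple[str, str]] = []
    general = dict(sections.get("general", []))
    if general.get("allowguest", "") != "no":
        findings.append(("general", "allowguest"))
    if general.get("alwaysauthreject", "") != "yes":
        findings.append(("general", "alwaysauthreject"))
    for name, options in sections.items():
        if name == "general":
            continue
        opts: Dict[str, List[str]] = {}
        for key, value in options:
            opts.setdefault(key, []).append(value)   # deny/permit may repeat
        if opts.get("type", [""])[0] not in ("friend", "peer", "user"):
            continue
        code = secret_finding(name, opts.get("secret", [""])[0])
        if code:
            findings.append((name, code))
        if "dynamic" in opts.get("host", []) and "permit" not in opts:
            findings.append((name, "no-ip-restriction"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample above."""
    return audit(parse_asterisk_conf(SAMPLE_SIP_CONF))


if __name__ == "__main__":
    for section, code in audit_sample():
        print(f"[{section}] {code}")
```

Only the reception peer passes: a long mixed-character secret and a deny-all/permit-site pair. The checks are deliberately strict about missing settings, since relying on a version-specific default is exactly the kind of assumption that leaves an extension reachable from anywhere.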
High Risk Telecommunications Fraud Country Dialling Code List: (last updated 01/01/2019)