VoIP Fraud Protection Tools and Best Practice information:
The following tools are in place within the VoiceHost customer control panel to help protect against fraudulent calls. They do not guarantee to stop calls placed by IP phones or PBX systems that are not authorised, not expected, not within normal calling patterns, or placed by compromised deployments to high-value destinations. This is therefore a guide with recommendations for secure deployment and for features that may be configured from within the customer control panel and the reseller portal.
Hosted Voice Platform:
- Randomly generated strong passwords (non-user configurable but can be re-generated from the control panel)
- Call restrictions are opt-in, not opt-out, i.e. you have to explicitly enable the destinations for seats, SIP trunks and NTS Destinations
- No break-out dial facility from our hosted voicemail service or hosted conferencing service
- Per-customer daily call spend limit to try to limit financial exposure (can be amended as required by our support team and by resellers for their customers via the reseller portal)
- Call spend limit alerts (via email and on new/active phone calls)
- Automated phone provisioning
- Automatic fraudulent call filtering via publicly available lists and high-risk destinations
- Two concurrent outbound calls limit per hosted extension (allows 3-way calling)
- Access from non-UK IP addresses banned by default (IP addresses for networks abroad can be whitelisted on request)
- Outbound Time and Day call restrictions available
- Number type restrictions (UK landlines & UK mobiles, other UK non-geo calls, international destinations, Directory Enquiries via 118xxx numbers)
- In addition to all of the above, SIP Trunks can be locked to a single IP address so that other IP addresses cannot make calls using the SIP Trunk credentials
- All outbound calls require SIP credential validation by default unless configured for IP authentication
- Scalable Channel Count limits and call attempts per second per SIP trunk used in combination with daily call spend per customer (both can be amended on the fly)
Guidance for secured deployment of hosted PBX or SIP trunking for customer sites:
The above tools provided on the VoiceHost customer control panel must be actively configured for each customer in order to limit the exposure to potential telecommunications fraud. This will not eliminate the risk completely, and you must not be complacent and rely fully on the VoiceHost platform to prevent telecommunications fraud originating from customer deployments. It is also important to bear in mind that it is very easy to configure seats and SIP trunks to be able to dial any number at any time with a high daily call spend (also referred to as a wide-open setup), but this significantly increases the chances of your system being compromised overnight without your knowledge.
When configuring seats or SIP trunks, please pay attention to the following specific points:
- Configure the seats/trunks to only be able to dial out when the customer is actively using the seats/trunks to make calls. If the customer only uses the phones between 9am and 5pm Monday to Friday, enable the Outbound Time Restrictions so that the customer may only dial between 09:00 and 17:00 on weekdays, and disable weekend calling.
- Configure the seats/trunks to only be able to dial certain destinations. If the customer only dials UK numbers and does not require UK premium rate or UK DQ access, then only enable UK landline, UK mobile and UK other destinations, and leave UK DQ and International Calls unticked.
- If the customer requires the ability to make international calls, use the Outbound PIN feature under Call Restrictions for international calls. This should allow only humans to dial international destinations, and compromised systems will usually not be able to place calls to unauthorised or unexpected destinations.
- Most routers and firewalls allow configuration for locking down IP traffic by IP address ranges or subnets. Configure and lock down the firewall so that only VoiceHost traffic is allowed from VoiceHost subnets.
- Secure any external access (e.g. router/firewall administration, phone/PBX, VPN, fixed line dial-in) to devices on your network installation with strong usernames and passwords, and if available limit the access per MAC address so that no unauthorised devices are allowed to compromise your network.
- Do not enable a break-out dialling function within remote voicemail access or conferencing on your SIP trunk-connected PBX; this is usually how most systems are compromised.
- For SIP trunk-connected IP PBX systems, local or remote VoIP extensions must be locked down with strong authentication credentials. Additionally, configure the extensions so that access is only granted upon successful authentication per specific public IP address for fixed remote extensions, and if possible additionally by MAC address for connected IP telephones. Extensions on SIP-enabled IP PBX systems installed at customer sites must not be allowed to be authenticated from any source with simple usernames and passwords (e.g. 100/100 as the username/password), as this is one of the easiest ways that fraudulent calls are carried out.
- Study the attached best practices document from the ITSPA
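The configuration points above can be checked mechanically before a deployment goes live. The following is an added example, not VoiceHost code or a control panel export format: the Endpoint fields, the destination names and the 12-character minimum are assumptions made for illustration, and the sample records are constructed. It flags the wide-open settings described in this guide.

```python
from dataclasses import dataclass
from datetime import time

WEEKDAYS = {"mon", "tue", "wed", "thu", "fri"}
UK_ONLY = {"uk_landline", "uk_mobile", "uk_other"}

@dataclass
class Endpoint:
    """One seat, SIP trunk or PBX extension (hypothetical fields, not a VoiceHost format)."""
    name: str
    username: str
    password: str
    dial_days: set
    dial_from: time
    dial_to: time
    destinations: set
    intl_pin_required: bool = False
    allowed_source_ips: tuple = ()   # empty means any source may authenticate

def weak_credentials(ep, min_len=12):
    """Flag 100/100-style pairs and short or digit-only secrets (min_len is an assumption)."""
    pw = ep.password
    return pw == ep.username or len(pw) < min_len or pw.isdigit()

def audit(ep, days=WEEKDAYS, open_at=time(9, 0), close_at=time(17, 0), needed=UK_ONLY):
    """Return findings where the endpoint is more open than the customer's real usage."""
    findings = []
    if ep.dial_days - days:
        findings.append("dialling enabled outside working days")
    if ep.dial_from < open_at or ep.dial_to > close_at:
        findings.append("dialling enabled outside working hours")
    extra = sorted(ep.destinations - needed)
    if extra:
        findings.append("destinations enabled but not required: " + ", ".join(extra))
    if "international" in ep.destinations and not ep.intl_pin_required:
        findings.append("international calls allowed without Outbound PIN")
    if not ep.allowed_source_ips:
        findings.append("not locked to a source IP address")
    if weak_credentials(ep):
        findings.append("weak credentials")
    return findings

# Constructed sample data: a wide-open extension and a locked-down seat.
ALL_DAYS = WEEKDAYS | {"sat", "sun"}
wide_open = Endpoint("ext-100", "100", "100", ALL_DAYS, time(0, 0), time(23, 59),
                     UK_ONLY | {"uk_dq", "international"})
locked = Endpoint("seat-1", "u83kd", "fQ7#xV2m!pL9zR4c", WEEKDAYS, time(9, 0),
                  time(17, 0), set(UK_ONLY), allowed_source_ips=("192.0.2.10",))

if __name__ == "__main__":
    for ep in (wide_open, locked):
        print(ep.name, audit(ep) or "no findings")
```

Pass the customer's real working days, hours and required destinations to audit() in place of the defaults; an empty result means none of the wide-open conditions were found.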
High Risk Telecommunications Fraud Country Dialling Code List: (last updated 01/01/2019)