Interview

Halloween Bill Shocker

Phone hacking is a subject that rarely makes the press, as those hacked are mostly reluctant to go on record. However, a recent High Court case involving channel supplier Voiceflex has taken the lid off what can be a very costly business for everyone except, it would seem, the hackers.

Estimates of what phone hacking, or phreaking, costs the UK economy vary but many observers liken the value of losses to those of credit card fraud – over £100 million a year.

Paul Taylor, Sales and Marketing Director of Voiceflex, knows more than most, as his firm has just been on the receiving end of a High Court judgement in favour of its client, Leicestershire-based Frip Finishing, a customer for around six years.

The case centred on a hacking incident over the Halloween weekend of October 2011, when internet hackers infiltrated Frip’s telephone system and used it to make more than 10,000 international phone card calls. The company was presented with a bill of £35,000 and refused to pay Voiceflex, which then took the matter to court.

The telephone system router at Frip’s Manchester office was used to make 10,366 calls, most of them to a premium telephone number in Poland. At its peak there were 167 simultaneous calls going through the system, far in excess of what it was designed to carry.

Voiceflex’s legal team argued the service had been provided to Frip subject to clearly drafted terms and conditions and the refusal to pay the bill in full amounted to a breach of contract.

However, in dismissing Voiceflex’s claim, Judge David Grant rejected arguments that Frip had failed to adequately maintain the security of its network and the integrity and confidentiality of its username and password.

On the court’s interpretation of the contract, Frip was only obliged to pay for calls that it had actually made.

Paul Taylor of Voiceflex said, “The telephone system router had a fixed user name of ‘admin’ and the end user had set an 8-digit password, which the judge considered sufficient to meet our contract terms. The judge also said that our contract did not specifically state that users were liable for fraudulent calls and as a result we lost the case.

“There are many lessons to be learned here for the channel and for our part we have re-drawn our terms and conditions to include all calls whether fraudulent or otherwise.”

This hacking incident occurred two and a half years ago and in the intervening period Voiceflex has developed and now deploys its own fraud detection application known as ABBA, which stands for Advanced Behavioural Based Analysis.

Taylor says that network providers cannot simply rely on resellers and end users to adequately protect systems against fraud.

“ABBA registers IP addresses and if changed then a flag on the system is raised. If there’s a strange pattern of IP addresses associated with the system, say foreign IP addresses, then the account is suspended. ABBA learns what is happening and if it sees numbers being repeatedly dialled will block the calls. On our portal you can see high volume calls, set a financial limit against them which, if then reached, activates the account being suspended immediately.”

According to Taylor, despite this being a standard feature of his service, many users and resellers do not activate it.
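The rules Taylor describes (flag a changed IP address, suspend on a foreign one, block repeatedly dialled numbers, suspend at a financial limit) can be sketched as a small call-admission filter. This is an added example, not Voiceflex's ABBA code; the class, field names, thresholds, country codes, documentation-range IP addresses and placeholder destinations are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class TrunkState:
    registered_ip: str
    home_countries: frozenset = frozenset({"GB"})  # assumed policy
    repeat_limit: int = 3      # assumed: calls to one number before blocking it
    spend_limit: int = 5000    # assumed: cap in pence before suspension
    spend: int = 0
    dialled: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)
    suspended: bool = False
    events: list = field(default_factory=list)

    def _suspend(self, reason, detail):
        self.suspended = True
        self.events.append(("suspended", reason, detail))
        return False

    def admit(self, src_ip, src_country, dest, cost):  # True = carry the call
        if self.suspended:
            return False
        if src_ip != self.registered_ip:                # IP changed: raise a flag
            self.events.append(("flag", "ip_changed", src_ip))
            if src_country not in self.home_countries:  # foreign IP: suspend
                return self._suspend("foreign_ip", src_ip)
        if dest in self.blocked:
            return False
        self.dialled[dest] += 1
        if self.dialled[dest] > self.repeat_limit:      # repeated dialling: block
            self.blocked.add(dest)
            self.events.append(("blocked", "repeat_dial", dest))
            return False
        if self.spend + cost > self.spend_limit:        # financial limit: suspend
            return self._suspend("spend_limit", dest)
        self.spend += cost
        return True

HOME = "192.0.2.10"  # constructed sample traffic: (src_ip, country, dest, pence)
REPEAT = [(HOME, "GB", "PREMIUM-A", 340)] * 10
ROTATE = [(HOME, "GB", f"PREMIUM-{i}", 340) for i in range(20)]
FOREIGN = [("198.51.100.7", "ZZ", "PREMIUM-A", 340)]

def replay(attempts):
    state = TrunkState(HOME)
    return sum(state.admit(*a) for a in attempts), state.suspended, state.events
```

`replay(ROTATE)` shows why the financial limit matters: no single number is dialled often enough to be blocked, so the spend cap is what stops the traffic.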

“Today, for every SIP Trunk deployed on our platform we carry out a check on the router, check the IP address and try and push our way into the system via an open port. We then advise the reseller of the outcome. There are of course instances where a voice reseller installs the PBX and an IT reseller installs the router, so we go back again and check that the ports are closed. If we find a port open we inform our client for immediate action, as otherwise the service will be disabled.

“The overriding message here is to not let these instances get to court in the first place but take precautionary steps to prevent hacking. The court system is a lottery based on the opinion of the judge who may in essence be considered, technologically speaking, as a layman.

“This court ruling means that suppliers must look at their contracts. Ours, at that time, did not protect us – it does now.”

Taylor concludes, “Everyone knows this hacking is fraud but it comes down to who pays the bill.

“Our advice to resellers is to check your contracts and those of your SIP suppliers. Find out from carriers what their fraud policies are before you ask them about the costs of their services – it’s far more important. It is you, the reseller, that is responsible for the call bill and it may take you months to get the funds from your end user customer.

“Finally, it is worth noting that the police are not really interested in any such fraud case under £100k in value and that £35k frauds are occurring every week in the UK. Make sure you protect your customers and yourselves.”