I’ve been hacked! How my office phone fell prey to scammers
September 22, 2009, by Steve Hannaford. Posted in: In this week's e-newsletter, Latest News & Views, Security
I was recently hacked. Not in my computer system, where our very good IT department continually and (so far) successfully battles intruders. No, not in my computer but in my phone.
Someone had broken into my phone account and started forwarding my incoming calls to an automated service selling (doubtlessly bogus) mortgage refinancing. This went on for a few days, and I assumed that the lack of phone messages was just due to the late summer lull. Only when my daughter tried to reach me repeatedly at work, and e-mailed me about the problem, did I discover the issue and (easily) had it fixed.
A pretty mild hacking, I must say. (And who would ever respond, I wonder, to such an obviously suspicious scam when they were trying to reach me?) But after talking to our phone system provider and doing some research, it’s clear that I had gotten a taste of a far more serious problem.
Modern office phone systems are, basically, computer systems, very different from even slightly older systems. Features like voice mail, remote access, and call forwarding make them great tools for productivity. But they also make them vulnerable to hacking.
The most typical trick appears to be routing long-distance calls through your company’s phone system. Here’s how it’s done in many cases. The hacker calls your company and, through the directory, gets to a user’s voice mailbox. (The call is usually made at night or on the weekends, so no one is likely to pick up the phone.) The hacker chooses the “Change Password” option, and then tries guessing passwords.
And here’s the rub. While most users know to set up unique passwords on their PCs, many people either leave the default (usually something like 1-2-3-4) or change the password to match their phone extension. As a result, a few tries often gets the hacker into the system.
Then the fun begins. Typically, the remote user dials international numbers, and uses or rents out the set-up for multi-hour conversations with family in Uzbekistan or Sierra Leone – with charges going to your company.
What if the provider blocks international calls or requires a specific dialing sequence to authorize them? Then the hackers use one of the widely advertised ten-ten numbers to forward the call through a third party in the country. Either way, the practice can add hundreds, even thousands to your phone bill, with little chance of getting your hands on the culprit.
So how do you protect yourself? We talked with Peter Eisengrein, in charge of operations at Evolve IP, our phone provider.
His recommendations:
- Determine who has the managerial responsibility for the phones in your company. The phone system often falls between the IT department and the operations department. In small companies it is one of many duties for a busy manager or the CEO. As a result, no one feels full responsibility for safeguarding it.
- Work with the phone system provider. Find out what protections they have for your system (such as the ability to detect suspicious behavior, extensive off-hours use, trying lots of passwords, suspicious overseas calls), and take action fast (closing down sessions, banning certain callers). As these attacks usually happen during non-business hours, staffing and software tools at the provider level become critical. And it’s also important that they communicate with you about any suspicious activity, successful or not.
- Set up precautions with the provider. For example, you might cut off international calls entirely, or allow them only for certain extensions, or certain times. Set up protection against 900 and 1010 numbers. You can also set up an allowed number of password tries.
- Educate. Make sure every employee is aware of the problem and is motivated to set up a hard-to-crack password. That means: 1) not the default, 2) not a simple numeric sequence, 3) not the extension number, and 4) at least five or six digits (the longer the safer). This may seem obvious, but many employees (myself included) are unaware of the threat and have other things to do.
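As an added illustration (not code from the post or from Evolve IP), here is how the four password rules in the last item, plus the allowed-number-of-tries limit from the provider item, could be enforced in a PIN-policy check. The default-PIN list, the minimum length of five digits, the lockout threshold of three, and the rejection of the reversed extension are my assumptions.

```python
"""Voicemail PIN policy check modelled on the four rules above (added example)."""
from __future__ import annotations

# Constructed list of factory-style defaults; the post names 1-2-3-4 as typical.
DEFAULT_PINS = {"0000", "1111", "1234", "00000", "12345", "000000", "123456"}
MIN_LENGTH = 5  # the post recommends at least five or six digits


def is_simple_sequence(pin: str) -> bool:
    """True for repeated digits (1111) or any constant step (1234, 4321, 2468)."""
    if len(pin) < 2:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1


def check_pin(pin: str, extension: str) -> list[str]:
    """Return the policy rules a proposed PIN breaks; an empty list means it passes."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("default PIN")
    if is_simple_sequence(pin):
        problems.append("simple numeric sequence")
    # Assumption: the extension embedded anywhere in the PIN, forwards or reversed, is rejected.
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains the extension number")
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    return problems


class LockoutCounter:
    """Counts failed PIN attempts per mailbox; the provider-side 'allowed number of tries'."""

    def __init__(self, max_tries: int = 3):
        self.max_tries = max_tries
        self.failures: dict[str, int] = {}

    def record_failure(self, mailbox: str) -> bool:
        """Record one bad attempt; return True once the mailbox should be locked."""
        self.failures[mailbox] = self.failures.get(mailbox, 0) + 1
        return self.failures[mailbox] >= self.max_tries

    def reset(self, mailbox: str) -> None:
        """Clear the counter after a successful login or an administrator unlock."""
        self.failures.pop(mailbox, None)
```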
