Release date: 30 March 2010 

An unsecured PABX system can be compromised through an insecure voicemail system (or a similar feature) that allows incoming callers to dial extensions directly and, in some cases, to obtain an outside line. Hackers have targeted these systems across the world, sometimes resulting in a large volume of international calls being charged to the PABX user’s account.

To help ensure your business is protected against this type of fraud, we advise you to check that your PABX system is secure and is configured to maximise your security.

Who’s at risk?
Any PABX system users who are not following recommended standard security measures, particularly regarding the use of a PIN for remote access, may be at risk from this threat.   

Minimising your risk
We strongly recommend you take action now: review and follow the security measures below as soon as possible. If you want to be sure you have the correct security configuration in place, please contact your Gen-i client manager.

As part of our service to our clients, we constantly monitor voice traffic activity and act on anything that looks out of the ordinary. To further minimise the risk of costs being incurred, we recommend you take the following steps to ensure your PABX is secured.

If you have any questions about this, please contact your Gen-i client manager.

Guard against PABX hacking – some practical steps

  1. Remove or de-activate all unnecessary system functionality including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
  2. Restrict any destinations that should not normally be dialled: for example, premium rate, international, operator and directory enquiry numbers.
  3. Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  4. Bar voicemail ports for outgoing access to trunks if possible. Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  5. If access to trunks via voicemail is necessary then implement suitable controls. Remove auto attendant options for accessing trunks.
  6. Lock surplus mailboxes until allocated to a user.
  7. If DISA is not used then disable it completely.
  8. Restrict access to equipment, e.g. your comms room and master terminals.
  9. Only give the appropriate and minimum level of system access required to carry out a task.
  10. Make sure all security features – passwords, PINs etc. – are changed following installation, upgrade and fault/maintenance work. Don’t forget to reset default passwords.
  11. Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  12. Avoid using tones to prompt for password/PIN entry: these are often used by hacking programs to detect a system. Develop processes to cover employee entry procedures, passcards, new employee vetting, and people leaving or changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  13. Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
  14. Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  15. Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.
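Step 3 asks you to review call logs for unusual volumes and suspicious destinations. The following script is an added example, not Gen-i's own tooling: it scans a small set of constructed PABX call detail records (CDRs) and flags calls to the destination classes named in step 2, calls made out of hours, and any single source (such as a voicemail port) that places many restricted calls. The CDR layout and the New Zealand dialling prefixes are assumptions for the example.

```python
# Added example (not from the Gen-i advisory): scan PABX call detail records (CDRs)
# for the warning signs the advisory lists. The CDR layout (timestamp, source
# extension, dialled number, duration in seconds) and all sample lines are constructed.
from collections import Counter

# Constructed CDR lines; "VM1" models a voicemail port placing calls overnight.
SAMPLE_CDRS = """\
2010-03-28 09:12:01,201,0494123456,95
2010-03-28 09:40:17,202,0800694364,60
2010-03-28 23:05:44,VM1,00447700900123,610
2010-03-28 23:07:02,VM1,00447700900124,598
2010-03-28 23:09:11,VM1,00447700900125,605
2010-03-28 23:11:50,VM1,00447700900126,612
2010-03-29 02:30:09,VM1,00447700900127,590
2010-03-29 10:02:33,203,0900123456,120
"""

# Destination classes the advisory says to restrict (NZ dialling prefixes assumed).
PREFIX_CLASSES = {"00": "international", "0900": "premium rate",
                  "018": "directory enquiries", "010": "operator"}

def classify(number):
    """Return the restricted class for a dialled number, or None if it looks ordinary."""
    for prefix, label in sorted(PREFIX_CLASSES.items(), key=lambda p: -len(p[0])):
        if number.startswith(prefix):
            return label
    return None

def parse_cdrs(text):
    """Parse the constructed CSV-style CDR lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, ext, number, dur = line.split(",")
        records.append({"time": ts, "ext": ext, "number": number, "duration": int(dur)})
    return records

def find_alerts(records, volume_threshold=3):
    """Flag restricted destinations, out-of-hours calls, and high per-source volumes."""
    alerts, per_source = [], Counter()
    for r in records:
        hour = int(r["time"][11:13])          # hour field of "YYYY-MM-DD HH:MM:SS"
        label = classify(r["number"])
        if label:
            alerts.append((r["ext"], r["number"], label))
            per_source[r["ext"]] += 1
        if hour >= 22 or hour < 6:            # outside assumed business hours
            alerts.append((r["ext"], r["number"], "out of hours"))
    for src, n in per_source.items():
        if n >= volume_threshold:
            alerts.append((src, "*", f"{n} restricted calls from one source"))
    return alerts
```

Run against real CDR exports, the same checks highlight a voicemail or DISA port that suddenly starts dialling international numbers overnight, which is the pattern this advisory warns about.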