Phone system security and fraud prevention

My recent post, “How virtual phone systems help start-up success” was kindly mentioned today on Twitter by a frequent follower of ours, @GemLThompson. This led to an interesting comment from another user which read:

always worth making sure the SIP company will cover loses incurred by PBX hacking.. happens frequently with SIP

Now, I can only assume that the user was referring to instances where a company installs an IP-PBX on their own network, as opposed to using a hosted telephone system such as ours. If I am incorrect in this assumption then I apologise, but surely anyone who chooses to expose their own equipment to the outside world assumes responsibility for maintaining the security of that equipment and in turn for any losses that may arise as a result of doing so?

If I decided to run my own web server on my home PC and unknowingly exposed myself to hackers due to a lack of knowledge or an oversight on my part, would I look to my ISP for compensation? No. If I left my house in the morning with the door open and returned to find everything in it missing, who would I blame? Ignoring the issue of whether I should be able to leave my door open all day; myself.

So, if I am a small business and I want a web site, I will find someone to host it for me. If I want a business phone system… you get the picture.

With a hosted telephone service, the IP-PBX is hosted by the provider and will be protected by multiple layers of security, so network intrusion is extremely rare. That provider will usually also have additional measures in place to protect against telephone fraud. At Sipcentric we provide the following protection as standard:

Call Barring

Customers have the ability to set flexible call barring rules themselves via our customer portal, or we can add them on their behalf. Calls can be barred to any number prefix and from any number of individual extensions (or from all of them).

Credit Limits

Normally, calling credits are added on a pre-paid basis, so calls can only be made to the value of the credits purchased. However, in the case of post-paid accounts, a monthly call limit is agreed and if this is reached, no more calls can be made until we have agreed with the customer to increase the limit.

Calling Pattern Analysis

We have a very effective fraud management system in place which monitors all traffic and prevents (and immediately alerts us to) calls which reach pre-defined limits based around:

• Cost
• Duration
• Volume
• Call Rate
• Destination

The system also monitors the usage patterns (such as time of day, average call length, frequency of calls etc.) of each account and alerts us to any exceptional conditions.

I hope this helps to clarify the issue of IP-PBX security and the difference between hosting the equipment yourself or having someone else host it for you. If I’ve missed something, feel free to leave your own comments below.