Monday, 18 October 2010

Bastards!

Big rise in VoIP hacking lately. We can usually pick up on it and stop it. This is not automated (yet).

Sadly one of my customers was hacked, and we are charging him hundreds for the calls.

What really pisses me off is that, in an effort to help customers, if a call cannot route via one carrier we fall back to another. Sadly, in this case the other carrier cost us far more.

In fact, whilst we are charging our poor customer a few hundred, we expect to be paying nearer £15,000 for the calls.

I am not a happy bunny :-(

P.S. Nagios is getting quite a few more alerts added.
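The loophole described above, as an added illustration that is not AAISP's code: the expensive-destination check is applied once, against the normal carrier's rate, and then the call is allowed to fall back to a carrier whose rate for the same prefix was never checked. The carrier names, rate tables, the Palau prefix pricing and the cap value are all constructed for the example; the fixed router re-applies the cap to whichever carrier is actually about to carry the call.

```python
# Added example (not AAISP's code): models the carrier-fallback loophole the post
# describes.  Carrier names, rate tables and the cap are constructed for illustration.

# Constructed per-minute rates (GBP) keyed by dialled-number prefix.  The Palau
# prefix (680) is cheap on the primary carrier but very dear on the fallback.
RATES = {
    "primary":  {"44": 0.01, "1": 0.01, "680": 0.05},
    "fallback": {"44": 0.02, "1": 0.02, "680": 2.50},
}
CARRIER_ORDER = ["primary", "fallback"]   # tried in this order when routing
MAX_RATE_PER_MIN = 0.50                    # hypothetical "silly expensive" cut-off


def rate_for(carrier, number):
    """Longest-prefix match against the carrier's rate table; None if unroutable."""
    table = RATES[carrier]
    for n in range(len(number), 0, -1):
        if number[:n] in table:
            return table[number[:n]]
    return None


def route_vulnerable(number, available):
    """Before: the cap is checked once, against the primary carrier's rate, and then
    the first carrier that is up gets the call.  A destination that is cheap on the
    primary passes the cap, so when the primary is down the call silently lands on
    the fallback at its much higher rate.  Returns (carrier, rate) or None."""
    primary_rate = rate_for("primary", number)
    if primary_rate is None or primary_rate > MAX_RATE_PER_MIN:
        return None
    for carrier in CARRIER_ORDER:
        rate = rate_for(carrier, number)
        if available[carrier] and rate is not None:
            return carrier, rate
    return None


def route_fixed(number, available):
    """After: the cap is applied to the rate of the carrier that will actually carry
    the call, so a fallback can never cost more than the cap allows.  A carrier whose
    rate breaches the cap is skipped; if none remains the call is rejected (None)."""
    for carrier in CARRIER_ORDER:
        rate = rate_for(carrier, number)
        if not available[carrier] or rate is None or rate > MAX_RATE_PER_MIN:
            continue
        return carrier, rate
    return None


def bill(router, calls, available):
    """Total carrier cost of a list of (number, minutes) under a routing policy,
    plus the number of calls the policy rejected."""
    total, rejected = 0.0, 0
    for number, minutes in calls:
        decision = router(number, available)
        if decision is None:
            rejected += 1
        else:
            total += decision[1] * minutes
    return round(total, 2), rejected


if __name__ == "__main__":
    # Primary carrier down, attacker hammering the Palau number from a hijacked PBX.
    primary_down = {"primary": False, "fallback": True}
    attack = [("680123456", 30)] * 5
    print("vulnerable:", bill(route_vulnerable, attack, primary_down))
    print("fixed:     ", bill(route_fixed, attack, primary_down))
```

The point of the example is where the check sits: a per-destination block list evaluated only against the primary carrier's price list says nothing about what the same prefix costs on the route the call ends up taking, so the cap has to be evaluated per carrier at the moment of selection, and a call that cannot be carried within the cap should fail rather than fall through.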

16 comments:

  1. Where were these calls to?

  2. Caps?

    Can we not have an alerting system - with a human in the link - to say - woah! More in a day than in the last month?

    If a customer who pays around £50 a month suddenly racks up 3, 5, 10x that, alarm bells should be ringing.

    I would like a hard cap on all my services so I can't make a big mistake.

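The "more in a day than in the last month" rule from the comment above, as an added example that is not part of the original thread or AAISP's systems: a spend-spike check run over call detail records. The CDR format (date, customer, destination, minutes, cost), the customer names, the amounts and the threshold values are all constructed for the example.

```python
# Added example (not AAISP's code): per-customer spend-spike check over call
# detail records, of the "more in a day than in the previous month" kind.
# CDR format, customer names, amounts and thresholds are constructed.
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2010, 10, 18)


def constructed_cdrs():
    """Build a small CDR set: 30 days of ordinary traffic for two customers, then
    today's calls, where 'acme' suddenly runs up far more than its usual monthly bill."""
    rows = []
    for d in range(1, 31):
        day = (TODAY - timedelta(days=d)).isoformat()
        rows.append(f"{day},acme,441234567890,3,0.60")   # about £1.50/day, ~£45/month
        rows.append(f"{day},acme,447700900123,5,0.90")
        rows.append(f"{day},beta,441234567890,4,0.80")
    today = TODAY.isoformat()
    rows += [f"{today},acme,680123456,30,75.00"] * 5      # repeated dear international calls
    rows.append(f"{today},beta,441234567890,4,0.80")
    return "date,customer,dest,minutes,cost\n" + "\n".join(rows) + "\n"


def daily_spend(cdr_text):
    """Aggregate cost per customer per calendar day.  Returns {customer: {date: spend}}."""
    spend = defaultdict(lambda: defaultdict(float))
    for row in csv.DictReader(io.StringIO(cdr_text)):
        spend[row["customer"]][date.fromisoformat(row["date"])] += float(row["cost"])
    return spend


def spend_alerts(cdr_text, today, ratio=1.0, floor=20.0, window_days=30):
    """Flag customers whose spend today exceeds `ratio` times their total spend over
    the previous `window_days` days (ratio=1.0 is 'more in a day than in the last
    month').  The absolute floor stops a brand-new customer with no history being
    flagged for a handful of calls.  Returns {customer: (today_spend, baseline)}."""
    alerts = {}
    start = today - timedelta(days=window_days)
    for customer, by_day in daily_spend(cdr_text).items():
        today_spend = by_day.get(today, 0.0)
        baseline = sum(v for d, v in by_day.items() if start <= d < today)
        if today_spend > max(floor, ratio * baseline):
            alerts[customer] = (round(today_spend, 2), round(baseline, 2))
    return alerts


if __name__ == "__main__":
    for customer, (now, base) in spend_alerts(constructed_cdrs(), TODAY).items():
        print(f"ALERT {customer}: £{now:.2f} today against £{base:.2f} in the previous 30 days")
```

The check is deliberately coarse: it runs on whatever billing data already exists, needs no per-destination knowledge, and the `ratio` and `floor` knobs let the operator choose between "alert a human" (low ratio) and "hard cap and block" (higher ratio, with the action wired to the result). It catches a hijacked customer PBX dialling out in bulk, which is the case in the post, but a slow drip of calls under the daily threshold would still need the per-call cost checks.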
  3. Extra precautions and checks in place our end.

    We don't have hard or even soft caps on per user charges (yet). We may do something soon.

    I am just so pissed off right now.

  4. That is really annoying... Can you restrict the VoIP to only certain countries (maybe just the UK), giving the option of de-restricting upon request? Or you could restrict it to their fixed IP addresses, with the possibility of adding more through their control panel, or de-restricting altogether (with plenty of disclaimers and warnings).

  5. Only accept calls from IP addresses registered by the user, i.e. their A&A account.

    Cap outbound calls at prearranged values - this allows the customer to limit their risk.

    Analyze call volume and alert the customer via SMS if it's out of the norm. Give them the option to immediately block further traffic.

    Use a SIP server that's been through the wars already and had vulnerabilities patched.

    Block calls to Nigeria, Morocco etc. Sorry but Nigeria, Morocco etc are known fraud endpoints and unless your customer specifically wants to call there (prearranged?) block them.

    Andy

  6. Locking down IPs would not help - the user was hacked, not us.

    We do cap outbound calls - these calls were cheap (and we make a profit on the normal carrier; it was the fallback to the other carrier that was the mistake).

    We are picking up high call volumes now :-)

    The SIP server was not hacked, the customer's was.

    These were Palau or some place, and one hack we saw was Spain of all places.

  7. In summary - never as simple as it sounds.

  8. I would personally block premium rate and international by default, then de-restrict when requested (tick box within your control panel)?

    As a business to business provider I'm guessing most calls are to mobiles and landlines?

  9. Having slept on it, I'm not entirely sure why I felt the need to add a question mark to my first sentence; I'm almost questioning myself.

    All I can say in my defence is that it was a very long day yesterday (technically it was the same as any other day, but it felt that way).

  10. The problem is many international destinations are the same cost as national. I think we might even pay less to call the US than local numbers, or something damn close anyway. So crazy not to allow the cheap ones.

    We already block the silly expensive ones, well, when routed via the normal carrier. This loophole was numbers that were cheap normally and falling back to expensive. That is fixed too.

  11. Probably isn't appropriate for business use but for my person void is be happy to prepay say 10 pounds of credit and be able to top that up and to be disconnected if it runs out, reducing the risk to everyone.

  12. How on Earth can someone spend £15 grand on phone calls???
    I suppose it isn't someone phoning home, but selling the stolen phonecalls to others and raking in the profits.
    Is it not possible to trace the source and drag them into court?

  13. That should say VoIP and generally make a lot more sense. I shouldn't post from phones.

  14. You could perhaps presell units as with broadband?

  15. HDRW - normally it's calling premium rate numbers controlled by the attacker, which are generally set up in other countries where the regulations aren't as strict as in the UK (in UK you can get the money back if it's clearly fraudulent etc).

  16. @HDRW

    It's probably a call shop, walk in prepay/calling card make a call. It's quite common. If they found a route they'd just use it as much as they could until it stopped working.
