*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
-=[SD]=- Sepulchral Darkness -=[SD]=-
presents :
How to use SMDR Records to detect PBX Fraud
Brought to you by :
---=[AZTECH]=---
Sepulchral Darkness '95 All Rights Worth Shit
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

-=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=-

OCTOBER 14TH, 1994

TOLL FRAUD EPIDEMIC

Irvine, California: If your company has been a victim of toll fraud
and/or internal phone abuse, or if you are afraid it will be, then
welcome to the club. Every day hackers gain access to phone systems
and steal thousands of dollars' worth of calls. Oftentimes these
charges are incurred in a single day or night of unauthorized access.

USING SMDR "FILTERS"

There is a unique way to combat the toll-fraud artist and internal
phone abusers. Station Message Detail Records can be "filtered" as
they are received from PBX SMDR output ports. These "filters", through
which all SMDR records must pass, can be created to match the format
of any PBX's SMDR data strings, and by using logical operators, a
myriad of toll-fraud and internal abuse calls can be monitored.

If your PBX system includes DISA (Direct Inward Switch Access), a
common means of "phracking" is accomplished by short repetitive calls
which constitute attempts to hack access codes and gain access to
outside lines. To monitor this type of activity, the SMDR "filter"
would monitor short, repetitive after-hours voice mail calls with a
maximum of 15 seconds each; after a user-defined limit of these calls
has been counted, an internal alarm is tripped and real-time
notification can be employed.

INTERNAL PHONE ABUSE MONITORING

Another common form of internal abuse (or of abuse once malicious PBX
access has been gained) is lengthy international calls being placed
after hours, or calls placed to countries in which the respective
company has no interests.
In these cases, all calls beginning with "011" can be monitored;
countries which normally receive authorized PBX traffic can be
excluded. A common filter monitors any international call placed after
business hours, or any overseas call of more than N minutes in
duration.

Internal monitoring via SMDR data is very flexible. The "filters" set
for internal purposes might include repetitive calls to area codes in
which the respective company has no interests. There have even been
instances of "filters" being set to match a competitor's phone number
to enable notification of any internal contact with rival companies.

REAL-TIME DETECTION AND NOTIFICATION

In the case of malicious access to PBX outside lines, real-time
notification is of the essence. If the filtering device incorporates
data recording and a modem for remote polling, the modem can be
programmed to dial out to an alphanumeric pager as soon as the
designated alarm is tripped. When the pager has been notified, the PBX
supervisor can dial in to the device via any terminal emulation and
poll all calls which tripped the alarm (or poll all SMDR data stored)
and take appropriate measures to avoid fraudulent charges.

Other forms of notification include an audible alarm at the security
center or sending a report to a local or remote PC or printer. In any
case, with an internal modem in the device, supervisors are able to
contact the unit from any remote location to view the offending call
records and enact preventive measures such as changing access codes or
disabling the DISA feature. Remote access to the filtering device is
also password protected.

SMDR RECORDING AND POLLING

If SMDR data is also being used for the purpose of traffic analysis,
the real-time notification can be incorporated to inform the
supervisor (via pager or terminal) that the SMDR storage device is X%
full and needs to be polled in a given time period to avoid over-write
or loop-back of recorded station detail records.
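
An added example, not part of the original file: the two filters described above (short repetitive after-hours calls on a watched port, and "011" calls placed after hours or running over N minutes) written in Python over constructed SMDR lines. The record layout, port 7000, the business hours, the 30-minute window, N = 20 and the allowed country code are all assumptions; real SMDR layouts differ per PBX.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed layout (real formats differ per PBX): date start duration port dialed
RECORD = re.compile(r"(\d\d/\d\d/\d\d \d\d:\d\d) (\d\d):(\d\d):(\d\d) (\S+) (\S+)$")
OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business hours, Mon-Fri
WATCHED_PORTS = {"7000"}               # assumed voice mail / DISA port
SHORT_SECS, SHORT_LIMIT = 15, 3        # 15 s per the article; limit is user-defined
WINDOW = timedelta(minutes=30)         # assumed span that counts as "repetitive"
MAX_INTL_SECS = 20 * 60                # the article's "N minutes", N = 20 assumed
ALLOWED_COUNTRIES = ("44",)            # country codes with authorized traffic

def after_hours(ts):
    return ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)

def run_filters(lines):
    alarms, recent = [], defaultdict(deque)
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue                   # skip line noise from the SMDR port
        when, h, mi, s, station, dialed = m.groups()
        ts = datetime.strptime(when, "%m/%d/%y %H:%M")
        secs = int(h) * 3600 + int(mi) * 60 + int(s)
        off = after_hours(ts)
        # Filter 1: short, repetitive after-hours calls on a watched port
        if off and station in WATCHED_PORTS and secs <= SHORT_SECS:
            seen = recent[station]
            seen.append(ts)
            while ts - seen[0] > WINDOW:
                seen.popleft()
            if len(seen) >= SHORT_LIMIT:
                alarms.append(("SHORT_REPEAT", station))
                seen.clear()           # re-arm after notifying
        # Filter 2: "011" calls to countries not on the allowed list
        intl = dialed.startswith("011") and not dialed[3:].startswith(ALLOWED_COUNTRIES)
        if intl and (off or secs > MAX_INTL_SECS):
            alarms.append(("INTL_CALL", station))
    return alarms

SAMPLE = """\
10/14/94 10:15 00:05:00 2310 011442079460000
10/14/94 11:00 00:31:00 2311 011815550100
10/14/94 23:01 00:00:09 7000 -
10/14/94 23:02 00:00:11 7000 -
10/14/94 23:04 00:00:08 7000 -
10/14/94 23:30 00:42:10 2315 0115215550100
~~ line noise ~~""".splitlines()       # constructed records, not real call data
```

Calling run_filters(SAMPLE) returns the alarms in record order; each tuple is what the device would hand to the pager or report step.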