Prevention is Better than the Cure
was kindly sponsored by Yealink
The agenda was as follows:
1) Telecoms/VoIP Fraud – the current state of play and how bad is it?
2) An outline of three specific types of fraud and what to do to tackle it:
- PBX Hacks
- Accessing SIP credentials
- Identity spoofing
3) ITSPA work with Law enforcement and the plan ahead in tackling this problem
4) Panel Q&A – How to prevent fraud, spot fraudsters and adhere to best practice
The workshop was both well attended and informative, containing a great deal of valuable information in a session of just over an hour, with demand for more follow-up at a future event.
The event began with Simon Woodhead, CEO of Simwood, outlining the theme of the workshop and explaining his and Simwood's recent work to raise awareness of the seriousness of VoIP fraud, including their own 'honeypot' as well as the analysis that Simwood have provided. He concluded by making the prediction that attendees would not act on the advice contained in the session, and challenged them to prove him wrong.
David Cargill then provided a comprehensive section on PBX hacking and CLI spoofing. David outlined what PBX hacking is, explaining the growing nature and damage caused by the problem, and then explained 5 key recommendations that should be followed. He also pointed out that ITSPA has produced two documents that provide excellent advice regarding this issue: 'The Recommendations for secure deployment of an IP-PBX' Best Practice document and the recently published 'Recommendations for Provisioning Security' Best Practice document. A summary of CLI spoofing then followed, with scams such as 'vishing' and 'swatting' being outlined before a number of steps on how to combat these problems were raised. David also provided a summary of ITSPA's on-going work to tackle this problem through collaborating with law enforcement agencies.
In his presentation, Steve Watts of Yealink focused on security from a SIP end perspective. A great number of security procedures were outlined by Steve, which fell under the categories of: provisioning security, network access security, conversation security, privacy and application security. In conclusion, he summarised that a multi-faceted approach would be the best path for attendees to take.
Colin Duffy's presentation provided an outline of Voipfone's own fraud experience, principally focussing on a standard hack as well as credit card fraud. Colin provided a detailed and highly useful run-through of Voipfone's recent experiences of fraud and the steps that it has taken to combat the hack attempts. He also recommended that attendees read the relevant parts of Europol's recent report on Internet crime.
The session concluded with Simon Woodhead returning to the stage to provide details of a range of no-cost solutions that could be adopted (including using a carrier with realtime billing, using the 'honeypot' data and being cautious when using auto-provisioning) before then initiating a question and answer session with the audience. The afternoon was highly constructive for all those that attended and there was demand from the audience for a further session to explore the issues raised in further depth.