Now, there isn’t really a huge amount you can do here as a customer that isn’t just a repeat of all other advice; the fix has to come from the industry (next page).

But as a consumer:

  1. Make sure your accounts are secure, both your VoIP Provisioning/Billing portal and your email accounts: use strong passwords, etc.
  2. Don’t store passwords using insecure methods (if you use Gmail, it may have stored the password for your VoIP Provisioning portal in plain text).
  3. Check your bills each month for changes (this can be bypassed, so it is not a silver bullet).
  4. Periodically check which services have been applied to high-risk extensions: your accounts department, office admin, and anyone else who would generally talk to your financial institutions. The services to look for are:
    • Call Recording
    • Call Listen/Call Barge/Silent Call Barge
    • Call Notify
    • Calling Plans
    • Call Redirect services
    • CoS (Class of Service)
  5. One thing you may not know you need to do relates to when your accounts are set up, so we will cover this one in a bit of detail.

A common mistake people make: they keep all emails!

When your VoIP extensions, Groups and Enterprises are set up, you will likely find that an email is generated to the users. It contains the link they need to click to access their online VoIP account at their various levels, and it prompts them to reset their passwords.

The reset password link is not usually the problem: it will usually expire if not used within a certain amount of time, and once used it cannot be used again. However, if I access your emails, what this email tells me is who your VoIP provider is, what the username is and what the URL for the provisioning server is.

So, I can then go to the provisioning server and reset your VoIP account password via your email address, using the ‘forgot password’ functionality.

Beyond that, there is not a huge amount you can do specifically relating to the VoIP Provisioning portal, but there are things you can check when picking a provider, specifically:

  1. Do they have provisions in place to notify you of the above services being manipulated on your accounts?
  2. Do they have provisions in place to notify them (the VoIP provider) if one of these services is manipulated for the first time on your accounts?

So that would be an important thing that we need VoIP providers to have going forward, which we look at on the next page.
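
Until a provider offers those notifications, the periodic check in step 4 can be scripted by comparing a saved baseline of service assignments with the current state. This is an added example, not code from the original page or from any provider; the CSV export layout, column names, extension numbers and values are constructed assumptions.

```python
import csv
import io

# High-risk services as listed in step 4, lower-cased for matching.
HIGH_RISK = {"call recording", "call listen", "call barge", "silent call barge",
             "call notify", "calling plans", "call redirect", "cos"}

# Constructed exports. Columns and values are assumptions, not a real portal format.
BASELINE = """extension,service,detail
201,Calling Plans,UK-National
201,CoS,No-International
202,Voicemail,
305,Call Recording,on
"""
CURRENT = """extension,service,detail
201,Calling Plans,UK-National
201,CoS,Unrestricted
201,Call Notify,constructed@example.invalid
202,Voicemail,
202,Silent Call  Barge,on
305,Call Recording,on
305,Call Redirect,constructed-number
"""

def load(text):
    """Map (extension, normalised service name) -> detail for one export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Collapse case and repeated spaces so naming drift does not hide a service.
        service = " ".join(row["service"].lower().split())
        rows[(row["extension"].strip(), service)] = (row["detail"] or "").strip()
    return rows

def audit(baseline_text, current_text, watched):
    """Return sorted (extension, service, change) findings for watched extensions."""
    before, after = load(baseline_text), load(current_text)
    findings = []
    for key in sorted(set(before) | set(after)):
        ext, service = key
        if ext not in watched or service not in HIGH_RISK:
            continue
        if key not in before:
            findings.append((ext, service, "added"))      # first-time activation
        elif key not in after:
            findings.append((ext, service, "removed"))
        elif before[key] != after[key]:
            findings.append((ext, service, "changed"))    # e.g. new plan or CoS
    return findings

if __name__ == "__main__":
    # Extensions 201 and 202 stand in for accounts and office admin.
    for finding in audit(BASELINE, CURRENT, {"201", "202"}):
        print(*finding)
```

Refresh the baseline only after each finding has been confirmed with the extension's owner, so an unauthorised change never becomes the new normal.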
