Toll Fraud Security and DISA

By: Ralph Willett
Submitted: 2007-01-17 12:48:44
Print this article | Tell a friend | For publisher |

Rating:

 

Most businesses Telephone Systems have a feature called Direct Inward System Access or DISA for short. This feature allows authorized users to dial a special number into your telephone system and then either dial extension numbers directly or outside numbers utilizing your company’s less expensive long distance trunks and services.

A word of advice: If you are using DISA – Stop it!

There is a tremendous security risk associated with DISA that could cost your company thousands of dollars. As far as your long distance provider is concerned, you are responsible for the cost of any call originating from your telephone system even if the call is fraudulent.

Ideally, this is how DISA works:

An authorized external caller or employee needs to call a customer that would be a long distance call. Rather than paying for the long distance call on their bill, he or she dials into your PBX, enters a security code then dials his long distance call. The call then uses your long distance carrier and the caller does not have to expenses back the call. In most cases the call is cheaper this way also.

But in the real world it really works like this:

Someone finds or acquires your DISA number by one of several means: shoulder surfing, finding documents careless about or by one of several software programs designed to find such things. A working account code is discovered using the same methods. Once a valid number is found, the caller has nearly unlimited access to your long distance services.

Many times this information is used to set up "call centers" that will use your system to allow people to make calls to whatever county they like. These calls can add up to thousands of dollars in a very short period of time – even as short as a day or weekend your company is on the hook for the cost.

In this day and age we must also be concerned with terrorism. No one wants to be the medium that allows terrorist to communicate. But certainly that is a real possibility and the calls becomes more difficult for National Security to track.

Since the early years of my career, I have seen at least one case personally, and heard of many others, where a PBX technician set up a DISA number and authorization code and turned the customers PBX into his own personal long distance service. In this case, the cost may be minimal but you are still paying for the call.

Here are my specific recommendations for telephone system owners.

1) If you are using DISA - switch to prepaid calling cards or (and especially) if the user is making calls from his or her home office, offer a monthly stipend for long distance service. Residential long distance service can be found for as little as 1.6 cents per minute and cost of prepaid calling cards has fallen dramatically. Now the risk is limited to the cost of the card. You could also considering adding a VoIP line to the uses home for as little as $20 per month.

2) Have your telephone system service provider PROVE to you that DISA is not active. This means your technician must show you on the computer that this feature is either not available or that it has not been programmed for any reason. This should be checked at least once a year.

3) If your telephone system allows an outside line to be connected to another outside line without or without internal supervision, carefully consider why you need this feature. There may be perfectly valid reason to forward external callers to outside lines but you should closely evaluate your options. If you decide you do not need this feature, not only you’re your service provider disable it, but also work with your technician to have them prove to you it has been disabled. This may mean having the technician set the feature up, demonstrate how it works, disable it and demonstrate how it no longer works.

4) Be sure your Voice Mail system does not have a Class Of Service or Class of Restriction that allows it to transfer callers or even make outside calls. Some voice mail systems have the ability to transfer callers to outside telephone lines. Again outside transfers should be blocked. But also there is often requirements for voice mail to alert cell phones that a message has arrived in the users business telephone mailbox. If you use cell phone message waiting notification, be sure to verify with your PBX or key system service provider that all ports on the voice mail system only have the ability to call within your local zone. There is typically no reason for any port on a voice mail system to have the ability to make international or even national calls. Again, and I stress this, be sure to have your service provider prove these things to you.

5) Basic telephone system toll fraud security audits should be done at least once a year. Often, many different people will be programming in your system, activating and deactivating features. These individuals each come with varying degrees of skills and security concerns. It is imperative that you as a business owner or someone responsible for your telephone system verify that proper security measures have been take.

Remember this when asking for a new feature: even though you may not be aware of a feature that compromises your service, you are still responsible for the bills - even the fraudulent calls. Therefore always ask your service personnel if what they are doing may compromise security in anyway. Not only does this question help you understand the toll fraud security risk involved in what you are asking your technician to do, but it will also make your technician more conscience of the fact that you are expecting him or her to ensure security.

Ralph Nelson Willett is a Voice Telecommunications Specialist with over 20 years in the industry.
Visit http://www.aaVoicePro.com for more.

Article source: Expert Articles