VoIP security - PLEASE READ THIS
Telephone calls cost money. They cost us money to route the calls and we charge you money. There are people who try to defraud you, or us, into making calls and running up a bill. It is important that you take security seriously to avoid an unexpected bill.
What are the risks?
There are two main types of fraud. In the first, the calls are made for people who genuinely want to make phone calls: some company or shop routes lots of calls for people wanting to call home (expensive overseas numbers) and charges them, using compromised accounts to route those calls without paying for them. In the second, a number provides some sort of kickback to whoever controls it (like premium rate numbers, though in practice these are typically expensive international numbers), and lots of calls are made to it for as long as possible to get revenue from the calls. There are, no doubt, other reasons for call fraud.
The key risks here are that (a) your VoIP equipment is compromised and someone uses it remotely to make calls via us, or (b) your VoIP login details are compromised, and someone uses us directly but with your credentials to make calls.
It is important to realise that, as per our terms, in most cases, if there is some sort of fraud then you have to pay for the calls that have been made, so please do take security seriously and use the options we provide to reduce risks.
How can we reduce the risks?
There are a number of steps you can take, and that we take, to reduce these risks. Please consider which are appropriate to your usage. Because people have a wide range of applications for VoIP, it is not practical for us to guess what settings you want, though we do try to set some sensible defaults.
- Picking a sensible password for your VoIP service. We pick a password for you, and whilst it may be easy to remember, it is long and has a lot of entropy. If you change it to a very simple password it is possible for someone to guess it.
- Don't disclose your VoIP password or your login details for our control pages or accounts pages to anyone, or put them somewhere that is insecure. It is your responsibility to make sure any password for any of our systems is kept secret. For avoidance of doubt, you are allowed to put your VoIP details into our control pages for our SIP2SIM service if you have a SIM from us (thereby agreeing to all calls made from the SIM being charged to your VoIP account).
- We already have brute force attack protection: multiple attempts to log in to any VoIP account with wrong details will lock out further attempts from that source (even if they then get the password right). This helps ensure that a good password is not guessed. Obviously we cannot guarantee this is foolproof - it works on requests made from the same IP address only, and has various timeouts, which could mean a very slow attack or one spread across multiple IP addresses may get past it.
- Limit types of calls - we don't allow normal premium rate numbers anyway, but we have a pence/min rate limit for national and international calls which are normally set to sensible limits. You can ask for these to be raised to allow calls to more expensive international numbers. This may be necessary to ring some international mobiles.
- Lock down your IP. We allow you to configure the IP address from which you will make calls. This only works for people that have a fixed IP installation rather than dynamic IP, or making use of VoIP from anywhere they like. It does however stop your VoIP login details being used from anywhere else. Bear in mind, this does not help if your own VoIP equipment is compromised.
- Ensure adequate firewalls and security on your VoIP equipment. VoIP phones often have a web interface, and that interface can often reveal the login details the phone is using, so do not leave it reachable from the Internet or protected only by a default password.
- Set warning levels - we set these anyway, but you can set them to a sensible limit for your expected usage. We aim to send a warning email if your un-billed usage exceeds a certain level. This does not stop the usage though, and is only checked around every hour, so usage can be way beyond the level you picked if lots of calls are being made.
- We aim to send a courtesy email when we see a new user agent or IP address use your credentials. You can disable this (not recommended) on the control pages, or just make it email when the user agent changes (if you often change IP). This can help flag up if your account is compromised. This does not stop calls being made.
- We try to track high levels of calls to international numbers and lock down accounts if there are lots of calls. This may help to reduce the cost of an attack if it follows the usual pattern. Obviously we cannot guarantee to spot every possible pattern of calls.
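To make the interaction between these controls concrete, the following is an added example (not the provider's code, and not a description of how their systems are built) that applies four of the controls above to constructed records: a per-IP lockout that keeps refusing a locked IP even once it presents the right password, an IP lock-down that rejects valid credentials from any other address, an alert (but no block) when valid credentials arrive from a new IP or user agent, and an account lock when international calls exceed a rate. All thresholds, the record layout, the `00` international prefix and the sample addresses (from the RFC 5737 documentation ranges) are assumptions for illustration.

```python
# Added example (not the provider's code): a small monitor applying the
# controls listed above to constructed records. Thresholds, record fields
# and the "00" international prefix are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5         # assumed: failed logins from one IP before lockout
LOCKOUT_SECONDS = 600    # assumed: how long a locked IP stays locked
INTL_CALL_LIMIT = 10     # assumed: international calls per window before account lock
WINDOW_SECONDS = 3600    # assumed: rolling window for the call-rate check


@dataclass
class Account:
    username: str
    password: str
    allowed_ips: set = field(default_factory=set)    # empty set = no IP lock-down
    known_sources: set = field(default_factory=set)  # (ip, user_agent) pairs already seen
    locked: bool = False


class Monitor:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.failures = defaultdict(list)    # ip -> timestamps of failed logins
        self.lockout_until = {}              # ip -> time the lockout expires
        self.intl_calls = defaultdict(list)  # username -> timestamps of intl calls
        self.alerts = []                     # courtesy-email style notifications

    def authenticate(self, ts, ip, username, password, user_agent):
        """Return an outcome string for one authentication attempt."""
        # Lockout is keyed on the source IP, so a locked IP is refused even
        # if it now presents the right password.
        if self.lockout_until.get(ip, 0) > ts:
            return "locked-out"
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            recent = [t for t in self.failures[ip] if ts - t < LOCKOUT_SECONDS]
            recent.append(ts)
            self.failures[ip] = recent
            if len(recent) >= MAX_FAILURES:
                self.lockout_until[ip] = ts + LOCKOUT_SECONDS
                return "locked-out"
            return "bad-credentials"
        # IP lock-down: valid credentials from an unexpected address are useless.
        if acct.allowed_ips and ip not in acct.allowed_ips:
            return "ip-not-allowed"
        # New IP or user agent with valid credentials: alert, but do not block.
        source = (ip, user_agent)
        if source not in acct.known_sources:
            acct.known_sources.add(source)
            self.alerts.append(f"{username}: new source {ip} ({user_agent})")
        return "ok"

    def call(self, ts, username, dialled):
        """Rate-check international calls and lock the account on a burst."""
        acct = self.accounts[username]
        if acct.locked:
            return "account-locked"
        if dialled.startswith("00"):  # assumed: 00 = international dialling prefix
            recent = [t for t in self.intl_calls[username] if ts - t < WINDOW_SECONDS]
            recent.append(ts)
            self.intl_calls[username] = recent
            if len(recent) > INTL_CALL_LIMIT:
                acct.locked = True
                self.alerts.append(f"{username}: locked after {len(recent)} intl calls")
                return "account-locked"
        return "allowed"


def run_demo():
    """Replay constructed events and return the outcomes for inspection."""
    pw = "CorrectHorse-Battery-Staple-92"   # constructed sample password
    m = Monitor([Account("alice", pw, allowed_ips={"203.0.113.10"})])
    out = {}
    # Password guessing from one address: five wrong guesses lock the IP,
    # so a later attempt with the right password is still refused.
    for i in range(5):
        out[f"guess{i}"] = m.authenticate(100 + i, "198.51.100.7", "alice",
                                          f"password{i}", "scanner/1.0")
    out["right-pw-after-lock"] = m.authenticate(106, "198.51.100.7", "alice",
                                                pw, "scanner/1.0")
    # Stolen credentials used from a non-allowed IP are blocked by the lock-down.
    out["stolen-creds-other-ip"] = m.authenticate(200, "192.0.2.44", "alice",
                                                  pw, "softphone/3.0")
    # Legitimate login from the allowed IP with a new user agent: ok, plus an alert.
    out["legit"] = m.authenticate(300, "203.0.113.10", "alice", pw, "desk-phone/2.1")
    # A burst of international calls trips the rate check and locks the account.
    for i in range(INTL_CALL_LIMIT + 1):
        out["last-intl-call"] = m.call(400 + i, "alice", "0012125550100")
    out["alerts"] = list(m.alerts)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Note what the replay shows and what it does not: the IP lockout stops a guesser on one address but a guesser that rotates addresses resets the per-IP counter, the IP lock-down does nothing if the attacker is inside the allowed address (a compromised phone), and the rate check only fires after the first ten international calls have already been allowed through. That is exactly why the page asks you to combine these controls rather than rely on any one of them.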
We are always working on new security measures, but we can never guarantee to detect fraud and stop calls as there may be no way to tell them apart from perfectly normal calls you are making. It is important that you play your part in ensuring your system is secure and your login details are not disclosed.
Please do keep an eye on our status pages and control pages for more security measures as we add them.
Whose risk is it anyway?
We want to be fair with our customers, but we also do not wish to be out of pocket if we have not done anything wrong. We explain the checks and security measures we can offer, and if they are not sufficient for your needs you should not take service from us.
If we have made an error and failed to provide the security we claim to (e.g. if the IP lock down allowed calls from outside the IP you specified, or somehow we disclosed your VoIP login details to someone else) then we would not charge you for the fraudulent calls that result.
However, we do expect you to keep the login details secure, and so if your login details are correctly used we expect you to pay for the calls. We'll consider any evidence you have to suggest we somehow disclosed your details or were otherwise negligent, but if not, then we have to assume the details came from you, or your equipment, and that you have to pay for the calls.
Where there is a clear case of some sort of fraud and a large bill we will also (a) reduce the cost of calls to our cost price, though this is often a very small reduction, (b) try to see if our carriers will reduce the cost if they can and pass that reduction on to you, and (c) try to come to an arrangement for payment by installments if you cannot pay in one go. We have no intention of making money out of fraud, but we don't wish to make a loss if we have not failed in some way.
So please, take security seriously.