Blocking Toll Fraud in BCM, Call Pilot, and Norstar Voicemail
Condition
Certain vulnerabilities have been identified which allow malicious toll fraud through the automated attendants in BCM, Call Pilot 150, and Norstar Voicemail. Nortel is pleased to announce that new patches are now available to effectively block this vulnerability.
Problem recognition and recommended solutions
1. For sites that are not using centralized voicemail or centralized auto attendant for multiple nodes, please ensure the feature "Enable Network Transfers" is set to "No". In BCM and Call Pilot 150, this option can be found under "Configuration" and "System Properties" within Call Pilot Manager. "Enable Network Transfers" is "No" by default in BCM and Call Pilot 150 and is not seen in Call Pilot 100 because it is always off by design. In Norstar Voicemail 4.1, "Enable Network Transfers" is "Yes" by default, and we have a patch that allows you to turn off this option in Feature 915. This patch can be downloaded from our website under the product "Norstar: Messaging - Voice Mail" (a link to the website is provided below). It is an executable program that makes a bootable diskette.
   1. Double-click the executable and follow the instructions to make the diskette.
   2. When the diskette is made, shut down the NAM and insert the diskette.
   3. Power up the NAM and wait for the single beep indicating that the patch is done.
   4. Remove the diskette and reboot the NAM.
   5. The new option will now be seen in Feature 915 and will show up under "Admin" as "Ext Xfer".
   6. Feature 915 is the feature code to enter "Access Programming" on Norstar Voice Mail. The password is access2 (2223772) on the keypad of a two-line display set. On some Norstar Application Modules, the feature code for "Access Programming" may be Feature 916, 917, 918 and so on. (There are various reasons that the "Access Programming" feature code changes which will not be discussed in this document.)
   7. Change Ext Xfer to "No" on systems that are not being used for centralized auto attendant.
Note: If your Norstar Voicemail is version 4.0 or below, we recommend upgrading to version 4.1 and applying the applicable toll fraud patches.
2. On BCM, Call Pilot 150, and NVM 4.1 sites that are running centralized voicemail, "Enable Network Transfers" needs to be "Yes" to allow functionality of centralized auto attendant. The feature "Enable Network Transfers" is intended to be used for "Private" MCDN (Meridian Customer Defined Networks) only. Using this feature for any purpose other than transferring to a route with a "private" DN type can open your system to toll fraud and is not supported. For these sites, Nortel Networks has developed a patch that only allows callers in auto attendant to dial destination codes that point to routes with a "private" DN type and blocks callers from dialing destination codes that point to routes with a "public" DN type. This will effectively eliminate any chances for toll fraud. This patch will be ported into the Call Pilot release 3.0 and BCM release 3.7 streams. For previous software versions, the patches are available at the Nortel Networks support website (www.nortelnetworks.com/support) under the "Software" tab of each product category (Business Communication Manager; Norstar: Messaging - Call Pilot 150; and Norstar: Messaging - Voice Mail). The required patches are named as follows:
Patches for NVM:
   NVM_Toll_Fraud_CAA.exe
   NVM_Toll_Fraud_Non-CAA.exe
Patches for CallPilot 150:
   CP_2.10.08.00_NAEnglishCanFrench.zip
   CP_2.10.08.00_NAEnglishLASpanish.zip
   CP_2.10.08.00_NAEnglishCantonese.zip
   CP_2.10.08.00_NAEnglishTaiMandarin.zip
   CP_2.10.08.00_UKEnglishAusEnglish.zip
   Please only use the appropriate CP language patch for your region.
Patches for BCM:
   BCM_360.121_CTI.01.2004.exe
www.nortelnetworks.com/support
Other Considerations in reducing Toll Fraud risks
Passwords: It is important to change all passwords on a regular basis. This includes telephony configuration and administration, voicemail, and mailbox passwords. This will prevent unauthorized access to the programming database, where someone familiar with Norstar or BCM programming could make changes that would allow them to access your lines to make long distance calls.
Below are parameters in programming related to potential toll fraud:
Restrictions provide the flexibility to add dialing restrictions that prevent specific area codes, telephone numbers, and long distance calls from being dialed. These restrictions can be programmed on a per set basis, per line basis, or per line per set basis.
Recommendation: Add toll restrictions to those telephones that should not be allowed to make long distance calls.
DISA (Direct Inward System Access) is a capability of the Norstar and BCM to automatically answer a line and provide dial tone so that the caller can then dial an internal extension number or access an outside line to make a call. This feature is often used in situations where off-site employees need to make business long distance calls and have the calls billed directly to the company. Auto answer lines answered with DISA and DISA DNs both provide stuttered dial tone, which requires a COS (Class of Service) Password to be entered before any call can be made. Auto DNs give system dial tone and do not require any password to make a call.
Recommendation: If using DISA, program it so that it answers with stuttered dial tone, which requires a password to make a call out of the system.
COS Passwords are user definable 6-digit passwords that are assigned to employees and allow them to override any restrictions (see above) which are assigned to their telephone or lines, and to get access to tandem calling when DISA with stuttered dial tone (see above) is implemented. There are a total of 100 COS passwords that can be assigned.
Recommendation: Ensure passwords are more complex numbers than 111111, 123456, etc. to ensure the integrity of the system.
In addition to system programming capabilities, it is possible for a telephone to be call forwarded to an external line destination code. For example, if lines are pooled and assigned a destination code (for example, 9), a telephone could be call forwarded to "9"; then, from off site, a call could be made to that telephone and the caller would hear external dial tone and be able to make a long distance call.
Recommendation: Ensure "Allow Redirect" is set to "No" in set programming on telephones that should not have external call forward capability.
Recommendation: Program restrictions on lines and provide users with COS Passwords that will allow them to make toll calls when in the office. COS passwords cannot be used off site when calling call forwarded telephones.
Recommendation: Program a line pool button on the telephones rather than giving out the destination code. When a line pool button is pressed, the system will automatically grab a free line instead of the access code being manually dialed.
Voice Messaging External Transfer from CCR: CCR (Custom Call Routing) is a feature of the voicemail which, when enabled, follows the automated attendant greeting and allows callers to transfer to an internal or external telephone number. The potential for toll fraud with this feature is that a hacker could get into the system and set up a CCR transfer point to access an external line and allow them to dial a number.
Recommendation: Ensure that the administration password for your voicemail system is changed to a password that is not easily broken by hackers (example: don't use 1111). Making the password less intuitive will increase the difficulty of unauthorized persons getting access.
External Transfer from a Mailbox is a feature that allows users to set up an external number so that when a caller is transferred to their mailbox, they can press "7" and be transferred to an external number. If a hacker is able to get access to a mailbox, it could be set up to access an external line with no number, allowing the hacker to dial anywhere.
Recommendation: Mailboxes are password protected and the passwords can be 4 to 8 digits in length. Mailbox user administration can be accessed off site. Choose a password that is not easily broken by hackers (example: don't use 1111). Making the password less intuitive will increase the difficulty of unauthorized persons getting access.
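The password recommendations above (6-digit COS passwords, 4 to 8 digit mailbox and voicemail administration passwords, and avoiding values such as 111111, 123456 or 1111) can be enforced with a simple checker. The following is an added example, not Nortel code; the specific weakness tests (identical digits, repeating patterns, sequential runs, a PIN that matches the mailbox extension) are assumptions beyond the bulletin's text.

```python
# Added example, not Nortel code: a checker for the numeric password rules the bulletin
# recommends (COS passwords are 6 digits; mailbox and admin passwords are 4 to 8 digits).
# The weakness tests below are assumptions, not Nortel's own policy engine.
LENGTH_RULES = {"cos": (6, 6), "mailbox": (4, 8), "admin": (4, 8)}

def is_sequential(pin):
    """True for straight runs such as 123456 or 654321 (wrapping 9 -> 0 not counted)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def is_patterned(pin):
    """True when the PIN is one short block repeated, e.g. 1212, 121212, 4545."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False

def check_pin(pin, kind, extension=None):
    """Return the reasons a PIN is weak; an empty list means it passes every test."""
    low, high = LENGTH_RULES[kind]
    if not pin.isdigit():
        return ["must contain digits only"]
    problems = []
    if not low <= len(pin) <= high:
        want = f"{low}" if low == high else f"{low} to {high}"
        problems.append(f"length must be {want} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical (e.g. 1111 or 111111)")
    elif is_patterned(pin):
        problems.append("repeating digit pattern")
    if is_sequential(pin):
        problems.append("sequential digits (e.g. 123456)")
    if extension and (pin == extension or pin.endswith(extension)):
        problems.append("contains the mailbox/extension number")
    return problems

if __name__ == "__main__":
    for pin, kind in (("111111", "cos"), ("123456", "cos"), ("1111", "mailbox"), ("847213", "cos")):
        print(pin, kind, check_pin(pin, kind) or "ok")
```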
Additional Measures
In addition, there are other options available to assist in reducing toll fraud infractions. Within the telephony configuration programming, there is a feature called Restriction Service. Restriction Service can be set up so that toll restrictions on lines and telephone sets will automatically come on after business hours. This will prevent unauthorized personnel that have access to the business after hours and on weekends from using the telephones to make long distance calls. For example, if business hours are 8:00 a.m. until 6:00 p.m. Monday through Friday, the system can be programmed to automatically implement toll restriction on all telephones (or only selected telephones) from 6:00 p.m. to 8:00 a.m. Monday through Friday and from 6:00 p.m. Friday to 8:00 a.m. Monday. Any employees who work during these off hours can still make a long distance call by entering their COS password as discussed earlier in this document. If there is suspicion of toll fraud activities, CDR (Call Detail Recording) can be used on the BCM, or an SMDR (Station Message Detail Recording) unit can be used on a Norstar to record all outgoing calls made from the system.
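When CDR or SMDR output is being reviewed for suspected toll fraud, the first records worth a look are long distance calls placed outside the business hours given above without a COS password. The following is an added example, not Nortel code: it works on a constructed, simplified CSV layout (timestamp, set DN, dialed digits, COS flag), so the parser must be adapted to the actual BCM CDR or Norstar SMDR format; the line pool code 9 and the 8:00 a.m. to 6:00 p.m. window are taken from the bulletin.

```python
# Added example, not Nortel code: flag after-hours long distance calls in a constructed,
# simplified CDR/SMDR-style export. The record layout is an assumption; real BCM CDR and
# Norstar SMDR output differs and the parser would need to be adapted to it.
from datetime import datetime

# Constructed sample records: timestamp, originating set DN, dialed digits, and whether a
# COS password was entered (assumed fields; dates chosen so 2004-03-13 is a Saturday).
SAMPLE_CDR = """\
2004-03-15 09:12:44,221,914165551234,N
2004-03-15 23:41:07,221,914165551234,N
2004-03-15 23:45:19,221,901144163296096,N
2004-03-16 22:10:03,233,915555550199,Y
2004-03-13 14:02:51,227,914165550123,N
2004-03-16 10:30:00,227,5551212,N
"""

BUSINESS_START, BUSINESS_END = 8, 18  # 8:00 a.m. to 6:00 p.m., as in the bulletin
LINE_POOL_CODE = "9"                  # destination code used in the bulletin's example

def parse_cdr(text):
    """Parse the constructed CSV layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, set_dn, digits, cos_used = line.split(",")
        records.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "set": set_dn, "digits": digits, "cos": cos_used == "Y"})
    return records

def is_toll(digits):
    """External call (line pool code) followed by 1 (long distance) or 011 (international)."""
    if not digits.startswith(LINE_POOL_CODE):
        return False
    ext = digits[len(LINE_POOL_CODE):]
    return ext.startswith("1") or ext.startswith("011")

def after_hours(when):
    """Outside Monday-Friday business hours, the window Restriction Service would cover."""
    on_weekday = when.weekday() < 5  # Monday=0 .. Friday=4
    return not (on_weekday and BUSINESS_START <= when.hour < BUSINESS_END)

def flag_after_hours_toll(records):
    """Toll calls placed outside business hours without a COS password: review these first."""
    return [r for r in records if is_toll(r["digits"]) and after_hours(r["when"]) and not r["cos"]]

if __name__ == "__main__":
    for r in flag_after_hours_toll(parse_cdr(SAMPLE_CDR)):
        print(r["when"], "set", r["set"], "dialed", r["digits"])
```

A call placed after hours with a valid COS password (the 233 record) is not flagged, since the bulletin expects legitimate off-hours callers to use one.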