A New Dimension of Security Concerns for Hosted Voice Service Providers

9 March, 2016

Hosted PBX Service Providers (and the end-users of the systems themselves) have understood security and the implications of breaches in two ways – toll-fraud and service degradation.  Each of these vectors ultimately cuts into the bottom line, albeit in different ways.  As VoIP based systems are adopted throughout the public and private sector and simplified hacking tools proliferate, virtual PBX is becoming a more common target for cyber-criminals.  Thus it is valuable for Service Providers to revisit these two dimensions of risk and explore an emerging potential third – failure by Service Providers to follow security Best Common Practices can lead to legal action by the Service Provider’s clients or denial of cyber-insurance coverage particularly as it pertains to protection of private information.

Understanding Standard Security Risks

For sophisticated hackers, a wide range of malicious activity is possible on VoIP networks, including but not limited to gathering information on all of the devices connected to the system, redirecting or otherwise interfering with legitimate calls, and eavesdropping.  Given the economic incentives involved, however, by the far the most common is toll or premium rate service fraud.  Reports by two security firms, Pindrop and UK based Nettitude, support this conclusion, and attest both to the predominance of toll fraud and the trend towards the increase in all forms of VoIP attacks.  When attackers gain access to VoIP PBX systems and use them for personal gain or collude with a crooked termination service (often located in a foreign jurisdiction), the costs to the enterprise of even one breach can be enormous.  Typically occurring outside of standard business hours, a weekend of toll fraud can rack up many thousands of dollars of charges for the unwitting enterprise, which is left with no recourse other than squabbling with their service provider about paying the bloated service charges.

The damage from attacks, both successful and unsuccessful, is not limited to fraudulent tolls.  Attackers can intentionally degrade the quality of calls and even have a variety of means to completely disrupt service.  Beyond this, regular, automated attempts on the network can have a deleterious effect on service even when a successful attack is avoided and no coordinated DDoS campaign is in progress. The monetary and lost-business/credibility costs of VoIP hacking are severe, and although the hosted VoIP service provider may avoid the monetary cost (which typically falls to the enterprise), any negative experience with the service is bad for business.

Approaching New Risks in the Remediation Stage

To some extent, however, these threats are old hat; although they remain significant, they are generally understood and those in the industry are aware of them even if they don’t take them seriously enough.  This inattentiveness could become much more dangerous in the future, however, as failure to adhere to network and VoIP security best practices — and the security breaches that may follow — gain greater legal significance.

Take the (already notorious) case of Cottage Health System, which operates a network of hospitals in Southern California.  After suffering a breach of security in late 2013, in which more than 32 thousand customers had their data stolen, the customers sued the company in a class-action lawsuit under California’s Confidentiality of Medical Information Act (CMIA) and ultimately won a $4.2 million settlement.  The California Department of Justice is also investigating the company for HIPAA violations.  Although Cottage had subscribed to a cybersecurity insurance plan and the insurer (Columbia Casualty Company) initially covered the settlement, it subsequently brought a case against Cottage, demanding the sum it had paid out plus legal fees.  The insurer argued that Cottage’s failure to follow “minimum required practices” voided its obligation to cover the costs associated with the breach.  In short, Cottage’s lax security led to a breach of customer data privacy, a HIPAA violation investigation, a class-action lawsuit, and further legal action by the insurer, who retroactively refuses to cover the claim.

Although this case falls outside of the scope of telecom, and more narrowly, VoIP, security, it should nevertheless serve as a warning.  Telecoms with business subscribers in the healthcare, financial and legal fields must be aware that their customers need be compliant under HIPAA and SOC-II as covered entities or business associates thereto.  Even telecoms outside of these groups are nevertheless obliged to protect customer proprietary network information in line with the Telecommunications Act of 1996, and legal precedent exists that (for any company handling personal data, telecom or otherwise) the published privacy policy must be matched by actual security practices.

If any of you have applied for Cyber-liability insurance over the past few years you’ve seen the bar being raised higher and higher with very specific questions around security and vulnerability protection practices.  While protecting against intangible damages – like loss of customer private data – is frequently in the news, it is also apparent that failure to subscribe to Best Common Practices in network engineering can also lead to the denial of claims for toll fraud and service interruption losses.

Given the relative vulnerability of VoIP systems, the proliferation of threats and attackers, and the expanding legal grounds on which holders of personal data (in particular private medical information) may be held liable for breaches, it is more important now than ever for hosted VoIP Service Providers to establish and abide by security best practices.

As a Platform provider to many Service Providers, VoIP Logic is frequently (and rightfully) quizzed on its methodology for security risk mitigation by existing and prospective Service Provider Partners. While we do not control the network we do offer tools for fraud monitoring and mitigation as well as a set of Best Common Practices under which we operate and we strongly urge our partners to operate.

Posted Under:VoIP Logic Blog