Video conferencing equipment vulnerable to premium number fraud

Users of many popular brands of video conferencing equipment are leaving themselves open to potentially hundreds of thousands of pounds of fraud each month.

London-based video conferencing consultancy City Conferencing claims to have identified a vulnerability occurring as organisations make the move from using ISDN to all-IP technology.

A statement from City Conferencing noted hacking into systems via ISDN is "a very unlikely scenario" but that "using the IP interface to send a dial command to the ISDN interface to ring premium rate numbers is a very real problem".

A scenario could see someone setting up a video conferencing system to dial an overseas premium rate number between the hours of 9:00PM and 7:00AM each night. Over six channels, for 600 minutes, at £5 per minute and over a 30-day month, that would add up to a £540,000 fraud - just from the one facility.

Simon Dudley, director at City Conferencing, said: "There's one known instance in London of a disgruntled AV [audio visual] technician who owned his own 0898 premium number. He randomly dialled the number from different desks of City traders and it took three months to for the company in question to find out - and then only because someone he told broke the silence."

This vulnerability is more serious because it can be automated. As well as the problem occurring because now is a time when users typically have hybrid ISDN and IP networks, it could also be due to lack of control by IT departments.

Traditionally video conferencing equipment has stood as part of the AV function in a company, on its own or part of the telecoms department - meaning IT departments have often been ignorant about how it works. There is even a joke in video conferencing circles that if the equipment had plugged into computer monitors rather than televisions that wouldn't have become the case.

Dudley added: "There's a turf war going on over who wants to own it. It's only recently that we've seen IP-enabled [video conferencing equipment] on the network and my money is on IT winning control eventually."

While thousands of companies use video conferencing, investment banks and other high-profile organisations are likely to be publicity shy about admitting problems - as is the case with various types of security breach - while others that don't check phone bills carefully may never know fraud has taken place.