Mentornet.co.uk - Business Mentoring & Telecom's Consultants
This blog deals with issues we encounter during normal mentoring and coaching activities. All the entries are real life experiences from people who have been there and done it with significant experience of the "sharp end". I also offer assistance with telecommunications issues, particularly telephone systems and voice mail.
Tuesday, 30 August 2011
More Telecom Fraud
It looks like VoIP phones are now being targeted by hackers, and this means anyone running a VoIP phone, whether at home or in the office, is vulnerable. Make sure you use very long passwords with numbers, letters and case changes to minimise risk. Check you have the latest firmware upgrades and some sort of real time call monitor which can email/text you if activity occurs outside your normal call pattern. Just type "Yealink Hacking" into Google and be frightened!
Labels: IP phone hacking, Phone hacking, Yealink, Yealink hacking
Monday, 14 February 2011
Telecom Fraud - Have you checked your bill recently?
Some years ago I came across a company who had their telephone system and voice mail infiltrated by hackers. They managed to clock up a bill of over £2000 in one month. This was a little known problem at the time and it caught everyone by surprise but amazingly, this practice is still going on and is now estimated to be in the same league as credit card fraud.
Now if you are thinking that when your next bill comes in and you see fraudulent activity, you can just contact your carrier and get a refund then sadly, you are mistaken! It doesn’t work like credit cards and currently, the subscriber has to bear all the cost. The only possible hope is that you may have some claim on your equipment or service provider if you can prove that they were negligent with the set up of your service. As fraud is now so well known in the telecommunications industry, it is really unforgivable to set up a telephone system or voice mail without making it as secure as possible.
So how do the hackers gain access to your lines? Well in the example mentioned, the customer had an 0800 number to access their telephone system and out of hours, this was answered by voice mail. The hackers rang the 0800 number at no cost, and then proceeded to crack the password for the voice mail which in this particular case, gave them access to external trunks. When they found the system only allowed UK calls, due to call barring, they dialled up a number of another pre-hacked PBX without the free number and also without call barring and they were able to call anywhere for nothing. If you didn’t follow that, here are the steps again.
1. Dialled 0800 number and hacked the voicemail that answered, which gave them UK wide access but not international.
2. Made the voice mail dial the number of another hacked system which did not have an 0800 free number.
3. This system gave them access to anywhere.
So how do you avoid this problem?
Make sure you write to your system and/or service provider asking them to confirm that all fraud access is impossible on your system.
Make sure that trunk to trunk access is not allowed unless absolutely necessary. This applies to voice mail and PBXs.
Disconnect your maintenance modem and only allow access when your maintainer needs to change settings. Obviously do checks to make sure it is your maintainer calling! Preferably set the modem up for dial back, i.e. it has to dial the maintainer when they call it.
Make the password on your modem very long and change it frequently. Only let selected people have the password. As a matter of course, change the password after a remote maintenance session.
Make any passwords to access the admin of your voice mail very long and check to see if this has a modem. If so, the same rules apply.
Make sure that no extensions are forwarded to outside numbers.
Have call barring reduced to 999 only for after hours. Cleaners can have other sources of income! Barring can often be overridden by an authorised person should the need arise.
Ask your service provider to alert you if any calls go over a certain cost by text or email.
Make sure all software updates have been applied to in house telephone equipment.
If any technical staff leave, make sure all the passwords are changed on the system. An upset employee can cause havoc.
Install call logging and run it daily. If it has the ability to provide alerts, use it.
Audit and test your system regularly. Put the onus on your maintainer to verify the security status and get this in writing. If nothing else, having to commit to print will make them keen to stop any loopholes.
With IP systems, the security of your network is vital. If someone can get access to your network, they can also use IP voice services. WiFi with an easily hacked password is a gift to fraudsters. Any homeplugs need to be encrypted if you network via mains circuits. Use VPNs for remote workers wherever possible. All the aforementioned precautions apply regarding modems etc.
Use detection software to find any unauthorised access attempts.
Make sure your firewall is good and up to date.
If you are interested in knowing more, just post a comment or contact me via http://www.mentornet.co.uk/contact.html
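The call logging and alerting advice above, as an added example that is not part of the original post: a Python check run over a call log that flags calls placed by the voice mail port, calls outside office hours to anything but 999, and single calls or daily totals over a cost limit. The CSV layout, source names, office hours and thresholds are assumptions for illustration, and the sample log is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time
from decimal import Decimal

# Constructed sample call log. Column names are an assumption for this
# example; real PBX call-logging exports differ by vendor.
SAMPLE_CDR = """start,source,dialled,duration_s,cost_gbp
2011-02-07 10:15:00,ext201,01632960123,180,0.12
2011-02-07 14:40:00,ext305,0016505550100,600,1.80
2011-02-08 02:13:00,voicemail,01632960999,3400,2.10
2011-02-08 02:14:00,voicemail,01632960999,3500,2.20
2011-02-08 03:05:00,ext201,999,60,0.00
2011-02-08 23:30:00,ext410,0035312345678,5400,27.00
2011-02-12 11:00:00,ext201,01632960123,120,0.12
"""

# Assumed site policy, mirroring the checklist in the post.
OFFICE_OPEN, OFFICE_CLOSE = time(8, 0), time(18, 0)  # Monday to Friday
AFTER_HOURS_ALLOWED = {"999"}          # barring reduced to 999 after hours
NON_DIALLING_SOURCES = {"voicemail"}   # ports that should never dial out
CALL_COST_LIMIT = Decimal("5.00")      # alert on any single call above this
DAILY_COST_LIMIT = Decimal("10.00")    # alert when a day's total exceeds this


def in_office_hours(ts):
    """True for Monday-Friday between opening and closing time."""
    return ts.weekday() < 5 and OFFICE_OPEN <= ts.time() < OFFICE_CLOSE


def review_calls(cdr_text):
    """Return (start, source, dialled, reasons) for every suspicious call."""
    alerts = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        # A voice mail port originating a call is the symptom of the
        # dial-through abuse described in the post.
        if row["source"] in NON_DIALLING_SOURCES:
            reasons.append("VOICEMAIL_DIAL_OUT")
        # Anything other than 999 outside office hours breaks the barring rule.
        if not in_office_hours(ts) and row["dialled"] not in AFTER_HOURS_ALLOWED:
            reasons.append("AFTER_HOURS")
        if Decimal(row["cost_gbp"]) > CALL_COST_LIMIT:
            reasons.append("HIGH_COST")
        if reasons:
            alerts.append((row["start"], row["source"], row["dialled"], reasons))
    return alerts


def daily_cost_alerts(cdr_text, limit=DAILY_COST_LIMIT):
    """Return the dates whose total call cost exceeds the limit.

    Catches many cheap calls that stay under the per-call limit.
    """
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        totals[row["start"][:10]] += Decimal(row["cost_gbp"])
    return sorted(day for day, total in totals.items() if total > limit)


if __name__ == "__main__":
    for start, source, dialled, reasons in review_calls(SAMPLE_CDR):
        print(f"{start}  {source:<10} -> {dialled:<15} {', '.join(reasons)}")
    for day in daily_cost_alerts(SAMPLE_CDR):
        print(f"{day}  daily call cost over {DAILY_COST_LIMIT} GBP")
```

Run daily against the previous day's log, the output is the list to email or text to whoever owns the phone system.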
Wednesday, 10 November 2010
My week of bad online purchasing experiences
I am wondering if the online revolution is starting to wobble a bit. At one time, online suppliers bent over backwards to help but this week has shown that sadly, the rot has set in and I predict that some suppliers will fall by the wayside in the next few years. First, I ordered a TV from Amazon and it was shipped via City link. I checked the tracker to see where it was and saw that it was scheduled for delivery last Friday. I waited in all day and nothing arrived so I checked the tracker and it said that they had tried to deliver it and were unable to. So where was the bit of paper in my letter-box to confirm this? To cut a long story short, they have "lost it". Well I don't know about you but I would find it pretty difficult to lose a 40 inch telly! Anyway, Amazon and City link had a chat but forgot to let me know what was going on as they had promised so I called Amazon and spoke to a very pleasant girl who asked if I was prepared to wait until 15th November for City link to find the TV. You guessed it! I wasn't prepared to do that so after checking, she duly shipped out another TV. So overall, not a bad job by Amazon but they did forget to call me which was somewhat annoying.
My less satisfactory experience was with Play.com. I ordered a Buzz Lightyear for a Christmas present and it took quite a few days to arrive. Play suggested on their web site that you wait 28 days before raising it with them! That's handy if you do your Christmas shopping a week before the big day! Anyway, Buzz arrived and he had indeed been to infinity and beyond but he had obviously had a rough journey. The box was crushed, torn and distorted so it was completely unacceptable as a present. It would be understandable if the Post Office had done the damage but the packers at Play decided to put the retail box in a plastic bag and send it like that so it's not hard to see why it arrived in this state.
So I started the returns procedure where they promise to respond within a working day. Well, nothing in my email after nearly 2 days so I called them on an 0845 number which is charged at a much higher rate than standard and spoke to some chap in Outer Slambodia on a lousy line and I said I wanted a refund and the toy collected. He agreed to a refund but not the collection so I gave them the choice....Collect or lose a customer. They chose the latter so now I have to drive to a Post Office and send the damn thing when it was their incompetence that caused the problem. I spent a few hundred £’s with them over the last year or so. Now I don’t know about you but if I was a director of Play.com, I would be seriously worried about this level of customer care and the loss of profit. There are plenty of competitors out there and frankly, I will use Amazon in future for the items that I may have bought from Play. And if Amazon go off the rails, there are plenty more to choose from. Let me know if you have similar experiences.
Monday, 1 March 2010
I can confirm my thoughts on Barclays Bank
Another debacle with Barclays again today. I have been locked out of my 3rd party online account due to "Technical problems". I was asked various security questions and then came the blinder! Could you give me a recent DD on the account? No, I replied, I have third party access so no statements come to my house. I need to get online to see the transactions and then I can give you the DD. So just like before, we have the catch 22. You need the online info to get past security but you can't get online to see it. This would be funny if it wasn't taking up hours of my time. So that was about an hour wasted.
Anyway, I gave in and went to the branch. I took everything bar the kitchen sink for identity. Whilst there I asked if there was anything else they needed and was assured everything was OK and the online account would be active "tonight". No prizes for guessing what happened so I rang the help desk, went through the now well rehearsed responses whilst listening to their wretched music on hold (the trouble is that I am starting to hum it!). Forty five minutes later I get transferred back from India to the UK having "passed" security and then the girl said "I will get your account going now". Hurray I thought! Then came the next blinder. "Can I have your mother's maiden name?" (well that's a really secure option isn't it?). I gave them the maiden name and guess what? "You will have to go to the branch because we can't verify it". Yes there are teethmarks in my desk and yes my hair is falling out.
How do they make such huge profits? It certainly can't be anything to do with the retail side. It's completely inept.
To be continued..... after my visit to the branch tomorrow.
Tuesday, 2 February 2010
Are Barclays Bank the UK's most exasperating company?
I have just spent an hour wasting my time on the telephone to Barclays and I either need to hit someone or write my experiences down! This is not strictly in the vein of business advice but many businesses could considerably improve themselves if they mystery shopped their own enterprise. This is a brief outline of my experience because if I filled in all the detail, it would be several pages long.
If ever there was a lesson to be learned about how not to give good customer service, Barclays would be my nominated company. Fortunately, I do not have an account with them but I do have third party access to one of my relative's "Premiere" accounts for which I have power of attorney. One can only imagine how badly non-Premiere customers are treated.
My relative had sold a Spanish property and I wanted to set up a Euro account to deposit the proceeds. "You can't do that online", I was told. "You will need to visit a branch". I later discovered that this is a stock, pre-programmed phrase that the robots in their call centres use all the time. Anyway, I went to a branch and they couldn't help me because I needed to go to a bigger branch apparently. So off I went to a bigger branch which initially appeared to be full of school children but were actually Barclays advisors and eventually got to speak to the international desk. They gave me an application form to fill in, after much running backwards and forwards to a supervisor to find out what they had to do. I was told to post it back to the International Division. Why I couldn’t have downloaded this from their web site is anyone’s guess but that would involve joined up thinking wouldn’t it?
Miraculously, after posting the form I received a letter telling me the account was set up. The reason for my anger? I have just tried to check the balance and guess what? "I am unable to verify you" is the new stock answer. "What do I need to be verified?" I asked. Can you guess the response? "You will need to visit a branch". Just how many times do I have to visit a branch before the idiots that work at Barclays actually get it right? They have my address details, the original of the enduring power of attorney, a copy of my passport and my inside leg measurement etc. What else could they need?
It gets even worse and you will now need to concentrate! Digging further and after being transferred around the world twice, it turns out that they don't have the right questions to ask me to carry out the verification, so saying that I would stay on the line whilst they found out what questions they needed to ask me fell on deaf ears. I even suggested that if they couldn’t dream up what questions to ask me that they might ring the branch they wanted me to visit and ask them what questions they should be asking me. Hopefully you are still with me on this because if it doesn’t make any sense, you have the correct interpretation! As expected, no luck with that approach either. According to them, it was my fault that they didn’t have the right questions to ask me and that’s why I needed to visit a branch, presumably as punishment. They even tried my telephone banking password but the password was invalid after two months of non-use which they omitted to tell me. I expect I need to visit a branch to get a new one of those too.
So my final conclusion is that I will move all the accounts to Lloyds where I get sensible answers, the staff have wrinkles instead of acne and it will actually be easier than trying to find the balance on the Euro account. Apparently, Lloyds just need to see my power of attorney and they can move all the accounts from Barclays. I wish them luck.
In summary, I would love to see a director of Barclays try and set up a third party access account and then operate it because presumably they sit in their plush offices, counting their bonuses, blissfully unaware of their incompetent staff and the frustration they are creating for clients. A lesson for any business I think!
Thursday, 10 December 2009
Shareholders Agreements & Involving Family
One of the questions I always ask when introduced to a new client is "Are any family involved with the business?" My heart always sinks when they nod and whilst it's by no means a problem to everyone, it is not something I would encourage and in fact would positively discourage. It can cause major family rifts and is just not worth it.
This brings me on to shareholders agreements. Obviously you should get a lawyer to do this but they are very important and set the rules of the game, before you play it, which is much better than making the rules up as you go along! Most small businesses do not have agreements in place and many lawyers have made tidy sums sorting out the mess that this can cause. So in summary, if you are setting up a new limited company, get the shareholders agreement incorporated into the memorandum & articles from the outset. This is just as important when family are involved and possibly even more important. Also, as the mem's and art's for a small business are usually rather generic, you can get these tidied up as well. Not the most riveting read, but essential to your future well being I can assure you.
Monday, 5 October 2009
Letting Go
One of the main issues I see with small businesses is the same problem I had myself and that is letting go. This is not an issue with the digestive system but the fact that so many entrepreneurs are also control freaks and just cannot delegate or see the benefit of taking on new staff. They are stuck in a catch 22. "By the time I have told someone else, I could do it myself" or "I can't afford another salary so I do it myself". Both statements could be true but if you don't change the way you work, the business will never grow.
Let's examine the first statement. Handing over routine jobs to staff will motivate them and even if they make mistakes, they should get there in the end. It's difficult but necessary. Assume they will make mistakes and then you can only be pleasantly surprised.
The second statement is the biggest dilemma for most business people but if for example you consider yourself to be the best salesperson in the business, why are you bogging yourself down with accounts, admin, HR etc? You release your time to sell and guess what? You can afford the extra salary and what's more, you will make more money into the bargain. Many of the aforementioned jobs can also be carried out by part timers, homeworkers and contractors.
Finally, if you think you are overloading your staff by passing over work to them, my experience has been that staff can always make themselves look busy but are not often working at capacity.