A recent security breach of some of Telfree’s user accounts cost those users R40 000. According to one of the users, his funds were nearly depleted by someone who hacked into his Telfree account, but Telfree was less than accommodating.
The user asked for the money stolen from his account to be refunded, but Telfree responded that the company’s terms and conditions state that "any fees paid to Telfree including any pre-payments are non-refundable".
"I am sorry but I am unable to refund you," a Telfree representative said.
"Telfree are not willing to give their clients information as to who used the clients’ service illegally. Instead they blabber on about employing ‘international lawyers’. Well, ‘Joe’ who’s a lawyer in Pretoria and has a cousin working as a lawyer in Botswana is also an ‘international lawyer’," one Telfree client said.
"Telfree has admitted that their security is lax. They don’t take steps to secure their client logins because it’s ‘too much of a hassle’."
Telfree’s chief technology officer Ruan Malan said that only a small portion of the company’s client base was affected by the recent security breach. "We did however warn our entire client base of this event and we urge them to respond. Some clients don’t want any correspondence and for them we can only serve in a reactive manner," said Malan.
Malan explains that it was not a security vulnerability in their system which led to access to users’ accounts, but rather poor password management by the users themselves.
"It is not true to say that the TelFree system has a security vulnerability, but rather there is a vulnerability in the passwords of users with 087 numbers. We all know that this is a very difficult issue to manage, as it is completely out of the control of Telfree what happens to passwords once they are sent to clients," said Malan.
"TelFree cannot control how passwords are accessed, stored or even exposed out in the Internet. All we can do is ask users to change their passwords regularly. Like internet banking, we do have a responsibility to warn clients of possible issues, and that is what we did."
Malan said that the lost funds were a result of passwords being obtained by "some or other way" and that the criminals used the 087 number to make calls to international destinations.
"It is easy to blame TelFree for this unfortunate event, but in reality TelFree just doesn’t publish clients’ 087 numbers and passwords to the world, and if it was a TelFree system problem the entire TelFree client base would have contacted you," said Malan.
TelFree said that it picked this problem up fairly quickly and took immediate action to stop the destinations from being called. "We did blacklist IP addresses etc. and we are busy building a case for our international legal team to react and pin down the criminals," said Malan.
Gregg Massel, MD of Switch Telecom, said that the primary failure that led to this fraud was not an insecurity in VoIP technology, but rather the fact that TelFree issued weak passwords to clients.
"The passwords were in the form of six-digit numbers and usernames were the same as phone numbers which are part of a specific range. This meant that one only needed to test about 10 000 usernames against 1 000 000 different password combinations to reveal almost every username/password pair. Running such a brute force attack for even a short period could easily reveal a small subset of the username/password pairs," Massel said.
According to Massel, VoIP fraud is far less prevalent than Telkom clip-on fraud. "At least with VoIP, measures can be taken to mitigate such risks; with PSTN fraud, the only options are call barring and even this has proved unreliable because of Telkom technicians involved in the fraud lifting the barring," says Massel. "By comparison, even GSM fraud has been more commonplace with SIM-swap scams haunting the networks a couple of years ago."
Massel added that the sort of brute-force username and password guessing that happened with TelFree would have been virtually impossible against a company like Switch Telecom, because the passwords it generates are longer and use alphanumeric characters.
"In fact, you’d have to try over 2.8 trillion combinations per phone number. The bandwidth and time required to do this would be too costly for the hacker and bandwidth usage would show up on our monitoring systems," said Massel.
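Massel’s arithmetic, together with the per-source monitoring he alludes to, as an added Python example that is not TelFree’s or Switch Telecom’s code: it sizes the two password policies (the 2.8 trillion figure matches eight case-insensitive alphanumeric characters, 36^8, which the example assumes) and flags a source address that fails registration across many different accounts inside a short window. The Asterisk-style log format, usernames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords a fixed-length policy can produce."""
    return alphabet_size ** length

def sweep_size(usernames: int, alphabet_size: int, length: int) -> int:
    """Guesses needed to try every password against every username in a range."""
    return usernames * keyspace(alphabet_size, length)

# Constructed log lines in an assumed Asterisk-style 'Registration from ... failed'
# format; usernames and addresses are made up. One source cycles through many 087
# usernames, hitting each only once, so a per-account lockout would never trip.
SAMPLE_LOG = """\
2012-03-01 10:00:01 Registration from '0871000001' failed for '203.0.113.7' - Wrong password
2012-03-01 10:00:03 Registration from '0871000002' failed for '203.0.113.7' - Wrong password
2012-03-01 10:00:05 Registration from '0871000003' failed for '203.0.113.7' - Wrong password
2012-03-01 10:00:08 Registration from '0871000004' failed for '203.0.113.7' - Wrong password
2012-03-01 10:00:09 Registration from '0871000005' failed for '203.0.113.7' - Wrong password
2012-03-01 10:05:00 Registration from '0871000001' failed for '198.51.100.4' - Wrong password
2012-03-01 10:30:00 Registration from '0871000001' failed for '198.51.100.4' - Wrong password
"""
LINE_RE = re.compile(r"^(\S+ \S+) Registration from '(\d+)' failed for '([\d.]+)'")

def flag_bruteforce(log_text: str, window_seconds: int = 60, threshold: int = 5) -> set:
    """Source IPs with at least `threshold` failed registrations inside any window.
    Keyed on source IP rather than username, because a range sweep spreads its
    guesses thinly over thousands of accounts."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            failures[m.group(3)].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    weak = sweep_size(10_000, 10, 6)   # 10 000 numbers x 1 000 000 six-digit PINs
    strong = keyspace(36, 8)           # eight alphanumerics: about 2.8 trillion per number
    print(f"six-digit sweep: {weak:,} guesses; 8-char alphanumeric: {strong:,} per number")
    print("flagged sources:", flag_bruteforce(SAMPLE_LOG))
```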