OBi200 installed, now seeing unknown phone calls in GV call history

[vailr]

Hello,: There seems to be a missing or mis-configured security setting with my OBi200 device, using Google Voice. The phone call feature works fine, both outgoing and incoming calls. However, my GV call history has started showing unknown calls to various U.S. destinations, that were not initiated by me. I've had this GV account for about 6 years, and never had this kind of problem before. Is there a missing security setting for the OBi200 device that would prevent whatever unknown hackers from possibly "hijacking" my GV account?
The internet connection is via cable modem->Netgear router->OBi200
(Netgear FVS318G-100NAS PROSAFE® 8-PORT GIGABIT Cable/DSL VPN FIREWALL Router)

[SteveInWA]

Hi:

It's difficult to know exactly how this is happening, so I'd suggest a "shotgun" approach to generally secure your Google account, and to factory-reset and re-configure your OBi.  Since you've had the OBi for that long, it is possible that you are still using the old, less-secure authentication method.

First, log onto the OBiTALK web portal, and delete your OBi 200 completely (click the trash can icon).  Wait a few minutes for OBiTALK to remotely reset your device.  Do not add it back yet.  Pick up the phone attached to the OBi and enter ***0 then 1# to hear it read back your firmware version.  Note the last four digits (the build number).  If lower than 5285, then download 5285 from this link:  http://fw.obihai.com/OBi202-3-1-0-5285.fw.  Log into your OBi from its local IP address (press ***1 to get the address, and the default login is admin/admin).  Go to the System Management --> Device Update page, select the file you downloaded, and upload it.  After the OBi is finished updating, press ***8 then 1 on the phone to restore it to factory defaults.

Next, add it back to the OBiTALK web portal, by clicking the "Add device" link on the left side of the page, and following the instructions.  Stop there, after you have added the device; do not set up Google Voice yet.

Leave that page open, and press Ctrl-T to open a new browser tab.  Go to this page, and go through the entire Google security checkup. 

https://security.google.com/settings/security/secureaccount

Take this opportunity to change your Google password.  Use a strong password of random alphanumeric and punctuation characters.  16 characters is recommended.  Do NOT use this password on any other online service.  Write it down, or use a password manager, such as LastPass.  Consider using Google's two-factor-authentication.  Also, be sure to set up your recovery email address and recovery phone number.  Do NOT use your Google Voice number as the recovery phone number!

After this is completed, then stay signed into Google on that tab, and to back to the OBiTALK tab.  Now, set up Google Voice on your OBi.

That should take care of hardening your account and your device.

If you have problems getting through the Google Voice setup, please read my complete set of instructions, here:

http://www.obitalk.com/forum/index.php?topic=8560.msg56460#msg56460

[vailr]

@ SteveInWA:
The OBi200 device was only very recently installed, and with the latest device firmware (dated May 2016) also installed at that time (about 2 weeks ago). If there might be: an OBi200 web interface or Netgear router setting that would enable better security, then that would seem to be the next logical step. I simply followed the posted steps for setting up the OBi200 device, without any specialized port settings, or that kind of thing. Ideally, there would be a setting from the web interface of either the OBi200 or the Netgear router, that would completely block any possibility of an outside hacker (that is: originating from outside of the cable modem access point to the internet) from surreptitiously accessing my OBi device and making outgoing phone calls without my knowledge.

Whether that is actually what happened or not: can't say for sure.
Note: the GV account password has now been changed, so maybe that will solve the problem.

[SteveInWA]

I gave you a detailed, and easy-to-follow set of instructions on how to a) review your Google account for vulnerabilities and b) reset and re-apply the correct settings, to remove any possible unauthorized access.  If you want to dismiss them, then you are on your own.