The way the 3CX system is configured as a default I believe there is no PIN required to create conferences. An external caller can then call the 3CX system then dial 700 and proceed to create a conference. Anyone can then call into the conference. As a result the system owner will incur charges if they get charged per minute for incoming calls. Can anyone explain what the logic was behind this implementation and not requiring some sort of robust authentication or at least allow restricting conferences from external trunks. Also if you decide to require a PIN code for conference calls there is one PIN for the entire company how are you supposed to keep that secure. The correct implementation in my opinion would have been to require a unique PIN for every user based on something like the Extension # plus their Voicemail password. How in the world do larger companies handle this ?