Security Risks Associated With The Automated Attendant Feature Of Voice Messaging Systems - Lucent Technologies MERLIN LEGEND Release 5.0 System Planning Manual

MERLIN LEGEND Communications System Release 5.0
System Planning 555-650-112
A
Customer Support Information
Toll Fraud Prevention
If Outcalling is required by voice messaging system extensions:
- Program an ARS Facility Restriction Level (FRL) of 2 on voice mail port extension(s) used for Outcalling.
- If 800 and 411 numbers are used, remove 1800, 800, 411, and 1411 from Disallowed List number 7.
- If Outcalling is allowed to long-distance numbers, build an Allowed List for the voice mail port extension(s) used for Outcalling. This list should contain the area code and the first three digits of the local exchange telephone numbers to be allowed.

Additional general security for voice messaging systems:
- Use a secure password for the General Mailboxes.
- The default administration mailbox, 9997, must be reassigned to the system manager's mailbox/extension number and securely password protected.
- All voice messaging system users must use secure passwords known only to the user.

Security Risks Associated with the Automated Attendant Feature of Voice Messaging Systems

Two areas of toll fraud risk associated with the Automated Attendant feature of voice messaging systems are the following:
- Pooled facility (line/trunk) access codes are translated to a menu prompt to allow Remote Access. If a hacker finds this prompt, the hacker has immediate access. (In Release 3.1 and later systems, dial access to pools is initially factory-set to restrict all extensions: to allow pool access, this restriction must be removed by the system manager.)
- If the Automated Attendant prompts callers to use Remote Call Forwarding (RCF) to reach an outside telephone number, the system may be susceptible to toll fraud. An example of this application is a menu or submenu that says, "To reach our answering service, select prompt number 5," and transfers a caller to an external telephone number.

  Remote Call Forwarding can be used securely only when the central office provides "reliable disconnect" (sometimes referred to as forward disconnect or disconnect supervision), which guarantees that the central office does not return a dial tone after the called party hangs up. In most cases, the central office facility is a loop-start line/trunk, which does not provide reliable disconnect. When loop-start lines/trunks are used, if the calling party stays on the line, the central office does return a dial tone at the conclusion of the call, enabling the caller to place another call as if it were being placed from your company. Ground-start trunks provide reliable disconnect and should be used whenever possible.
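
The Outcalling, mailbox, and Automated Attendant guidance above can be checked against a planning record before programming. The following is an added example, not part of the Lucent manual: the record layout, its field names, and all sample values are assumptions constructed for illustration, and an Allowed List entry is assumed to be exactly six digits.

```python
import re

# Constructed planning record. The field names are assumptions for this example,
# not a MERLIN LEGEND export format.
SAMPLE = {
    "outcalling_ports": [
        {"ext": "7921", "frl": 3, "long_distance": True, "allowed_list": []},
        {"ext": "7922", "frl": 2, "long_distance": True, "allowed_list": ["908555", "1908"]},
    ],
    "admin_mailbox": "9997",
    "aa_menus": [
        {"prompt": 5, "action": "rcf", "line_type": "loop-start"},
        {"prompt": 6, "action": "rcf", "line_type": "ground-start"},
        {"prompt": 9, "action": "pool_access"},
    ],
}

def audit(cfg):
    """Return (item, finding) pairs where the record departs from the guidance above."""
    findings = []
    for port in cfg["outcalling_ports"]:
        item = f"ext {port['ext']}"
        if port["frl"] != 2:
            findings.append((item, f"ARS FRL is {port['frl']}, guidance is 2"))
        if port["long_distance"]:
            if not port["allowed_list"]:
                findings.append((item, "long-distance Outcalling with no Allowed List"))
            for entry in port["allowed_list"]:
                # Assumption: an entry is exactly area code + first three exchange digits.
                if not re.fullmatch(r"\d{6}", entry):
                    findings.append((item, f"Allowed List entry {entry!r} is not area code + exchange"))
    if cfg["admin_mailbox"] == "9997":
        findings.append(("mailbox 9997", "default administration mailbox not reassigned"))
    for menu in cfg["aa_menus"]:
        item = f"AA prompt {menu['prompt']}"
        if menu["action"] == "pool_access":
            findings.append((item, "menu prompt maps to a pool access code"))
        elif menu["action"] == "rcf" and menu["line_type"] != "ground-start":
            # Loop-start lines may return dial tone after the called party hangs up.
            findings.append((item, f"RCF over {menu['line_type']} line, reliable disconnect not assured"))
    return findings

if __name__ == "__main__":
    for item, finding in audit(SAMPLE):
        print(f"{item}: {finding}")
```

Password quality for the General Mailboxes and user mailboxes is not covered by this check, since it cannot be read from a planning record.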
Issue 1
June 1997
Page A-14
