Securing ININ's Interaction Center Against Toll Fraud

David Currier

While every effort can be made to secure a phone system against intrusion or abuse, there will always be ways to exploit it. The Interaction Center platform is no different. Like every other phone system, it has security precautions as well as unavoidable vulnerabilities. In other words, a lot of thought goes into securing an Interaction Center system against attack, but certain features of the system inevitably leave weak spots.

An example of this is remote access. It is usually desirable to allow users to call into the system remotely and access voicemail, manage their status, or perform other tasks. However, this also exposes the system to any outside party who obtains credentials that grant access. While this is definitely a feature worth having, it is also a potential vulnerability.

The most common attack we have seen against an IC system exploits this feature and often results in toll fraud. Here’s how it works:

  • Someone with a desire to gain access for whatever reason (and who likely knows they are calling an Interaction Center server) calls a number that reaches the target system
  • The caller navigates through the menus and finds a way to log in to the system remotely (this is allowed by the Remote Access node in Interaction Attendant)
  • The caller then attempts to log in using various combinations of extensions and passwords, sometimes building a list of extensions to try from the dial-by-name feature
  • Once a working extension and password combination has been found, the caller uses one of several methods to place outbound calls to other numbers (often international). One method is to set the user’s status to Available, Forward with an international number as the forwarding destination, then call the user directly

If remote access to the system is desired (and it almost always is), the best protection against this kind of attack is to enforce a solid password policy. The default password policy in IC is often sufficient, but it should be evaluated to be sure it matches your organization’s security policies. As a best practice, set a secure password when creating new users, and never use 1234 or the user’s extension. Remember, even a good password can be cracked by a brute-force attack; it is just much less likely.
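As an added example (not the author’s or ININ’s code), here is a Python check that enforces the PIN rules above when creating or auditing users: it rejects a PIN that equals or contains the user’s extension, 1234 and similar sequences, and repeated digits. The six-digit minimum and the common-PIN list are assumptions; the page itself names only 1234 and the extension.

```python
from typing import List, Dict

# Constructed list of PINs attackers try first. The page names only 1234 and
# the user's extension; the remaining entries are assumptions for illustration.
COMMON_PINS = {"0000", "1111", "1234", "4321", "2580", "1212", "123456", "654321"}


def _is_sequential(digits: str) -> bool:
    """True when every digit is exactly +1 or -1 from the previous one (1234, 6543)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, extension: str, min_length: int = 6) -> List[str]:
    """Return the policy violations for a proposed remote-access PIN.

    An empty list means the PIN is acceptable. `extension` is the user's
    extension number, which a caller can harvest via dial-by-name.
    """
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} digits")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains the user's extension or its reverse")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if _is_sequential(pin):
        problems.append("sequential digit run")
    return problems


def audit_new_users(users: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run check_pin over a batch of user records; return only the failing users."""
    failures = {}
    for u in users:
        problems = check_pin(u["pin"], u["extension"])
        if problems:
            failures[u["user"]] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample records, not data from a real IC server.
    sample = [
        {"user": "jdoe", "extension": "5018", "pin": "5018"},
        {"user": "asmith", "extension": "5019", "pin": "1234"},
        {"user": "bjones", "extension": "5020", "pin": "739241"},
    ]
    for user, reasons in audit_new_users(sample).items():
        print(f"{user}: " + "; ".join(reasons))
```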
