What are the risks of implementing an interactive voice response system for banking transactions? Can these IVR...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
systems be hacked? And are there additional measures that should also be put in place to reduce IVR security risks?
Phone phreaking was part of the beginning of old-school hacker culture many years ago. Currently, when it comes to security, most of the attention is on IP-enabled systems and computers, but phone systems still require adequate security. With the increase in credit card and banking transactions done via phones, these systems should not be ignored just because they aren't like most IT systems.
IVR systems should be based on a secure operating system and infrastructure, and the IVR application itself should be developed using a secure systems development lifecycle. IVR security risks involve business logic flaws or social engineering-related vulnerabilities, so programming in the necessary monitoring capabilities and logic checks to prevent abuse is essential.
Any system that interacts with end users needs to be monitored for suspicious behavior. Traditional security controls that monitor network traffic or log data and look for suspicious patterns may not be effective for finding IVR security risks.
Monitoring an IVR system, such as a PBX phone system, might make more sense, but this could miss business logic flaws or social engineering vulnerabilities. For example, if a particular phone number, which could be spoofed, is used for an unusually high number of banking transactions, investigating the phone number and the transactions could help identify potential fraud. Putting similar limits on financial transactions via an IVR system that exist for in-person ATM or Internet-based transactions could also help limit IVR security risks. In addition, financial institutions should require several security questions to be answered before access to an account is granted via an IVR system.
Security reporter Brian Krebs wrote how attackers can fool several banks' IVR systems, because the systems allow access after answering just three out of five security questions correctly; and several of the questions were based on easily obtainable personally identifiable information, such as date of birth or the last four digits of a Social Security number. Flaws such as this can be easily exploited by attackers.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn about how a new voicemail phishing scam works
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Nick Lewis
USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and ...continue reading
Exaspy spyware, which can access messages, video chats and more, was found on Android devices owned by executives. Expert Nick Lewis explains how ...continue reading
The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.