
How can enterprises mitigate IVR security risks?

Interactive voice response systems can be used by attackers to hack into enterprises. Expert Nick Lewis explains the security risks of IVR systems and how to mitigate them.

What are the risks of implementing an interactive voice response system for banking transactions? Can these IVR systems be hacked? And are there additional measures that should also be put in place to reduce IVR security risks?

Phone phreaking was part of the beginnings of old-school hacker culture. Today most security attention goes to IP-enabled systems and computers, but phone systems still need adequate protection. With the growth in credit card and banking transactions done over the phone, these systems should not be ignored just because they do not look like typical IT systems.

IVR systems should run on a securely configured operating system and infrastructure, and the IVR application itself should be built under a secure systems development lifecycle. Most IVR security risks come from business logic flaws or social engineering rather than from classic software vulnerabilities, so building the necessary monitoring capabilities and logic checks into the application to prevent abuse is essential.

Any system that interacts with end users needs to be monitored for suspicious behavior. Traditional security controls that inspect network traffic or log data for suspicious patterns may not be effective at finding IVR security risks, because the abuse takes place inside legitimate-looking call flows rather than in malformed traffic.

Monitoring the telephony layer itself, such as the PBX, makes more sense, but on its own it can still miss business logic flaws and social engineering. For example, if a particular calling number (which can be spoofed) is used for an unusually high number of banking transactions, investigating that number and its transactions can help identify fraud. Applying the same limits to IVR transactions that already exist for in-person, ATM or Internet-based transactions also helps contain IVR security risks. In addition, financial institutions should require several security questions to be answered before granting account access via an IVR system, and should not rely on questions whose answers are easily obtained.
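The following is an added example, not code from the article or from any IVR vendor, of the two controls just described: a per-calling-number velocity check and a per-account daily transfer limit, run over a small set of constructed call records. The record format, the field names (ani, account, type, amount) and the thresholds are assumptions chosen for illustration; a real PBX or IVR platform emits its own call detail record (CDR) format, so the parser is the part you would replace.

```python
"""Velocity and limit checks over IVR transaction records.

Added example, not from the original article. The log format, the field
names and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, calling number (ANI), account,
# transaction type, amount. The first ANI hits six accounts in six minutes,
# the pattern the article says is worth investigating. ANI can be spoofed,
# so it is a fraud signal, not proof of a single attacker.
SAMPLE_LOG = """\
2016-02-01T09:00:05 ani=+15550100 account=10001 type=transfer amount=200.00
2016-02-01T09:01:10 ani=+15550100 account=10002 type=transfer amount=450.00
2016-02-01T09:02:30 ani=+15550100 account=10003 type=transfer amount=300.00
2016-02-01T09:03:45 ani=+15550100 account=10004 type=transfer amount=250.00
2016-02-01T09:05:00 ani=+15550100 account=10005 type=transfer amount=900.00
2016-02-01T09:06:15 ani=+15550100 account=10006 type=transfer amount=120.00
2016-02-01T09:10:00 ani=+15550199 account=20001 type=balance amount=0.00
2016-02-01T09:12:00 ani=+15550199 account=20001 type=transfer amount=700.00
2016-02-01T09:20:00 ani=+15550199 account=20001 type=transfer amount=600.00
2016-02-01T11:00:00 ani=+15550123 account=30001 type=transfer amount=50.00
"""

# Assumed policy values; in practice mirror the limits used for ATM/online.
MAX_TXNS_PER_ANI_PER_WINDOW = 3
VELOCITY_WINDOW = timedelta(minutes=10)
MAX_DISTINCT_ACCOUNTS_PER_ANI = 2
DAILY_TRANSFER_LIMIT_PER_ACCOUNT = 1000.00


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        rec["amount"] = float(rec["amount"])
        return rec
    except (ValueError, KeyError):
        return None


def analyze(log_text):
    """Return (velocity_alerts, multi_account_alerts, limit_rejections).

    velocity_alerts: ANIs with more than MAX_TXNS_PER_ANI_PER_WINDOW
    transfers inside a sliding VELOCITY_WINDOW.
    multi_account_alerts: ANIs touching more than MAX_DISTINCT_ACCOUNTS_PER_ANI
    accounts.
    limit_rejections: transfers that would push an account past its daily
    limit; these are refused before they count toward anything else.
    """
    recent = defaultdict(deque)       # ani -> timestamps of recent transfers
    accounts_seen = defaultdict(set)  # ani -> accounts touched
    daily_total = defaultdict(float)  # (account, date) -> transfer sum
    velocity, multi_account, rejected = set(), set(), []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "transfer":
            continue
        ani, acct, ts, amt = rec["ani"], rec["account"], rec["ts"], rec["amount"]

        # Enforce the per-account daily limit, the same control other channels apply.
        key = (acct, ts.date())
        if daily_total[key] + amt > DAILY_TRANSFER_LIMIT_PER_ACCOUNT:
            rejected.append((acct, ts.isoformat(), amt))
            continue
        daily_total[key] += amt

        # Sliding-window velocity check per calling number.
        window = recent[ani]
        window.append(ts)
        while window and ts - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > MAX_TXNS_PER_ANI_PER_WINDOW:
            velocity.add(ani)

        # One caller ID spread across many accounts is a classic fraud signal.
        accounts_seen[ani].add(acct)
        if len(accounts_seen[ani]) > MAX_DISTINCT_ACCOUNTS_PER_ANI:
            multi_account.add(ani)

    return sorted(velocity), sorted(multi_account), rejected


if __name__ == "__main__":
    for name, result in zip(("velocity", "multi-account", "rejected"), analyze(SAMPLE_LOG)):
        print(f"{name}: {result}")
```

Note that the limit check runs before the velocity bookkeeping: a transfer the bank refuses should never count as a completed transaction, but it should still be logged, since repeated refusals are themselves a signal worth investigating.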

Security reporter Brian Krebs has written about how attackers fooled several banks' IVR systems because the systems granted access after just three of five security questions were answered correctly, and several of the questions were based on easily obtainable personally identifiable information, such as date of birth or the last four digits of a Social Security number. An attacker who has already acquired that PII can pass such a check without knowing anything secret about the victim. Flaws like this are easy to exploit.
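To make the weakness concrete, here is an added example, not code from the article or from any bank, that models a knowledge-based authentication policy and contrasts the 3-of-5 scheme described above with a hardened one. The question names, the tagging of which answers are derivable from commonly available PII, the sample answers and the lockout threshold are all constructed assumptions.

```python
"""Knowledge-based authentication (KBA) policy for an IVR: weak vs. hardened.

Added example, not from the article or any bank. Question names, the
'public' tags, sample answers and the attempt limit are assumptions.
"""
from dataclasses import dataclass, field

# question -> True if the answer is derivable from commonly available PII.
QUESTIONS = {
    "dob": True,                # date of birth: public record
    "ssn4": True,               # last four of SSN: widely leaked
    "zip": True,                # ZIP code: public
    "first_car": False,
    "childhood_street": False,
}

# Constructed true answers for one account.
TRUE_ANSWERS = {
    "dob": "1970-01-01", "ssn4": "1234", "zip": "90210",
    "first_car": "civic", "childhood_street": "elm",
}

# What an attacker who bought or scraped the victim's PII can answer.
ATTACKER_ANSWERS = {"dob": "1970-01-01", "ssn4": "1234", "zip": "90210"}


@dataclass
class KbaPolicy:
    required_correct: int        # answers that must match; None = all in pool
    exclude_public: bool         # drop PII-derived questions from the pool
    max_failed_attempts: int     # lock the account after this many failures
    failures: dict = field(default_factory=dict)  # account -> failed attempts

    def question_pool(self):
        return [q for q, public in QUESTIONS.items()
                if not (self.exclude_public and public)]

    def authenticate(self, account, answers):
        """True if the caller passes; False on failure or when locked out."""
        if self.failures.get(account, 0) >= self.max_failed_attempts:
            return False  # locked: further guesses are not even evaluated
        pool = self.question_pool()
        needed = len(pool) if self.required_correct is None else self.required_correct
        correct = sum(1 for q in pool if answers.get(q) == TRUE_ANSWERS[q])
        if correct >= needed:
            self.failures[account] = 0
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        return False


def make_weak_policy():
    """3 of 5 correct, PII-based questions allowed, effectively no lockout."""
    return KbaPolicy(required_correct=3, exclude_public=False, max_failed_attempts=10**9)


def make_hardened_policy():
    """Every question in the pool must match, no PII-derived questions, lockout after 3."""
    return KbaPolicy(required_correct=None, exclude_public=True, max_failed_attempts=3)


def attacker_passes(policy):
    """Does a caller armed only with leaked PII get in under this policy?"""
    return policy.authenticate("acct-1", ATTACKER_ANSWERS)


def lockout_after_guessing(policy, guesses):
    """Feed wrong guesses; return the attempt number at which lockout occurs, or None."""
    for attempt, guess in enumerate(guesses, 1):
        policy.authenticate("acct-2", guess)
        if policy.failures.get("acct-2", 0) >= policy.max_failed_attempts:
            return attempt
    return None


if __name__ == "__main__":
    print("weak policy, attacker with PII only:", attacker_passes(make_weak_policy()))
    print("hardened policy, attacker with PII only:", attacker_passes(make_hardened_policy()))
    print("hardened policy, legitimate caller:",
          make_hardened_policy().authenticate("acct-1", TRUE_ANSWERS))
```

Under the weak policy the three PII-derived answers alone satisfy the 3-of-5 threshold, so the attacker is in. The hardened policy removes those questions from the pool entirely, requires every remaining answer, and locks the account after a few failures so the rest cannot be guessed at leisure. Which questions count as "public" is a judgment call that should be revisited after every large data breach.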


This was last published in February 2016

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your organization protect its IVR systems from potential attacks?
Cancel
Nothing today is foolproof. Even biometrics are not safe. It's just one of the reasons I do not do online banking; I do not own a smartphone either. I could care less about social media and being connected 24/7. I have sat in on enough seminars about security, identity theft and the like. You can never be too cautious. Websites that ask for my birthday or other personal info to become a member of their club get fake info. They never check in person.