What are the risks of implementing an interactive voice response system for banking transactions? Can these IVR systems be hacked? And are there additional measures that should also be put in place to reduce IVR security risks?
Phone phreaking was part of the beginning of old-school hacker culture many years ago. Currently, when it comes to security, most of the attention is on IP-enabled systems and computers, but phone systems still require adequate security. With the increase in credit card and banking transactions done via phones, these systems should not be ignored just because they aren't like most IT systems.
IVR systems should be based on a secure operating system and infrastructure, and the IVR application itself should be developed using a secure systems development lifecycle. IVR security risks involve business logic flaws or social engineering-related vulnerabilities, so programming in the necessary monitoring capabilities and logic checks to prevent abuse is essential.
Any system that interacts with end users needs to be monitored for suspicious behavior. Traditional security controls that monitor network traffic or log data and look for suspicious patterns may not be effective for finding IVR security risks.
Monitoring the IVR system itself, such as the PBX phone system behind it, might make more sense, but this could still miss business logic flaws or social engineering vulnerabilities. For example, if a particular phone number, which could be spoofed, is used for an unusually high number of banking transactions, investigating that phone number and its transactions could help identify potential fraud. Applying the same limits to financial transactions via an IVR system that already exist for in-person ATM or Internet-based transactions could also help limit IVR security risks. In addition, financial institutions should require several security questions to be answered before access to an account is granted via an IVR system.
Security reporter Brian Krebs wrote about how attackers can fool several banks' IVR systems, because the systems allow access after answering just three out of five security questions correctly, and several of the questions were based on easily obtainable personally identifiable information, such as date of birth or the last four digits of a Social Security number. Flaws such as this can be easily exploited by attackers.
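The per-caller monitoring and ATM-style transaction limits described above, as an added illustration that is not part of the original answer. The log format, thresholds and transaction records are all constructed for the example; a caller ID (ANI) can be spoofed, so a flagged number is a lead for investigation, not proof of fraud.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IVR transaction log (not from any real system).
# Fields: timestamp, caller_id (ANI, spoofable), account, amount_usd
SAMPLE_LOG = """\
2017-03-01T09:01:10 +15550001111 ACCT-100 200.00
2017-03-01T09:05:42 +15550001111 ACCT-101 450.00
2017-03-01T09:09:03 +15550001111 ACCT-102 300.00
2017-03-01T09:12:55 +15550001111 ACCT-103 500.00
2017-03-01T10:30:00 +15550002222 ACCT-200 100.00
2017-03-01T11:00:00 +15550002222 ACCT-200 350.00
2017-03-01T11:45:00 +15550002222 ACCT-200 200.00
"""

MAX_TXNS_PER_CALLER_PER_DAY = 3      # assumed cap, like an ATM withdrawal count
MAX_ACCOUNTS_PER_CALLER_PER_DAY = 2  # one caller touching many accounts is unusual
DAILY_ACCOUNT_LIMIT_USD = 500.00     # assumed to mirror the ATM/online daily limit

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, caller, acct, amount = line.split()
        rows.append((datetime.fromisoformat(ts), caller, acct, float(amount)))
    return rows

def flag_callers(rows):
    """Return {caller_id: reason} for callers exceeding per-day thresholds."""
    txns = defaultdict(int)
    accounts = defaultdict(set)
    for ts, caller, acct, _ in rows:
        key = (caller, ts.date())
        txns[key] += 1
        accounts[key].add(acct)
    flagged = {}
    for (caller, day), n in txns.items():
        if n > MAX_TXNS_PER_CALLER_PER_DAY:
            flagged[caller] = f"{n} IVR transactions on {day}"
        elif len(accounts[(caller, day)]) > MAX_ACCOUNTS_PER_CALLER_PER_DAY:
            flagged[caller] = f"{len(accounts[(caller, day)])} accounts on {day}"
    return flagged

def over_limit_accounts(rows):
    """Return {account: daily_total} where the IVR daily limit was exceeded."""
    totals = defaultdict(float)
    for ts, _, acct, amount in rows:
        totals[(acct, ts.date())] += amount
    return {acct: t for (acct, _), t in totals.items() if t > DAILY_ACCOUNT_LIMIT_USD}
```

In a real deployment the same checks would run against the IVR application's own transaction log, with thresholds tuned to the institution's existing channel limits.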