What are the risks of implementing an interactive voice response system for banking transactions? Can these IVR...
systems be hacked? And are there additional measures that should also be put in place to reduce IVR security risks?
Phone phreaking was part of the beginning of old-school hacker culture many years ago. Currently, when it comes to security, most of the attention is on IP-enabled systems and computers, but phone systems still require adequate security. With the increase in credit card and banking transactions done via phones, these systems should not be ignored just because they aren't like most IT systems.
IVR systems should be based on a secure operating system and infrastructure, and the IVR application itself should be developed using a secure systems development lifecycle. IVR security risks involve business logic flaws or social engineering-related vulnerabilities, so programming in the necessary monitoring capabilities and logic checks to prevent abuse is essential.
Any system that interacts with end users needs to be monitored for suspicious behavior. Traditional security controls that monitor network traffic or log data and look for suspicious patterns may not be effective for finding IVR security risks.
Monitoring an IVR system, such as a PBX phone system, might make more sense, but this could miss business logic flaws or social engineering vulnerabilities. For example, if a particular phone number, which could be spoofed, is used for an unusually high number of banking transactions, investigating the phone number and the transactions could help identify potential fraud. Putting similar limits on financial transactions via an IVR system that exist for in-person ATM or Internet-based transactions could also help limit IVR security risks. In addition, financial institutions should require several security questions to be answered before access to an account is granted via an IVR system.
Security reporter Brian Krebs wrote how attackers can fool several banks' IVR systems, because the systems allow access after answering just three out of five security questions correctly; and several of the questions were based on easily obtainable personally identifiable information, such as date of birth or the last four digits of a Social Security number. Flaws such as this can be easily exploited by attackers.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read more on techniques for social engineering penetration testing
Learn about how a new voicemail phishing scam works
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading