
How can enterprises mitigate IVR security risks?

Interactive voice response systems can be used by attackers to hack into enterprises. Expert Nick Lewis explains the security risks of IVR systems and how to mitigate them.

What are the risks of implementing an interactive voice response system for banking transactions? Can these IVR systems be hacked? And are there additional measures that should also be put in place to reduce IVR security risks?

Phone phreaking was part of the beginning of old-school hacker culture many years ago. Currently, when it comes to security, most of the attention is on IP-enabled systems and computers, but phone systems still require adequate security. With the increase in credit card and banking transactions done via phones, these systems should not be ignored just because they aren't like most IT systems.

IVR systems should be based on a secure operating system and infrastructure, and the IVR application itself should be developed using a secure systems development lifecycle. IVR security risks involve business logic flaws or social engineering-related vulnerabilities, so programming in the necessary monitoring capabilities and logic checks to prevent abuse is essential.

Any system that interacts with end users needs to be monitored for suspicious behavior. Traditional security controls that monitor network traffic or log data and look for suspicious patterns may not be effective for finding IVR security risks.

Monitoring the IVR platform itself, including the PBX phone system it runs on, might make more sense, but even that could miss business logic flaws or social engineering vulnerabilities. For example, if a particular phone number, which could be spoofed, is used for an unusually high number of banking transactions, investigating the phone number and the transactions could help identify potential fraud. Putting the same kinds of limits on financial transactions made via an IVR system that already exist for in-person ATM or Internet-based transactions could also help limit IVR security risks. In addition, financial institutions should require several security questions to be answered before access to an account is granted via an IVR system.
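The two controls just described, a velocity check on the calling number and ATM-style transaction limits, can both be run over the IVR application's own transaction records. The following is an added example, not code from the original article or from any IVR vendor; the log format, the field names and the thresholds are assumptions, and the sample records are constructed. It treats the calling number (ANI) as something to investigate rather than as proof of identity, since the article notes it can be spoofed.

```python
"""Velocity and limit checks over IVR banking transactions (added example).

Flags (a) calling numbers used for an unusually high number of money-moving
transactions inside a sliding time window and (b) individual transfers, or
same-day account totals, that exceed limits mirroring those used for ATM
transactions. All thresholds and the log layout are assumed, not taken from
any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one IVR transaction per line:
# ISO timestamp, calling number (ANI), account id, action, amount (USD)
SAMPLE_LOG = """\
2016-02-01T09:00:12 +1-555-0100 acct-1001 transfer 250.00
2016-02-01T09:03:40 +1-555-0100 acct-1002 transfer 400.00
2016-02-01T09:05:02 +1-555-0100 acct-1003 transfer 300.00
2016-02-01T09:07:55 +1-555-0100 acct-1004 transfer 150.00
2016-02-01T09:10:10 +1-555-0100 acct-1005 transfer 500.00
2016-02-01T09:11:00 +1-555-0100 acct-1006 transfer 200.00
2016-02-01T10:30:00 +1-555-0199 acct-2001 balance 0.00
2016-02-01T11:15:00 +1-555-0142 acct-3001 transfer 2500.00
2016-02-01T11:20:00 +1-555-0142 acct-3001 transfer 900.00
2016-02-01T12:00:00 +1-555-0177 acct-4001 transfer 75.00
"""

# Assumed policy values, chosen to mirror typical ATM-style limits.
MAX_TXN_PER_ANI = 5                 # transfers allowed per calling number per window
VELOCITY_WINDOW = timedelta(hours=1)
PER_TXN_LIMIT = 1000.00             # largest single IVR transfer
DAILY_ACCOUNT_LIMIT = 3000.00       # cumulative transfers per account per day


def parse_log(text):
    """Parse the whitespace-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ani, account, action, amount = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ani": ani,
            "account": account,
            "action": action,
            "amount": float(amount),
        })
    return records


def velocity_alerts(records, max_txn=MAX_TXN_PER_ANI, window=VELOCITY_WINDOW):
    """Return {ani: count} for calling numbers whose transfers exceed max_txn
    within any sliding window of the given length. Balance inquiries are
    ignored; only transactions that move money count."""
    by_ani = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["action"] == "transfer":
            by_ani[r["ani"]].append(r["ts"])
    flagged = {}
    for ani, times in by_ani.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_txn:
                flagged[ani] = end - start + 1
                break
    return flagged


def limit_alerts(records, per_txn=PER_TXN_LIMIT, daily=DAILY_ACCOUNT_LIMIT):
    """Return (alert_type, account, amount) tuples for transfers above the
    per-transaction cap and for accounts whose same-day total crosses the
    daily cap. Both caps mirror what an ATM channel would enforce."""
    alerts = []
    daily_total = defaultdict(float)   # (account, date) -> running total
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["action"] != "transfer":
            continue
        if r["amount"] > per_txn:
            alerts.append(("per_txn_limit", r["account"], r["amount"]))
        key = (r["account"], r["ts"].date())
        daily_total[key] += r["amount"]
        if daily_total[key] > daily:
            alerts.append(("daily_limit", r["account"], daily_total[key]))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ani, n in velocity_alerts(recs).items():
        print(f"investigate caller {ani}: {n} transfers within {VELOCITY_WINDOW}")
    for kind, account, amount in limit_alerts(recs):
        print(f"{kind} exceeded on {account}: {amount:.2f}")
```

In a production IVR the limit checks would run inline, before the transfer is committed, while the velocity check would feed the fraud team's queue; neither replaces caller authentication, because a spoofed number still looks like one caller to this logic.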

Security reporter Brian Krebs wrote about how attackers fooled several banks' IVR systems because the systems granted access after just three out of five security questions were answered correctly, and several of the questions were based on easily obtainable personally identifiable information, such as date of birth or the last four digits of a Social Security number. Flaws such as this are easily exploited by attackers.
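A bank can catch the weakness Krebs described before an attacker does by reviewing the IVR's knowledge-based authentication policy as data rather than as a configuration screen. The following is an added example, not code from the original article or from any bank's IVR; the question set, the "public_pii" and "private" strength labels, and the lockout counts are assumptions. It models a 3-of-5 policy with three PII-derived questions beside a stricter one, and shows which policy findings each produces.

```python
"""Evaluating an IVR knowledge-based authentication (KBA) policy (added example).

Models the weakness described above: a threshold of 3 correct answers out
of 5 questions, where 3 of those questions are derived from easily obtained
PII, so the threshold can be met without knowing anything private. Question
wording and strength labels are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    prompt: str
    # "public_pii": data commonly found in public records or breach dumps
    # "private":    data only the account holder and the bank should know
    strength: str


@dataclass(frozen=True)
class KbaPolicy:
    questions: tuple
    required_correct: int      # answers that must match before access is granted
    max_failed_sessions: int   # failed sessions before IVR access is locked; 0 = never


def policy_findings(policy):
    """Return a list of finding codes describing weaknesses in the policy.
    An empty list means none of the modelled weaknesses are present."""
    findings = []
    n = len(policy.questions)
    public = sum(1 for q in policy.questions if q.strength == "public_pii")
    if policy.required_correct < n:
        # k-of-n lets a caller skip the questions they cannot answer
        findings.append("partial_threshold")
    if policy.required_correct <= public:
        # the bar can be cleared with publicly obtainable data alone
        findings.append("pii_only_pass")
    if policy.max_failed_sessions <= 0:
        # unlimited retries across calls
        findings.append("no_lockout")
    return findings


def authenticate(policy, results, failed_sessions_so_far):
    """Decide an IVR session. `results` holds one bool per question, True when
    the caller's answer matched. Returns 'locked', 'granted' or 'denied'."""
    if 0 < policy.max_failed_sessions <= failed_sessions_so_far:
        return "locked"
    correct = sum(1 for ok in results if ok)
    return "granted" if correct >= policy.required_correct else "denied"


# Constructed question bank (assumed, not any bank's real question set).
QUESTIONS = (
    Question("Date of birth", "public_pii"),
    Question("Last four digits of Social Security number", "public_pii"),
    Question("Mother's maiden name", "public_pii"),
    Question("Amount of your most recent deposit", "private"),
    Question("One-time code sent to the phone number on file", "private"),
)

# The pattern Krebs described: pass on 3 of 5, no lockout.
WEAK_POLICY = KbaPolicy(QUESTIONS, required_correct=3, max_failed_sessions=0)
# Same questions, but every answer must match and repeated failures lock the channel.
STRICT_POLICY = KbaPolicy(QUESTIONS, required_correct=5, max_failed_sessions=3)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, policy_findings(policy) or "no findings")
    # A caller who knows only the three PII-derived answers:
    pii_only = [True, True, True, False, False]
    print("weak policy, PII only:", authenticate(WEAK_POLICY, pii_only, 0))
    print("strict policy, PII only:", authenticate(STRICT_POLICY, pii_only, 0))
```

The `pii_only_pass` finding is the one that matters most here: a 3-of-5 threshold is only as strong as the three weakest questions, so raising the threshold or replacing PII-derived questions with answers the bank alone can verify closes the gap, and a lockout bounds how many sessions an attacker gets to try.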


This was last published in February 2016
