Appendix A: Customer Support Information

Security Risks Associated with Transferring
through Voice Messaging Systems

Toll fraud hackers try to dial into a voice mailbox and then execute a transfer by dialing *T. The hacker then dials an access code (either 9 for Automatic Route Selection or a pooled facility code), followed by the appropriate digit string to either direct dial or access a network operator to complete the call.

All extensions are initially, and by default, restricted from dial access to pools. In order for an extension to use a pool to access an outside line/trunk, this restriction must be removed.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized transfers by hackers:

• Confirm that all MERLIN MAGIX Integrated System voice mail port extension numbers are outward restricted. This denies access to facilities (lines/trunks). Voice mail ports are, by default, outward restricted.
  
  
• As an additional security step, network dialing for all extensions, including voice mail port extensions, should be processed through ARS using dial access code 9.

 

SECURITY ALERT:

The MERLIN MAGIX Integrated System ships with ARS activated with all extensions set to Facility Restriction Level 3, allowing all international calling. To prevent toll fraud, ARS Facility Restriction Levels (FRLs) should be established using: FRL 0 for restriction to internal dialing only. FRL 2 for restriction to local network calling only. FRL 3 for restriction to domestic long-distance (excluding area code 809 for the Dominican Republic as this is part of the North American Numbering Plan, unless 809 is required). FRL 4 for international calling.

 

	WARNING:
	Default local and default toll tables are factory-assigned an FRL of 2. This simplifies the task of restricting extensions: the FRL for an extension merely needs to be changed from the default of 3.

 

	WARNING:
	Each extension should be assigned the appropriate FRL to match its calling requirements. All voice mail port extensions not used for Outcalling should be assigned to FRL 0 (the factory setting).

• Deny access to pooled facility codes by removing pool dial-out codes 70, 890 899, or any others on your system.
  
  
• Create a Disallowed List or use the pre-prepared Disallowed List number 7 to disallow dialing 0, 11, 10, 1700, 1809, 1900, and 976 or 1 (wildcard) 976. Disallowed List number 7 does not include 800, 1800, 411, and 1411, but Avaya Communication recommends that you add them.
  
  

Assign all voice mail port extensions to this Disallowed List. Avaya Communication recommends assigning Disallowed List number 7. This is an added layer of security, in case outward restriction is inadvertently removed. (Voice messaging ports are assigned, by default, to Disallowed List number 7.)

• Program an ARS Facility Restriction Level (FRL) of 2 on voice mail port extensions used for Outcalling.
  
  
• If 800 and 411 numbers are used, remove 1800, 800, 411, and 1411 from Disallowed List number 7.
  
  
• If Outcalling is allowed to long-distance numbers, build an Allowed List for the voice mail port extensions used for Outcalling. This list should contain the area code and the first three digits of the local exchange telephone numbers to be allowed.

Additional general security for voice messaging systems:

• Use a secure password for the General Mailboxes.
  
  
• The default administration mailbox, 9997, must be reassigned to the System Manager's mailbox/extension number and securely password protected.
  
  
• All voice messaging system users must use secure passwords known only to the user.
  

Topics
	Support Telephone Number
	Federal Communications Commission (FCC) Electromagnetic Interference Information
	Canadian Department of Communications (DOC) Interference Information
	FCC Notification and Repair Information
	Installation and Operational Procedures
	DOC Notification and Repair Information
	Renseignements sur la Notification du Ministère des Communications du Canada et a Réparation
	Security of Your System: Preventing Toll Fraud
	Toll Fraud Prevention
	Physical Security, Social Engineering, and General Security Measures Security Risks Associated with Transferring through Voice Messaging Systems Security Risks Associated with the Automated Attendant Feature of Voice Messaging Systems Security Risks Associated with the Remote Access Feature
	Other Security Hints
	Educating Users Educating Operators Detecting Toll Fraud Establishing a Policy Choosing Passwords Physical Security Limiting Outcalling
	Limited Warranty and Limitation of Liability
	Remote Administration and Maintenance