Appendix A: Customer Support Information

Security Risks Associated with the Automated
Attendant Feature of Voice Messaging Systems

Two areas of toll fraud risk associated with the Automated Attendant feature of voice messaging systems are:

• Pooled facility (line/trunk) access codes are translated to a menu prompt to allow Remote Access. If a hacker finds this prompt, the hacker has immediate access. (Dial access to pools is initially factory-set to restrict all extensions: to allow pool access, this restriction must be removed by the System Manager.)
  
  
• If the Automated Attendant prompts callers to use Remote Call Forwarding (RCF) to reach an outside telephone number, the system may be susceptible to toll fraud. An example of this application is a menu or submenu that says, "To reach our answering service, select prompt number 5," and transfers a caller to an external telephone number.

Remote Call Forwarding can be used securely only when the central office provides "reliable disconnect" (sometimes referred to as forward disconnect or disconnect supervision), which guarantees that the central office does not return a dial tone after the called party hangs up. In most cases, the central office facility is a loop-start line/trunk which does not provide reliable disconnect. When loop-start lines/trunks are used, if the calling party stays on the line, the central office does return a dial tone at the conclusion of the call, enabling the caller to place another call as if it were being placed from your company. Ground-start trunks provide reliable disconnect and should be used whenever possible.

Preventive Measures

Take the following preventive measures to limit the risk of unauthorized use of the Automated Attendant feature by hackers:

• Do not use Automated Attendant prompts for Automatic Route Selection (ARS) codes or Pooled Facility codes.
  
  
• Assign all unused Automated Attendant selector codes to zero, so that attempts to dial these are routed to the system attendant.
  
  
• If Remote Call Forwarding (RCF) is required, MERLIN MAGIX Integrated System owners should coordinate with their Avaya Communication Account Team or authorized dealer to verify the type of central office facility used for RCF. If it is a ground-start line/trunk, or if it is a loop-start line/trunk and central office reliable disconnect can be ensured, then nothing else needs to be done.
  
  

In most cases, these are loop-start lines/trunks without reliable disconnect. The local telephone company must be involved in order to change the facilities used for RCF to ground-start line/trunks. Usually, a charge applies for this change. Also, hardware and software changes may be necessary in the MERLIN MAGIX Integrated System. The MERLIN Messaging Automated Attendant feature merely accesses the RCF feature in the MERLIN MAGIX Integrated System. Without these changes being made, this feature is highly susceptible to toll fraud. These same preventive measures must be taken if the RCF feature is active for MERLIN MAGIX Integrated System extensions, whether or not it is accessed by an Automated Attendant menu.

Topics
	Support Telephone Number
	Federal Communications Commission (FCC) Electromagnetic Interference Information
	Canadian Department of Communications (DOC) Interference Information
	FCC Notification and Repair Information
	Installation and Operational Procedures
	DOC Notification and Repair Information
	Renseignements sur la Notification du Ministère des Communications du Canada et a Réparation
	Security of Your System: Preventing Toll Fraud
	Toll Fraud Prevention
	Physical Security, Social Engineering, and General Security Measures Security Risks Associated with Transferring through Voice Messaging Systems Security Risks Associated with the Automated Attendant Feature of Voice Messaging Systems Security Risks Associated with the Remote Access Feature
	Other Security Hints
	Educating Users Educating Operators Detecting Toll Fraud Establishing a Policy Choosing Passwords Physical Security Limiting Outcalling
	Limited Warranty and Limitation of Liability
	Remote Administration and Maintenance