Voice Messaging System Security
Voice messaging systems have two areas of weakness:
■ codes that transfer to inside or outside dial tone
■ mailboxes that can be used as message drops
Once thieves transfer to inside dial tone, they have access to any unprotected switch features. Preventing this type of abuse requires security at both the switch and at the voice messaging system.
Once thieves break into a mailbox, they can use it as a message drop for untraceable calls or for illegal activities. If you have 800 lines that can connect to your voice messaging system, thieves can pass stolen information around at your expense using your 800 lines. If you have user-administrable outcalling, they can pass stolen information around at your expense automatically. Preventing this type of abuse requires security at the voice messaging system and on the part of your subscribers.
■ Cellular phones can be monitored. If a subscriber enters a mailbox number and a password on a cellular phone, the mailbox number and the password will be known to anyone listening.
■ To break a password, every word in a computerized 100,000
Security Tips
To help prevent toll fraud at the voice messaging system, follow these guidelines:
■ Do not create voice mailboxes before they are needed.
■ Deactivate unassigned mailboxes. When an employee leaves the company, close or reassign the mailbox.
■ Do not have permanent “guest” mailboxes (mailboxes without a physical extension that are loaned to outsiders for the duration of a project). If you need a guest mailbox, assign it when it is needed and deactivate or change its password immediately after it is no longer needed. Do not reassign a guest mailbox without changing the password.
■ Lock out multiple unsuccessful attempts to enter a voice mailbox on a single call. (Allow no more than two or three attempts on the same call.)
■ Do not use default initial passwords that follow any scheme. Have a list of random passwords and select one when you create the mailbox. Require that the mailbox owner personally appear at the corporate security office or telecommunications office to obtain the initial password. Go over the subscriber password guidelines with the subscriber when you give out the initial password.
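One way to build and use the list of random initial passwords described in the last guideline, as an added example that is not part of the original guide or of any voice messaging product. The 8-digit length, the function names and the mailbox number 5501 are assumptions made for illustration.

```python
import secrets

DIGITS = "0123456789"

def follows_scheme(pin: str, mailbox: str) -> bool:
    """True if the PIN is derivable from the mailbox number or is a trivial pattern."""
    if mailbox and (mailbox in pin or mailbox[::-1] in pin or pin in mailbox):
        return True                                  # built from the mailbox number
    if len(set(pin)) == 1:
        return True                                  # 0000, 7777
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return True                                  # 1234, 8901, 4321
    half = len(pin) // 2
    return len(pin) % 2 == 0 and pin[:half] == pin[half:]   # 4747, 12341234

def build_pool(count: int, length: int = 8) -> list[str]:
    """Pre-generate the list of random passwords, using the OS CSPRNG."""
    pool: list[str] = []
    while len(pool) < count:
        pin = "".join(secrets.choice(DIGITS) for _ in range(length))
        if pin not in pool and not follows_scheme(pin, ""):
            pool.append(pin)
    return pool

def issue(pool: list[str], mailbox: str) -> str:
    """Select one unused password for a new mailbox and retire it from the list."""
    candidates = [p for p in pool if not follows_scheme(p, mailbox)]
    if not candidates:
        raise RuntimeError("password list exhausted; generate a new one")
    pin = secrets.choice(candidates)
    pool.remove(pin)                                 # never hand out the same value twice
    return pin

if __name__ == "__main__":
    pool = build_pool(20)
    print("mailbox 5501 initial password:", issue(pool, "5501"))  # constructed mailbox number
```

The same follows_scheme check can be run against initial passwords already in use to find ones that need to be replaced.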