MERLIN LEGEND Communications System Release 6.0
System Programming
555-660-111 Issue 1
February 1998
Customer Support Information
Page A-15
Toll Fraud Prevention
NOTE:
In most cases these will be loop-start lines/trunks without reliable
disconnect. The local telephone company will need to be involved to
change the facilities used for RCF to ground start lines/trunks. Usually a
charge applies for this change. Also, hardware and software changes may
need to be made in the MERLIN LEGEND Communications System. The
MERLIN MAIL and MERLIN LEGEND MAIL Automated Attendant feature
merely accesses the RCF feature in the MERLIN LEGEND
Communications System. Without these changes being made, this feature
is highly susceptible to toll fraud. These same preventive measures must
be taken if the RCF feature is active for MERLIN LEGEND Communications
System extensions whether or not it is accessed by an Automated
Attendant menu.
Security Risks Associated with the Remote Access Feature
Remote Access allows the MERLIN LEGEND Communications System owner to
access the system from a remote telephone and make an outgoing call or perform
system administration, using the network facilities (lines/trunks) connected to the
MERLIN LEGEND Communications System. Hackers, scanning the public
switched network by randomly dialing numbers with war dialers (devices that
randomly dial telephone numbers, including 800 numbers, until a modem or dial
tone is obtained), can find this feature, which will return a dial tone to them. They
can even employ war dialers to attempt to discover barrier codes.
Preventive Measures
Take the following preventive measures to limit the risk of unauthorized use of the
MERLIN LEGEND Communications System Remote Access feature by hackers:
- The Remote Access feature can be abused by criminal toll fraud hackers, if
  it is not properly administered. Therefore, this feature should not be used
  unless there is a strong business need.
- It is strongly recommended that customers invest in security adjuncts,
  which typically use one-time passcode algorithms. These security adjuncts
  discourage hackers. Since a secure use of the Remote Access feature
  generally offers savings over credit-card calling, the break-even period can
  make the investment in security adjuncts worthwhile.
- If a customer chooses to use the Remote Access feature without a security
  adjunct, then multiple barrier codes should be employed, with one per user
  if the system permits. The MERLIN LEGEND system permits a maximum
  of 16 barrier codes.