Interactive voice response (IVR) systems allow people to interact with computers in an automated fashion, through voice or touch-tone phones. Often, these systems process confidential data such as credit card numbers, social security numbers, user PIN information, and other personally identifiable information (PII). McAfee Foundstone’s IVR assessment helps organizations secure their IVR systems and identify security holes before attackers can gain access.
IVR systems are typically used for telephone banking, credit card services, hospitals, and call centers. Now, IVR technology is also being introduced into automobile systems for hands-free operation. Current deployment in automobiles revolves around satellite navigation, audio, and mobile phone systems.
There is a common misconception that these systems are secure and do not pose a real threat to an organization. Most of the time, IVR systems are conveniently left out of regular security testing and internal audits; however, hackers are shifting away from traditional hacking methods and focusing on weak links such as IVR systems.
Foundstone’s IVR testing methodology uses a combination of commercial tools, internally developed utilities, and methodical manual techniques to review the various potential points of security failure on an IVR system and in the communication between the user and the system. Automated testing is performed using internally developed scripts that leverage the Skype API and other tools for DTMF fuzzing. Voice recognition software is used to speed up testing for English-language IVR systems. Moreover, testers review the XML files and architecture diagram to identify implementation and development flaws.
At the beginning of a test, Foundstone requests the following information:
Based on years of experience testing IVR systems, Foundstone broadly classifies the common vulnerabilities into the following categories: