Technical information
MERLIN LEGEND/MAGIX Toll Fraud
Issue 7 June 2001
5-21
Security Risks Associated with Transferring
through Voice Messaging Systems
Toll fraud hackers try to dial into a voice mailbox and then execute a transfer by
dialing
*T. The hacker then dials an access code (either 9 for Automatic Route
Selection or a pooled facility code), followed by the appropriate digit string to
either direct dial or access a network operator to complete the call.
All extensions are initially, and by default, restricted from dial access to pools. In
order for an extension to use a pool to access an outside line/trunk, this restriction
must be removed.
Preventive Measures
Take the following preventive measures to limit the risk of unauthorized transfers
by hackers:
Confirm that all MERLIN MAGIX Integrated System voice mail port
extension numbers are outward restricted. This denies access to facilities
(lines/trunks). Voice mail ports are, by default, outward restricted.
As an additional security step, network dialing for all extensions, including
voice mail port extensions, should be processed through ARS using dial
access code
9.
****SECURITY ALERT****
The MERLIN MAGIX Integrated System ships with ARS activated with all
extensions set to Facility Restriction Level 3, allowing all international calling. To
prevent toll fraud, ARS Facility Restriction Levels (FRLs) should be established
using:
FRL 0 for restriction to internal dialing only.
FRL 2 for restriction to local network calling only.
FRL 3 for restriction to domestic long-distance (excluding area code 809 for
the Dominican Republic as this is part of the North American Numbering Plan,
unless 809 is required).
FRL 4 for international calling.
WARNING:
Default local and default toll tables are factory-assigned an FRL of 2. This
simplifies the task of restricting extensions: the FRL for an extension merely
needs to be changed from the default of 3.