Thursday, April 3, 2008

Is your VMX password worth $13,000?

I normally stay in touch with security trends and happenings through the many groups and lists I belong to. However, a story jumped out at me today that was listed on Fark. Yes, I prefer to get my news from an aggregator - and Fark is one of my favorites. Here's the headline that caught my eye (link to the original story):

Motivation #1345789 for changing the default password on all devices: The $13,000 bill you get stuck with when someone changes your voicemail greeting to "Operator, I will accept the charges."

Now, people have been abusing telephone systems for years to make calls on someone else's dime. However, this is the first time I have read about a voice mail greeting being used to fraudulently accept charges for a collect call. Should this have been anticipated? Frankly, yes, if your job includes the mindset of a security professional.

In the world of Information Security we know that to prevent systems from being abused, controls need to be put in place and validated. In this case at least a couple of layers of controls were missing. First and foremost, a good (and well-enforced) password policy would take into account all systems, including voice mail passwords. Most phone systems now allow passwords of up to eight digits and have a complexity filter. User education is important in this area, and in my last job I taught users to spell a phrase for their voice mail password. For example - IHATEVMX equates to 44283969.
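A sketch of the two ideas above, spelling a phrase on the keypad and running the result through a complexity filter, added here as an example and not taken from the original post or from any phone system's software. The function names, the rule set, the eight-digit minimum and the sample phrases and extension are assumptions made for illustration.

```python
import string

# ITU E.161 keypad letter groups (the lettering printed on a phone keypad).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, group in KEYPAD.items() for ch in group}


def phrase_to_pin(phrase):
    """Spell a phrase on the keypad. Digits pass through; spaces and
    punctuation are dropped."""
    digits = []
    for ch in phrase.upper():
        if ch in string.digits:
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
    return "".join(digits)


def pin_problems(pin, extension="", min_len=8):
    """Return the reasons a PIN should be rejected (empty list = accept).
    The rule set and min_len=8 are assumptions for this example."""
    if not pin or any(ch not in string.digits for ch in pin):
        return ["not_numeric"]
    problems = []
    if len(pin) < min_len:
        problems.append("too_short")
    if len(set(pin)) == 1:
        problems.append("repeated_digit")
    # Step between neighbouring digits, modulo 10 so 9->0 counts as a run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        problems.append("sequential")
    if extension and (extension in pin or extension[::-1] in pin):
        problems.append("contains_extension")
    return problems


if __name__ == "__main__":
    # Constructed sample phrases and a constructed extension number.
    for phrase in ("Call Home!", "AAAAAAAA", "1234"):
        pin = phrase_to_pin(phrase)
        print(phrase, "->", pin, pin_problems(pin, extension="5150"))
```

A memorable phrase can still spell a weak PIN (the constructed "AAAAAAAA" becomes eight identical digits), so the filter runs on the digits, not on the phrase.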

Further, most phone systems allow for limiting and accounting of calling options (such as international long distance) by requiring a user password that is different from the voice mail password. While this might be a burden to some, a clear example like this story can help users understand why they need to take the extra few seconds for each call.

In all, I am a bit glad and a bit frustrated that the business owners got the charges reversed on their bills. In some ways, the scare alone may have been enough of a lesson; however, a precedent is being set that if your automated systems are not configured properly, you won't have to pay for it.

Creative Commons image credit: richardandgill
