" /> ISCC over PSTN - Genesys CTI User Forum
« previous next »
Pages: [1]   Go Down

Author Topic: ISCC over PSTN  (Read 3046 times)

GenUser

  • Guest
ISCC over PSTN
« on: March 03, 2010, 03:54:01 AM »
Advertisement
Whenever a route ISCC is done over PSTN, are we introducing some kind of security hole in the system?

An example scenario –

A. A customer call is authenticated by IVR In front. Sensitive data attached.
B. Customer wants to talk to an agent. IVR requests ISCC for transferring a call to Avaya PBX.
C. Avaya T-Server assigns ERP and sends the access number – which is a public number.
D. Before IVR can dial the access number, someone from public network dials that number.

In this scenario, T-Server will most likely think this call as the original customer call and attach all data gathered by the customer call with this new call.

Of course having private trunks will help. But is there anything anyone knows of if it could be addressed in above scenario in some elegant way?

Thanks for any help.
Logged
Marked as best answer by on Today at 10:11:00 PM

Offline René

  • Administrator
  • Hero Member
  • *****
  • Posts: 1832
  • Karma: 62
Re: ISCC over PSTN
« Reply #1 on: March 03, 2010, 09:20:00 AM »
  • Undo Best Answer
    • Hi GenUser,

    Yes, it sounds you have a security issue ;) What kind of ISCC transaction do you use? Route? If your answer is yes then TServer will match any call arriving to External DN and attach UserData passed from IVR to this call.

    You have two options

    1/ Change the public number used for transfer - it should be dedicated to transfer only and should not be presented to public/customers
    2/ Change ISCC transaction type so TServer will do some call matching (e.g. route-uui, direct-ani)

    Please be aware that 2nd option will require some configuration changes and it's necessary to do proper testing before going live!

    R.
    Logged

    Offline rpenney

    • Jr. Member
    • **
    • Posts: 64
    • Karma: 2
    Re: ISCC over PSTN
    « Reply #2 on: March 04, 2010, 07:41:45 AM »
    I posted last night but the site was having problems so here goes again

    I have dealt with this issue several times with paranoid clients (Banks) and each time the result is that it is a non-issue.

    Don't make the External Route Points in a known range of numbers (known to customers or staff) and the probability of there being a security risk is so minimal that PINs are easier to guess. Remember you have to know the ERP that will be chosen next and be able to dial in the exact instant to "spoof" a call.

    The only way I have been able to get one call through is by having an IVR making hundreds of call while I make a test call. Each call that hits an ERP is either caught by the switch programming or directed to the default_destination so you would notice a sudden burst of calls.

    As I said it is a non-issue
    Logged
    Pages: [1]   Go Up
    « previous next »