Unauthorized Mailbox Use
One type of voice mail fraud occurs when a hacker is able to break in to a voice mail system. Once connected, the hacker can access a mailbox and change its password and greeting. This provides the hacker full use of the mailbox, which can be costly if access is gained to the voice mail system through an 800 number.
Note If a subscriber receives any strange messages or reports that his or her personal greeting was changed, or if for any other reason you suspect that your messaging facilities are being used by someone else, contact Avaya Toll Fraud Crisis Intervention.
Mailbox Administration to Prevent Unauthorized Use
Several precautionary measures can be taken to prevent unauthorized use of your voice mail system. These are:
Administer your system so that the number of consecutive unsuccessful attempts permitted to log in to a mailbox is low. This helps block break-in attempts.
Deactivate unassigned mailboxes. When an employee leaves the company, remove the subscriber profile and, if necessary, reassign the mailbox.
Do not create mailboxes before they are needed.
Subscriber Mailbox Security and Password Administration
To minimize the risk of unauthorized access to your messaging mailboxes, ensure that your subscribers follow these guidelines for messaging passwords.
Establish minimum requirements for creating a password. For example, a password must be at least five digits and a minimum length of at least one digit greater than the extension number length. For maximum security, subscriber's passwords can be up to 15 digits.
Require that new subscribers change the default password the first time they log in to the messaging software. This ensures that only the subscriber has access to his or her mailbox.
Administer the Password Aging field located on the System Parameters Features screen. Password Aging requires subscribers to change their password at a predefined interval. See Defining Basic Features and Parameters for additional information on password aging and the System Parameters Features screen.
Prohibit personal greetings that indicate the called extension will accept calls billed to a third party.
Prohibit the use of obvious or trivial passwords, such as a room number, employee identification number, social security number, or easily guessed numeric combinations.
Discourage the practice of writing down passwords, storing them, or sharing them with others. If a subscriber must write down a password, advise the subscriber to keep the document that contains the password in a secure place. Never discard a document that includes a password while the password is active.
Prohibit the programming of passwords onto auto-dial buttons.