According to this article in SecurityNewsDaily, hackers can send certain DTMF (touch tone) signals through a system to jerk it around or crash it:
“No banks or organizations are testing IVRs because they think the systems are secure, but in reality, they are not. No firewall or CAPTCHAs monitor voice traffic,” said Rahul Sasi, who works for security company iSight Partners.
Sasi explained that when a system’s audio processing algorithms are fed strange DTMF (dual-tone multi-frequency) signals, it can cause the entire system to behave strangely or crash entirely.
I’ve heard about the golden days of phreaking (hacking phone networks) and read about the “blue box” (Apple founders Steve Wozniak and Steve Jobs have been known to pull a few notable pranks with it in their younger years), but never in recent decades about rogue touch tones causing havoc among phone networks. One of the largest security threats today is DDoS (distributed denial-of-service) attacks, which flood networks and cripple computers.
Also, the statement about IVRs going into production without adequate testing is absurd, especially in the financial sector. There’s a handful of companies that specialize in nothing but IVR testing, and they are doing very well. IVRs are almost always tested for call flow accuracy, speech recognition, performance under load, and redundancy (if applicable). It’s like any other system that’s put into production — why would IVRs be treated any differently in terms of quality control?
Of course, that’s not to say that IVR account PINs or passwords couldn’t be compromised through some sort of brute force attack, although that would have to take a lot more resources due to the nature of IVR systems. Normally the IVR will send a call to an agent if PIN input attempts exceed a certain number. That means a hacker would have to redial many, many times into the system. And usually PIN input errors will get flagged, as will a flood of attempts coming from a certain line. Additionally, there are strict laws which apply to banking account access on a system, so a lot of times it’s not just a combination of account and PIN, but also some other piece of personal information is required to retrieve actual account data.
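To make the two controls described above concrete (agent hand-off after repeated PIN failures on an account, and flagging a calling line that floods the system or probes many accounts), here is a small added example of how that guard logic can be modelled. It is not code from the article or from any IVR vendor; the thresholds, the account/PIN table and the line identifiers are constructed for illustration.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds; real IVR deployments choose their own.
MAX_PIN_FAILURES_PER_ACCOUNT = 3   # then hand the caller to an agent
MAX_ATTEMPTS_PER_LINE = 10         # raw attempt flood from one line
MAX_ACCOUNTS_PER_LINE = 3          # one line trying many different accounts


@dataclass
class PinAttemptGuard:
    """Tracks PIN attempts per account and per calling line (ANI)."""
    pins: dict                      # constructed test data: account -> PIN
    account_failures: dict = field(default_factory=lambda: defaultdict(int))
    line_attempts: dict = field(default_factory=lambda: defaultdict(int))
    line_accounts: dict = field(default_factory=lambda: defaultdict(set))
    flagged_lines: set = field(default_factory=set)

    def attempt(self, line: str, account: str, pin: str) -> str:
        """Returns the IVR action for this attempt:
        'authenticated', 'retry', 'transfer_to_agent' or 'flag_line'."""
        self.line_attempts[line] += 1
        self.line_accounts[line].add(account)

        # Flood detection on the calling line: too many attempts overall,
        # or too many distinct accounts probed from the same line.
        if (self.line_attempts[line] > MAX_ATTEMPTS_PER_LINE
                or len(self.line_accounts[line]) > MAX_ACCOUNTS_PER_LINE):
            self.flagged_lines.add(line)
            return "flag_line"

        # An account already over the failure limit stays with an agent,
        # even if the PIN supplied now happens to be correct.
        if self.account_failures[account] >= MAX_PIN_FAILURES_PER_ACCOUNT:
            return "transfer_to_agent"

        # Constant-time comparison; unknown accounts compare against "".
        if hmac.compare_digest(self.pins.get(account, ""), pin):
            self.account_failures[account] = 0
            return "authenticated"

        self.account_failures[account] += 1
        if self.account_failures[account] >= MAX_PIN_FAILURES_PER_ACCOUNT:
            return "transfer_to_agent"
        return "retry"
```

A line that ends up in `flagged_lines` is what the post calls a flood getting flagged; in a real system that set would feed an alert or a block list rather than stay in memory.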
But I’m going to keep my mind open and invite anybody who’s actually hacked IVRs via DTMF to chime in. After all, if this turns out to be a major ignored security vulnerability then it’s worth disclosing for everybody’s sake.