Toll fraud is a serious issue in the telecommunications industry. The fraudulent use of telecommunications technology can be expensive for a company, so the telecom administrator must take the necessary precautions to prevent it. For Unified CCE environments, resources are available at Cisco.com on how to lock down Unified CM systems and mitigate toll fraud.
In Unified ICM, the primary concern is the use of dynamic labels in the label node of a Unified ICM script. If the dynamic label is constructed from information entered by a caller (such as with Run External Script), then it is possible to construct labels of the following form:
These labels might cause the call to be sent to outside lines or even to international numbers. If the dial plans configured in the routing client would allow such numbers to go through, and the customer does not want such labels to be used, then the Unified ICM script must check for valid labels before using them.
A simple example is an ICM script that prompts the caller with "If you know your party's extension, enter it now," and then blindly uses the digits entered in a dynamic label node. The call could then be transferred anywhere. If this behavior is not desired, then either the Unified ICM routing script or the routing client's dial plan must check for and disallow invalid numbers.
An example of a Unified ICM script check is an "If" node that uses an expression such as:
substr (Call.CallerEnteredDigits, 1, 1) = "9"
The True branch of this node would then branch back to ask the caller again. The False branch would allow the call to proceed. This is only an example. Each customer must decide what is and what is not allowed based on their own environment.
Unified ICM does not normally just transfer calls to arbitrary phone numbers. Numbers have to be explicitly configured as legal destinations, or alternatively, the Unified ICM routing script can contain logic that causes the call to be transferred to a phone number that is contained in a script variable. Scripts can be written so that a caller enters a series of digits and the script treats it as a destination phone number, asking the routing client to transfer the call to that number. You should add logic to such a script to make sure the requested destination phone number is reasonable.
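
The "If" node check and the "reasonable destination" logic described above can be modeled as an allow-list, shown here as an added Python example (it is not Unified ICM script syntax and not from the original page). The four-digit extension length, the extension ranges, the re-prompt limit and the fallback label are assumptions chosen for illustration.

```python
import re

# Assumed dial plan for illustration only (not from the original page):
# internal extensions are exactly four digits and fall in these ranges.
ALLOWED_EXTENSION_RANGES = [(2000, 2999), (4100, 4199)]
EXTENSION_LENGTH = 4
# Leading digits rejected outright; "9" is the digit tested in the
# If-node expression above.
BLOCKED_PREFIXES = ("9",)
MAX_ATTEMPTS = 3  # assumed re-prompt limit


def validate_label(digits):
    """Return (ok, reason) for caller-entered digits proposed as a dynamic label."""
    # [0-9] rather than \d so only ASCII digits pass; '*' and '#' are rejected.
    if not re.fullmatch(r"[0-9]+", digits or ""):
        return False, "non-digit or empty input"
    if digits.startswith(BLOCKED_PREFIXES):
        return False, "blocked prefix"
    if len(digits) != EXTENSION_LENGTH:
        return False, "wrong length"
    number = int(digits)
    if not any(low <= number <= high for low, high in ALLOWED_EXTENSION_RANGES):
        return False, "outside configured extension ranges"
    return True, "ok"


def route(attempts):
    """Model the script flow: re-prompt on an invalid entry (the True branch),
    transfer on the first valid one, otherwise fall back to a fixed label."""
    for digits in attempts[:MAX_ATTEMPTS]:
        ok, _reason = validate_label(digits)
        if ok:
            return "transfer:" + digits
    # Statically configured destination, never built from caller input.
    return "default:operator"


if __name__ == "__main__":
    # Constructed sample entries.
    for entry in ["2150", "9011", "215", "21*0", "5000", ""]:
        print(repr(entry), validate_label(entry))
    print(route(["9011", "5000", "4123"]))
```

Checking against what is allowed, rather than only against a single blocked first digit, means an entry that does not start with "9" but is still not a configured extension is also refused.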