Hacked IVR Security

I am running a FreePBX 2.5.2.2 on Asterisk 1.4.21.2 (in process of setting up a newer system, but have to leave the production server in place for now). We have 24 POTS lines connected with ZAPtel cards.

Not long ago, we experienced one of our “Misc Destinations” being exploited for making International calls. The way we have it set up is that the IVR allows customers to press a number to get our Emergency Support line (which forwards to a cell phone). But what happened was the person with that cell phone was receiving calls that were just silence (with the caller ID of our office). And this would happen repeatedly.

Then when we checked our logs, many International calls were being made from our system – during those silent calls (which was after work hours). A consultant suggested we use a Ring Group to call the cell phone, instead of a Misc Destination, and add to the IVR Entries a “t” Ext that dials our reception (I’m not sure exactly what this does, but apparently it stands for “timeout”). After these changes, the symptoms and rogue international calls stopped completely.

Our consultant also recommends filling every single IVR entry from 0 - 9, even if it directs itself back to the IVR.

I wanted to check these IVR security methods with the community for A) validity, B) what they do and C) any other recommended security points to take into account with IVRs or the system in general.
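For readers arriving at this thread: the following `extensions.conf` fragment is an added illustration of the three recommendations above (a fixed destination for the emergency number, a `t` timeout handler, and every digit 0-9 defined), written in raw Asterisk 1.4 dialplan syntax. It is not the FreePBX-generated dialplan and not code from the original post; the context names, the extension numbers, the sound file names and the cell number are assumed placeholders.

```ini
; Hardened IVR context (added example, not FreePBX output).
; Assumptions: reception is extension 200, the emergency cell number is a
; placeholder, prompts are custom/main-menu and invalid, Zap/g0 is the POTS group.
[ivr-main]
exten => s,1,Answer()
exten => s,n,Set(TIMEOUT(digit)=3)        ; seconds allowed between digits
exten => s,n,Set(TIMEOUT(response)=10)    ; seconds to wait for the first digit
exten => s,n,Background(custom/main-menu) ; play the menu, accept DTMF
exten => s,n,WaitExten()                  ; then wait for a digit

; Every single digit 0-9 is defined here, so no keypress is left for
; pattern matching or an included context to pick up.
exten => 1,1,Goto(ring-emergency,s,1)     ; emergency support (ring group below)
exten => 2,1,Goto(ext-local,200,1)        ; reception
exten => _[03-9],1,Playback(invalid)      ; all other digits: replay the menu
exten => _[03-9],n,Goto(ivr-main,s,1)

; "i" is reached on an invalid or unmatched entry: send the caller back to the menu.
exten => i,1,Playback(invalid)
exten => i,n,Goto(ivr-main,s,1)

; "t" is reached when the caller presses nothing before TIMEOUT(response)
; expires: hand the call to reception instead of leaving it in the menu.
exten => t,1,Goto(ext-local,200,1)

; Ring-group style destination: the number to dial is fixed in the dialplan
; and never derived from caller input. Replace the number with your own.
[ring-emergency]
exten => s,1,Dial(Zap/g0/15555550100,30)  ; placeholder cell number, 30 s ring
exten => s,n,Goto(ext-local,200,1)        ; no answer: fall back to reception
exten => s,n,Hangup()
```

The key defensive property is that `ivr-main` contains no `include =>` of an outbound-capable context and no destination whose dialed digits come from the caller; a menu that only ever jumps to fixed extensions gives silent or scripted callers nothing to route through. The `i` and `t` extensions close the two remaining paths a caller can take out of `WaitExten()` (a bad digit and no digit at all), which is what the consultant's "t" entry and the 0-9 fill are doing in FreePBX terms.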