I'm posting this to the forum both to get a feature request going as well as crowd source some ideas.
We recently had an unknown person join a recurring RingCentral Meeting and use the "invite by phone" feature to make some very expensive international calls. The RingCentrals Fraud department was awesome in catching it, turning off international calling for the meeting organizers account and alerting us via email (Go RC!). But now we're trying to figure out how to prevent this in the future. Our obvious first step was to remove international calling (which we had on by default) to at least stop international charges, but that doesn't stop domestic US calls.
I think this situation revealed a pretty genius way to exploit RC Meetings. The base URL is the same—all you have to do is increment through meeting numbers until you find a valid one and BAM free international or long distance calling all on someone else's dime!
The current meeting features of turning off "join before host" or "add password" would stop this, but also add some complexity that our internal users or external clients may find frustrating. For example we've often had a meeting scheduled a couple weeks out and the meeting organizer get sick or something. A substitute host will try to start the meeting only to be confronted with "waiting for host to start meeting" message and then have to quickly find a way to get a new meeting invite out to the participants list. After this happened with several client facing meetings our IT department recommended ALL meetings have "join before host" enabled. Likewise, I'm nervous that adding a password to all meetings will generate as much confusion and late meeting starts when someone has a meeting link, but not the password. Then there is trying to enforce this across our 800+ user base... Yep.
The best idea we have so far is to request a feature to turn off the "invite" button within the meeting interface for participants and make it only available to hosts as well as the ability to set it globally and make exceptions for some users. This would stop bad actors from racking up international charges on our account and keep joining the meetings simple. Anyone else have a better idea?
-
102 Points
- curious
Posted 8 months ago
-
2,192 Points
Jeff Salisbury, Champion
-
2,002 Points
Chris Verdin, Champion
-
2,904 Points
When you use the password option the link you send out will actually include the password in the link. So they won't get prompted to enter a password. It will get them right in like they usually do. However, if anyone joins manually by just going to https://meetings.ringcentral.com/j/14xxxxxxx it will then prompt them for a password.
-
102 Points
Thank you for this clarification Mr. Verdin. Anyone with the full link
https://meetings.ringcentral.com/j/149#######?pwd=xxxxxxxxx will NOT be prompted for the password, but someone joining by
https://meetings.ringcentral.com/j/149####### WILL be prompted for the password.
Further, I also noticed that once in the meeting if you "copy URL" the passworded URL is copied. Also if anyone clicks the "invite" button the password to the meeting is displayed in the lower right corner of the invite windows that pops up for nice easy access.
Now, how to enforce this across the org...
https://meetings.ringcentral.com/j/149#######?pwd=xxxxxxxxx will NOT be prompted for the password, but someone joining by
https://meetings.ringcentral.com/j/149####### WILL be prompted for the password.
Further, I also noticed that once in the meeting if you "copy URL" the passworded URL is copied. Also if anyone clicks the "invite" button the password to the meeting is displayed in the lower right corner of the invite windows that pops up for nice easy access.
Now, how to enforce this across the org...
How is the "invite by phone" option allowing the person to make outside calls? My understanding was that this feature only allows the person to connect to the conference.
Jeff Salisbury, Champion
-
1,950 Points
There are two options - one is the Call Me feature to have the system call the number you provide to join audio. The second option once you are in a meeting is to Invite by phone where you enter a phone number and the system calls that person so they can join the audio (including international numbers).
Jeff Salisbury, Champion
-
2,002 Points
This happened to one of my users in November - showed up as a spike in long distance charges, and through call logs found where a bunch of call outs were done to (876) phone numbers that correspond to Jamaica. The RC team disabled international LD for that user and are nice enough to generate a credit request. Their Fraud department said that if you are going to use a Personal Meeting ID (most of us do) and you have your default meetings set to allow Join Before Host, you definitely should have a meeting password set to prevent these types of attacks. I asked about potential feature changes to lock things down and they chose to not respond, so likely nothing imminent coming in near term releases.
-
102 Points
Well, maybe this post will help gain traction? The password option is a helpful work around, but I would like to see an enforceable option for admins.
