Thursday, December 11, 2014

Should you be paranoid with voice response systems? ( hell yes! )

From a security standpoint, what you key into the phone when you dial up a bank's customer service center is greatly overlooked.

The common practice of entering digits while dialing into, or accessing your account with, a bank-by-phone system, voicemail, insurance company, etc. should not be taken lightly.

Most of today's modern systems have an IVR ( Interactive Voice Response ) front end that "improves" your access to account information and eliminates human interaction, but puts you at risk. We use these as a matter of routine.

e.g ( a typical IVR menu; the sensitive entries are marked [sensitive] )
  1. dial 1 for English or 2 for Spanish
  2. dial your 4 digit PIN  [sensitive]
  3. dial the last 4 of your SSN  [sensitive]
  4. dial your DoB  [sensitive]
  5. dial 1 to get your balance
  6. dial 2 to speak to a customer service representative
  7. dial 9 or hang up to complete this call
  8. or dial # to return to the start of the menu

This is good for the banks/hospitals/insurance companies/online shopping outlets, but the end-user needs to be aware that this is not secure. Even the bank's reps have you provide more account details by requesting further information about you. This puts more sensitive data out in the air and over the call path.

e.g ( a typical dialog of an unsecured transmission to bank XYZ )

Hello, I'm Jane at Bank Blah Blah, your customer-service representative today.
I need you to tell me your security code or password.
Can you provide your mother's maiden name?
Can you confirm the zip code that's on file?
Can you give me the account digits?
Thank you, now how can I help you?

Yes, we provide all of the above without batting an eye, and never suspect that evil Joe is capturing the call.

My parents, for example, hate using the phone and internet for conducting ANY business, and they have valid reasons. They are also old and afraid of technology, which is another story.

1st, the digits you send to the IVR travel in the media path, either as audible DTMF tones inside the call audio ( in-band ) or as RTP telephone-event packets ( RFC 2833/4733, out-of-band ) in which the digit is a plain byte. Either way they can be captured and decoded with ease by anyone sitting on that path, so a hacker ( unethical ) could gather your information. This means any of the following;
  • SSN
  • DOB
  • ACT#
  • PIN
  • CreditCard #
  • CVV code
  • zipcode 
  • etc.....
Yes, on both analog/TDM trunks and VoIP/SIP trunks the DTMF tones can easily be captured ( on a SIP trunk a packet capture is all it takes ). So think twice when you dial your bank up, and consider the potential harm if a MiTM captures your details.
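To show what "captured and decoded with ease" means in practice, here is an added example (my own code, not from the original post) that pulls digits off a captured RTP stream both ways they travel: out-of-band as RFC 2833/4733 telephone-event packets, and in-band as audio tones recovered with a Goertzel filter. The packets and audio are constructed inside the file (no real capture), and the telephone-event payload type 101 is an assumption; on a real call you read it from the SDP.

```python
"""Added example, not from the original post: pulling DTMF digits off a
captured VoIP media path, the two ways they travel in RTP: out-of-band as
RFC 2833/4733 "telephone-event" payloads (the digit is a byte in the packet),
and in-band as audio tones that a Goertzel filter recovers from the samples.
All packets and audio are constructed here (no real capture). Assumption:
telephone-event uses dynamic PT 101, the usual SDP negotiation
(a=rtpmap:101 telephone-event/8000) but not fixed by the RFC."""
import math
import struct

TELEPHONE_EVENT_PT = 101  # assumed; take it from the SDP of the real call
EVENT_TO_DIGIT = {i: str(i) for i in range(10)}
EVENT_TO_DIGIT.update({10: "*", 11: "#"})
DTMF_LOW = (697, 770, 852, 941)        # keypad rows
DTMF_HIGH = (1209, 1336, 1477, 1633)   # keypad columns
DTMF_KEYPAD = ("123A", "456B", "789C", "*0#D")

def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Minimal RTP v2 packet: no CSRCs, no header extension."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def build_telephone_event(event, end, duration, volume=10):
    """RFC 4733 payload: event | E bit + volume | duration (timestamp units)."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | (volume & 0x3F), duration)

def decode_dtmf_events(packets):
    """Digits carried as RFC 4733 events in a list of raw RTP packets. One
    digit spans several packets sharing one RTP timestamp, and the end packet
    is normally sent three times, so emit once per (ssrc, timestamp)."""
    digits, seen = [], set()
    for pkt in packets:
        if len(pkt) < 12:
            continue
        b0, b1, _seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
        if b0 >> 6 != 2:                    # not RTP version 2
            continue
        hdr_len = 12 + 4 * (b0 & 0x0F)      # skip the CSRC list
        if b0 & 0x10:                        # skip a header extension
            hdr_len += 4 + 4 * struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        if (b1 & 0x7F) != TELEPHONE_EVENT_PT or len(pkt) < hdr_len + 4:
            continue
        event, flags, _dur = struct.unpack("!BBH", pkt[hdr_len:hdr_len + 4])
        if flags & 0x80 and (ssrc, ts) not in seen:   # E bit set: digit finished
            seen.add((ssrc, ts))
            digits.append(EVENT_TO_DIGIT.get(event, "?"))
    return "".join(digits)

def constructed_pin_capture(pin="1234#"):
    """Constructed RTP stream for the IVR 'dial your 4 digit PIN' step:
    G.711 audio (PT 0) interleaved with telephone-events (PT 101)."""
    event_of = {d: e for e, d in EVENT_TO_DIGIT.items()}
    packets, seq, ts, ssrc = [], 1000, 160000, 0x5EC0DE5
    for digit in pin:
        packets.append(build_rtp(0, seq, ts, ssrc, b"\xff" * 160))  # u-law silence
        seq, ts = seq + 1, ts + 160
        for i, dur in enumerate((160, 320, 480)):                   # key still held
            packets.append(build_rtp(TELEPHONE_EVENT_PT, seq, ts, ssrc,
                                     build_telephone_event(event_of[digit], False, dur), i == 0))
            seq += 1
        for _ in range(3):                                          # end packet x3
            packets.append(build_rtp(TELEPHONE_EVENT_PT, seq, ts, ssrc,
                                     build_telephone_event(event_of[digit], True, 640)))
            seq += 1
        ts += 800
    return packets

def make_dtmf_tone(digit, n=205, rate=8000):
    """Constructed in-band DTMF: the row + column tone pair for one key."""
    row = next(r for r, keys in enumerate(DTMF_KEYPAD) if digit in keys)
    low, high = DTMF_LOW[row], DTMF_HIGH[DTMF_KEYPAD[row].index(digit)]
    return [0.5 * math.sin(2 * math.pi * low * i / rate)
            + 0.5 * math.sin(2 * math.pi * high * i / rate) for i in range(n)]

def goertzel_power(samples, freq, rate):
    """Energy of the frame at one frequency (one DFT bin, no FFT needed)."""
    n = len(samples)
    coeff = 2 * math.cos(2 * math.pi * round(n * freq / rate) / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_inband_digit(samples, rate=8000, threshold=0.08):
    """Key whose row and column tones dominate the frame, else None (silence or
    speech). Powers are normalised by frame energy so the level does not matter."""
    n = len(samples)
    total = sum(x * x for x in samples) * n or 1.0
    low = max(DTMF_LOW, key=lambda f: goertzel_power(samples, f, rate))
    high = max(DTMF_HIGH, key=lambda f: goertzel_power(samples, f, rate))
    if min(goertzel_power(samples, low, rate), goertzel_power(samples, high, rate)) / total < threshold:
        return None
    return DTMF_KEYPAD[DTMF_LOW.index(low)][DTMF_HIGH.index(high)]

if __name__ == "__main__":
    print("out-of-band PIN:", decode_dtmf_events(constructed_pin_capture()))
    print("in-band key:", detect_inband_digit(make_dtmf_tone("5")))
```

On a real capture you would feed decode_dtmf_events the UDP payloads of the RTP stream (Wireshark can export them), and run detect_inband_digit over 205-sample frames of the decoded G.711 audio, which is the frame size DTMF detectors normally use at 8 kHz because the Goertzel bins land close to the eight tone frequencies. Note that neither path needs anything fancier than access to the packets.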

The same holds true for a voicemail system. Entering your account details on a call to an IVR is about as secure as saying them out loud, in the open, on a busy NYC street corner in uptown Manhattan ;)


NOTE: When I was younger and dumb, we regularly captured DTMF tones from various voicemail access systems when I was a communications specialist in the military. And then we would hack a person's voicemail or delete messages for fun ;) 

We would also intercept random numbers and calls to ensure COMSEC was being used.






http://en.wikipedia.org/wiki/Communications_security 
"Loose lips sink ships!"

Nobody in a military outfit would discuss a pending classified operation over an unsecured phone or radio, but we hand out our personal details over a phone without thinking twice.

NOTE: Most banks do a calling-party number ( caller ID ) lookup to see if the number is on file for the account, but that number is easy to spoof, and paired with the last 4 of the SSN, DOB, ACT#, etc. that someone has already captured, it buys you little; you are still exposing critical information.

The best system would be fully enclosed and secured end-to-end, but the TDM and SIP trunks, and the gateways between them, are unsecured unless encryption is provided end-to-end. Also, as the caller you have NO IDEA whether encryption is/was used on any path or leg of that call.

A typical multi-leg call path looks like the one below, and the risk at each leg is high. Your call might terminate through 3 or more carriers or nodes.

e.g

  you -> local carrier -> transit carrier(s) -> bank's SIP/TDM trunk -> voice gateway -> IVR

So any leg between you and the IVR is at risk of tapping. The old Hollywood movie scene with the guy up the telephone pole wiretapping a call is now even simpler with VoIP: a packet capture on any router or switch in the path does the same job.

Now for the bad news: you have no way to know what security is used on a call unless you had your own STU or similar device on the call, at both ends ( caller and called parties ).

Note: read about the STU here: http://en.wikipedia.org/wiki/STU-III

We know that's not going to happen, so you are S%#$T out of luck.

Even a facsimile transmission can be captured and decoded to reveal the document's contents. So that application form you filled out and faxed in with your details can be decoded with ease. This means any of the following;

 DOB
 SSN
 address
 place of employment
 etc......

You're at risk, and the sad thing is that the public telephone network is probably bigger than the Internet.



A few common VoIP security tools/methods

to capture dialed numbers sent as RTP telephone-events ( RFC 2833/4733 ):  tshark -r call.pcap -Y 'rtpevent' -T fields -e rtpevent.event_id
( https://www.wireshark.org/ ) ( older tshark releases took the display filter with -R instead of -Y; event IDs 0-9 are the digits, 10 is * and 11 is # )

faxscan or fax decoder for capturing T.38 fax transmissions ( http://www.vocal.com/specialties/t-38-image-extraction-library/ )

faxTap ( http://www.netgencommunications.com/ )

wireshark/tshark for RTP stream analysis, including saving the call audio, which is where in-band DTMF tones live
( https://www.wireshark.org/ )
 
poing media grabber


In conclusion, most enterprise site-to-site VoIP systems have a much easier time securing calls end-to-end, because fewer devices sit outside the operator's control. With fewer devices you can actually encrypt the path end-to-end ( phone-to-phone, or between voice gateways ), e.g. SIP over TLS for the signaling and SRTP for the media.



Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( &  ! )=
      @
      /   \


