The common practice of entering digits while dialing, or to access your account with a bank's phone system, a voicemail box, an insurance company, etc., should not be taken lightly.
Most of today's systems have an IVR/IVRS (Interactive Voice Response System) front end that "improves" your access to account information and eliminates human interaction, but it puts you at risk. We use these in our regular duties/roles/functions.
e.g. (a typical IVR menu; the sensitive prompts are the PIN, SSN and date-of-birth entries)
- dial #1 for English or #2 for Spanish
- dial your 4 digit pin
- dial the last 4 of your SSN
- dial your DoB
- dial 1 to get your balance
- dial 2 to speak to a customer service representative
- dial 9 or hangup to complete this call
- or dial # to return to the start of the menu
This is good for the banks/hospitals/insurance companies/online shopping outlets, but the end user needs to be aware that this is not secure. Even the bank's reps have you provide even more account details by requesting more information about you. This puts more sensitive data out in the air and over the call paths.
e.g. (a typical dialog of an unsecured transmission to bank XYZ)
Hello, I'm Jane at Bank Blah Blah, your customer-service representative today.
I need you to tell me your security code or password.
Can you provide your mother's maiden name?
Can you confirm the zip code that's on file?
Can you give me the account digits?
Thank you, now how can I help you?
Yes, we provide all of the above and don't bat an eye, and never suspect that evil Joe is capturing the transmission.
My parents, for example, hate using the phone and the internet for conducting ANY business, and they have valid reasons. They are also old and afraid of technology, which is another story.
1st, the digits you send to the IVR are typically carried in the media path and can be captured and decoded with ease. So a hacker (unethical) could gather your information. This means any of the following:
- SSN
- DOB
- ACT#
- PIN
- CreditCard #
- CVV code
- zipcode
- etc.
The same holds true for a voicemail system. Entering your account details on a call to an IVR is about as secure as "saying it out loud and in the open on a busy NYC street corner in uptown Manhattan" ;)
NOTE: When I was younger and dumb, we regularly captured DTMF tones from various voicemail access systems when I was a communications specialist in the military. And then we would hack a person's voicemail or delete messages for fun ;)
We would also intercept random numbers and calls to ensure COMSEC was being used.
http://en.wikipedia.org/wiki/Communications_security
"Loose lips sink ships!"
Nobody in a military outfit would discuss a classified pending military operation over an unsecured phone or radio, but, to a lesser degree, we pass out our personal details over a phone without thinking twice.
NOTE: Most banks do a calling-party number lookup to see whether the number is on file for the account, but that does not stop someone who has gathered the last 4 of the SSN, DOB, ACT#, etc. from the call; you are still exposing critical information.
The best system would be fully enclosed and 100% secured end-to-end, but the TDM and SIP trunks, including the gateways, are unsecured if no encryption is provided end-to-end. Also, you have NO IDEA whether encryption is or was used on any path or leg of that call.
The diagram below shows a typical multi-carrier call path; the risk at each leg is very high. Your call might terminate through 3 or more carriers or nodes.
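What you can verify is your own leg of the call: the SDP your phone or PBX exchanges with the next hop says whether the audio (and the DTMF events inside it) is negotiated as plain RTP/AVP or as SRTP. The following is an added example, not code from the original post: a small SDP audit that flags a media section as exposed when telephone-event is offered over an unencrypted profile. The two SDP bodies are constructed samples (RFC 5737 documentation addresses, a placeholder instead of a real SDES key), and the payload type 101 is the usual dynamic assignment, not a fixed value.

```python
import re

# Transport profiles that imply SRTP (RFC 3711); "RTP/AVP" is plain, unencrypted RTP
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def parse_sdp(sdp_text):
    """Minimal SDP (RFC 4566) reader: one dict per m= section with the
    transport profile, payload formats and the a= attributes that follow it."""
    sections, current = [], None
    for raw in sdp_text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "m":
            media, port, proto, *fmts = value.split()
            current = {"media": media, "port": int(port), "proto": proto,
                       "fmts": fmts, "attrs": []}
            sections.append(current)
        elif key == "a" and current is not None:
            current["attrs"].append(value)
    return sections


def audit_media(section):
    """Decide whether a media section negotiates SRTP and whether DTMF would
    travel as RFC 4733 telephone-event packets inside that (possibly clear) stream."""
    attrs = section["attrs"]
    keyed_by_sdes = any(a.startswith("crypto:") for a in attrs)        # RFC 4568 SDES
    keyed_by_dtls = any(a.startswith("fingerprint:") for a in attrs)   # RFC 5763 DTLS-SRTP
    encrypted = section["proto"] in SRTP_PROFILES and (keyed_by_sdes or keyed_by_dtls)
    event_pts = []
    for a in attrs:
        m = re.match(r"rtpmap:(\d+)\s+telephone-event/", a)
        if m:
            event_pts.append(int(m.group(1)))
    return {"media": section["media"], "proto": section["proto"],
            "media_encrypted": encrypted,
            "keying": "sdes" if keyed_by_sdes else "dtls" if keyed_by_dtls else None,
            "dtmf_event_pts": event_pts,
            "dtmf_exposed": bool(event_pts) and not encrypted}


def audit_sdp(sdp_text):
    return [audit_media(s) for s in parse_sdp(sdp_text)]


# Constructed sample offers: the weak one carries DTMF events in cleartext RTP,
# the hardened one negotiates SRTP with an SDES key (placeholder, not a real key).
WEAK_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
"""

HARDENED_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY_0000000000000000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
"""

if __name__ == "__main__":
    for name, sdp in (("weak", WEAK_SDP), ("hardened", HARDENED_SDP)):
        print(name, audit_sdp(sdp))
```

The check only covers the hop whose SDP you can read. A gateway or session border controller that terminates SRTP and re-originates the call on a TDM circuit or a cleartext SIP trunk leaves the later legs exactly as unverifiable as the post describes.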
e.g
So any path between you and the IVR is at risk of tapping. The old Hollywood movie scene with the guy on the telephone pole wiretapping a call is now made even simpler with VoIP.
Now for the bad news: we have no way to know what security was used on a call unless you had your own STU or similar device on the call, at both ends (caller and called parties).
note: read about the STU here: http://en.wikipedia.org/wiki/STU-III
So we know that's not going to happen, so you are S%#$T out of luck.
Even a facsimile transmission can be captured and decoded to reveal the document details. So that application form you fill out and fax in with your details can be decoded with ease. This means any of the following:
- DOB
- SSN
- address
- place of employment
- etc.
You're at risk, and the sad thing is, the Public Telephone Network is probably bigger than the Internet.
A few common VoIP security tools/methods:
for capturing dialed numbers sent as DTMF events: tshark -R 'rtpevent'
( https://www.wireshark.org/ )
faxscan or a fax decoder for capturing T.38 fax transmissions ( http://www.vocal.com/specialties/t-38-image-extraction-library/ )
faxTap ( http://www.netgencommunications.com/ )
wireshark/tshark for RTP streams analysis
( https://www.wireshark.org/ )
poing media grabber
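To make the "digits are in the media path" point concrete, here is an added example (not the author's code or any of the tools above) of what the rtpevent filter is matching on: RFC 4733 telephone-event packets, where the dialed digit is a single plain byte in the RTP payload. The packets are constructed inline; payload type 101 is assumed as the negotiated telephone-event type, as it commonly is. Run against a capture of your own trunk, a decoder like this either reproduces the caller's PIN (cleartext RTP/AVP) or yields nothing usable (SRTP, where the header stays readable but the payload is encrypted), which is the simplest check that the hop is actually protected. Note that newer tshark releases use -Y for this display filter rather than -R.

```python
import struct

# RFC 4733 event codes: 0-9 are the digits, 10 = '*', 11 = '#', 12-15 = A-D
EVENT_TO_CHAR = {i: str(i) for i in range(10)}
EVENT_TO_CHAR.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})


def build_rtp_event(seq, timestamp, ssrc, event, end, duration, pt=101, marker=False):
    """Build one RTP packet carrying an RFC 4733 telephone-event payload.
    Used only to construct sample traffic; pt=101 is an assumed dynamic type."""
    b0 = 0x80                                    # V=2, no padding, no extension, CC=0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)   # marker bit + payload type
    header = struct.pack("!BBHII", b0, b1, seq, timestamp, ssrc)
    erv = (0x80 if end else 0) | (10 & 0x3F)     # E bit, R=0, volume = -10 dBm0
    payload = struct.pack("!BBH", event, erv, duration)
    return header + payload


def parse_rtp(packet):
    """Split an RTP packet (RFC 3550) into header fields and payload,
    skipping CSRC identifiers, a header extension and padding if present."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)                # CSRC list
    if b0 & 0x10:                                # header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(packet)
    if b0 & 0x20:                                # padding: last byte = pad length
        end -= packet[-1]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[offset:end]}


def decode_dtmf_events(packets, event_pt=101):
    """Return the digits carried as RFC 4733 events in a list of RTP packets.
    Only packets with the E (end) bit count; the end packet is normally sent
    three times, so (SSRC, event timestamp) de-duplicates the retransmits."""
    digits, seen = [], set()
    for pkt in packets:
        r = parse_rtp(pkt)
        if r["pt"] != event_pt or len(r["payload"]) < 4:
            continue                             # voice frames or other payloads
        event, erv, _duration = struct.unpack("!BBH", r["payload"][:4])
        if not erv & 0x80:
            continue                             # interim update, key still held
        key = (r["ssrc"], r["ts"])
        if key in seen:
            continue
        seen.add(key)
        digits.append(EVENT_TO_CHAR.get(event, "?"))
    return "".join(digits)


def sample_stream(digits="1234#", ssrc=0xDEADBEEF):
    """Constructed sample: per digit, two interim packets, three retransmitted
    end packets, then one G.711 (PT 0) voice frame of constructed silence."""
    packets, seq, ts = [], 100, 8000
    for ch in digits:
        event = {"*": 10, "#": 11}.get(ch, int(ch) if ch.isdigit() else 0)
        packets.append(build_rtp_event(seq, ts, ssrc, event, False, 160, marker=True)); seq += 1
        packets.append(build_rtp_event(seq, ts, ssrc, event, False, 320)); seq += 1
        for _ in range(3):                       # RFC 4733 end-of-event retransmits
            packets.append(build_rtp_event(seq, ts, ssrc, event, True, 480)); seq += 1
        packets.append(struct.pack("!BBHII", 0x80, 0, seq, ts + 480, ssrc) + b"\xff" * 160); seq += 1
        ts += 800
    return packets


if __name__ == "__main__":
    print(decode_dtmf_events(sample_stream()))   # 1234#
```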
In conclusion, most enterprise site-to-site VoIP systems have a much easier time securing calls end-to-end, since fewer devices sit outside the operator's control. You have fewer devices and can actually encrypt the path end-to-end (phone-to-phone or between voice gateways).
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( & ! )=
@
/ \