RE: Phone Switches + telephone banking etc

From: Kayne Ian (Softlab) (Ian.Kayne@softlab.co.uk)
Date: 06/07/02


From: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>
To: Vuln-Dev <VULN-DEV@SECURITYFOCUS.COM>
Date: Fri, 7 Jun 2002 09:03:45 +0100 



> I know many banks (at least in the UK) will say not to use their
> service through cordless phones, maybe they should increase to include

Why's that? I've never heard of a bank making that statement. A cordless
phone is pretty much a minor risk anyway, if someone wanted to go to the
trouble of listening in to your call to the bank, they'd be better off
splicing the phone line outside your house. IIRC DECT fones are scrambled in
some way, so you can't just tune in with a receiver. Non-DECT fones have
enough trouble finding the base station and making a clear call through even
paper thin walls, so someone sitting outside your house is unlikely to get
anything through a few layers of concrete...

0.02

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

> -----Original Message-----
> From: quentyn@fotango.com [mailto:quentyn@fotango.com]
> Sent: 06 June 2002 16:54
> To: vuln
> Subject: Phone Switches + telephone banking etc
>
>
> I was thinking today about phone switches, many of them are connected to
> the internal LAN. Many of them record all the keystrokes made by the
> individual phones (this is the important bit). If one could compromise a
> phone switch (or wherever it stores its logs) then making free calls
> would be a minor issue. The prize in this situation could be who phoned
> what bank and if you can get the key presses then if that person has
> used the automated telephone banking service, you will have (at a
> minimum):
>
> the account number
> sort code
> any verification number
>
>
> Has anyone done any work in this area?
>
> I know many banks (at least in the UK) will say not to use their
> service through cordless phones, maybe they should increase to include
> corporate phone switches.
>
>
>
> Q
>
> --
> #####################
> Quentyn Taylor
> Sysadmin - Fotango
> #####################
> RFC 882 put the dot in .com.
>



