[VOIPSEC] Phishers Snare Victims With VoIP

[Rodolfo G. Rosini]

Hi Mark,

I'm currently working on this issue. The problem at the bottom is that
you have to provide media security and caller authentication. You have
solutions that provide the first part and fewer that provide the second.
If then you look at cross domain solutions there is nothing on the market.

Consider this scenario, you're a bank and want to be able to speak with
your customers securely. The normal VPN-like approach fails, because the
people calling you are not your employees, but a larger group. some of
them might not even be customers yet. Offering voice encryption does not
help much, because an attacker could impersonate you if the caller does
not have a way to authenticate the other party.

Right now I have a first beta that runs on mobile smartphones and looking
for customers to test it, does not have all functionalities but it works.

PS. we're hiring! www.cellfiresecurity.com

Best regards,

-Rodolfo Rosini,
CEO, Cellfire Security


>You may have seen this article on how phishers directed users to call a
>fake bank automated voice response system to steal account numbers and
>PINs.

>Because they used a VOIP service provider to set up their 800 number and
>Asterix to set up the voice response system this is a VOIP enabled
>security problem more than a security problem with VOIP.

>Still, I'm curious how this could be prevented. Is any of the VOIP
>Security work being discussed here relevant to this problem?