[VOIPSEC] Phishers Snare Victims With VoIP

Geir Hedemark geir at dod.no
Thu Apr 27 09:00:16 PDT 2006

On Thu, 2006-04-27 at 07:46 -0700, Rodolfo G. Rosini wrote:
> >You may have seen this article on how phishers directed users to call a
> >fake bank automated voice response system to steal account numbers and
> >PINs.
> I'm currently working on this issue. The problem at the bottom is that
> you have to provide media security and caller authentication. You have
> solutions that provide the first part and fewer that provide the second.
> If then you look at cross domain solutions there is nothing on the market.

Ok, I'll bite.

All of the big vendors that are subjected to phishing attacks already
have media security and caller authentication in place. They are running
big https sites with very expensive certificates.

What makes phishing efficient is that some users will provide their own
authentication based on look and feel. 

If they get a letter with stationery that looks legit they will
implicitly trust the phone numbers, web addresses and whatever
information is in there. The phisher makes something click inside the
head of the user, making him in turn go "that's my bank!".

The same thing applies when they see a copy of a website - which is
still authenticated by a certificate, mind you. It authenticates in such
a way that the user _thinks_ it is his bank asking him to log in. The
problem is still in the head of the user.

I have a somewhat vague theory that you can't stop the stuff that makes
the user go "click" because your in-house designer will have four kinds
of fits. The mechanisms the phisher abuses are the same mechanisms any
design department uses to build a brand, and the user also uses the same
information to approve of the non-scam bank website.

I can't really see this changing when you move from an alphanumeric
display and keyboard to a numeric telephone-style interface.

To turn this back into a voip discussion:

I think this may become an issue in the not-so-near future, if the
question we just had wasn't a sign that it is already here.

A lot of voip startups are accepting more or less any customers they can
get their hands on. They don't have access to any sales offices, so
orders are collected off the net - and on the net, you don't have a clue
who is really ordering. A lot of them have unmanaged services where
anyone can put up an asterisk service. When the first complaints come
in, a new account has been opened - these numbers don't need to be
operative for long.

Geir Hedemark

More information about the Voipsec mailing list