[VOIPSEC] On the topic of Vishing
Hallam-Baker, Phillip
pbaker at verisign.com
Fri Jul 14 08:32:08 CDT 2006
The invention of clueless neologisms is a bigger concern for me.
Under Article 4.3(b) of the San Diego accord the technical community agreed to only introduce one neologism per field to the public every 2 years. Allocations in the Internet area are particularly oversubscribed, the next available introduction date is sometime after 2025.
Seriously, we have a security vocabulary; we should use it. Phishing was a term invented by the perps. The base assumption here is that the perps are the people who do the evil stuff and we are the ones to fix it.
Go to, let us go down, and there confound their language,
that they may not understand one another's speech.
So the LORD scattered them abroad from thence upon the
face of all the earth: and they left off to build the city.
Therefore is the name of it called Babel; because the LORD
did there confound the language of all the earth: and from
thence did the LORD scatter them abroad upon the face of all
the earth.
(Gen 11:7-9)
If we use the term VOIP phishing people will understand what we mean without explanation.
It is OK to think like the opposition. It is a very bad idea to act like them.
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Simon Horne
> Sent: Friday, July 14, 2006 2:28 AM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] On the topic of Vishing
>
>
> Recently I read this article
> http://news.com.com/Phishers+come+calling+on+VoIP/2100-7349_3-6092366.html?tag=fd_nbs_ent&tag=nl.e433
>
> Vishing is a major concern for SIP. Without any form of
> peer-entity (end-to-end caller) authentication and secure
> call admission mechanism (or the capability to support it)
> then there appears to be no real method for addressing this
> incredibly major problem.
>
> Let me explain using the example from the article and how
> Vishing can be prevented in standards-based VoIP.
>
> As I have mentioned in previous emails, one possible
> solution is the use of 2-factor authentication: something I
> have (a PKI cert etc.) and something I know (username/password).
>
> Certainly using end-to-end authentication will definitely
> help reduce the risk, as the caller will have some certainty
> about whom they are calling, but it is not a complete answer, as
> the Vishers may acquire a valid digital certificate which
> makes them appear to be someone they are not.
> This is where the importance of the second factor comes in.
> The Bank issues the user with a username and password, and this is
> used to verify the client at the bank, so there is no need to
> enter user/pass or credit card information (or in fact,
> depending on the application, there is no need for an IVR
> system at all). Human conditioning may still be an
> issue, but proper education will go a long way toward resolving a
> lot of the vishing problems in VoIP.
>
> All this is possible to do today using the H.235 framework of H.323.
>
>
> Simon
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
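The second factor Simon describes above (bank-issued username/password used to verify the client, so the customer never keys or speaks credentials into an IVR) can be shown concretely as a mutual challenge-response over a derived key. The following is an added example written for this archive page; it is not code from the thread, from H.323/H.235, or from any vendor. The identities (BANK_ID, "alice"), the PBKDF2 parameters and the credentials are constructed for the example, and the certificate-based "something I have" factor is assumed to have been checked by the transport before this exchange runs; only the "something I know" factor is modelled.

```python
"""Added example (not from the thread, not H.235): a mutual challenge-response
over a shared secret, used as the "something I know" factor of a VoIP call so
that the customer never has to speak or key a password into an IVR.

Assumptions (all hypothetical): the identities BANK_ID / username, the PBKDF2
parameters, and that the transport has already given the phone the callee's
certified identity (the "something I have" factor), which this code does not model.
"""
import hashlib
import hmac
import secrets

BANK_ID = "sip:bank.example"      # hypothetical callee identity
PBKDF2_ITERATIONS = 100_000       # assumed parameter


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides work from a derived key; the bank stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def transcript(role: str, user: str, nc: bytes, ns: bytes) -> bytes:
    """Length-prefixed encoding of everything a proof must commit to.

    Binding both identities and both nonces means a proof captured from one
    call cannot be replayed into another or reflected back at its sender.
    """
    parts = [role.encode(), BANK_ID.encode(), user.encode(), nc, ns]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def make_proof(key: bytes, role: str, user: str, nc: bytes, ns: bytes) -> bytes:
    return hmac.new(key, transcript(role, user, nc, ns), "sha256").digest()


class Bank:
    """Callee side: proves it holds the customer's verifier, then checks the customer."""

    def __init__(self):
        self.users = {}       # username -> (salt, derived key)
        self.sessions = {}    # username -> (client nonce, server nonce), single use

    def enrol(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str, nc: bytes):
        salt, key = self.users[user]
        ns = secrets.token_bytes(16)
        self.sessions[user] = (nc, ns)
        return salt, ns, make_proof(key, "server", user, nc, ns)

    def verify_client(self, user: str, client_proof: bytes) -> bool:
        session = self.sessions.pop(user, None)   # a replayed proof finds no session
        if session is None:
            return False
        nc, ns = session
        _, key = self.users[user]
        return hmac.compare_digest(client_proof, make_proof(key, "client", user, nc, ns))


class Phone:
    """Caller side: refuses to continue unless the callee first proves knowledge of the secret."""

    def __init__(self, user: str, password: str):
        self.user, self.password, self.nc = user, password, b""

    def start(self):
        self.nc = secrets.token_bytes(16)
        return self.user, self.nc

    def respond(self, salt: bytes, ns: bytes, server_proof: bytes):
        key = derive_key(self.password, salt)
        expected = make_proof(key, "server", self.user, self.nc, ns)
        if not hmac.compare_digest(server_proof, expected):
            return None       # callee cannot be the bank: abort, nothing secret was sent
        return make_proof(key, "client", self.user, self.nc, ns)


class Visher:
    """Impersonator who reaches the customer but does not hold the customer's verifier."""

    def challenge(self, user: str, nc: bytes):
        salt, ns = secrets.token_bytes(16), secrets.token_bytes(16)
        return salt, ns, make_proof(derive_key("guess", salt), "server", user, nc, ns)

    def verify_client(self, user, client_proof):
        return True           # an impersonator would accept anything; the phone never gets here


def run_call(phone: Phone, callee) -> bool:
    """Drive one call setup; True only if both directions of the exchange verify."""
    user, nc = phone.start()
    salt, ns, server_proof = callee.challenge(user, nc)
    client_proof = phone.respond(salt, ns, server_proof)
    if client_proof is None:
        return False
    return callee.verify_client(user, client_proof)


if __name__ == "__main__":
    bank = Bank()
    bank.enrol("alice", "correct horse battery staple")   # constructed credentials
    print("genuine bank:", run_call(Phone("alice", "correct horse battery staple"), bank))
    print("visher:", run_call(Phone("alice", "correct horse battery staple"), Visher()))
```

The point of the ordering is that the callee proves itself first: a visher who has obtained a perfectly valid certificate for some other name still cannot produce the server proof, so the phone hangs up before the customer is asked for anything. Each proof commits to both nonces and both identities, and the bank consumes the session on first use, so a proof captured from one call is useless in another.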