15

Sometimes when you call an administrative service it tells you "Dial 1 to access such service. Dial 2 to access some other service. Otherwise, dial 3."

No harm if somebody comes to learn I chose "2".

However I recently switched to a new bank. When I call this bank, it asks me to dial my customer reference and my passcode.

Here are the things that come to my mind :

  1. Is such data cyphered? I don't know much about phone communications but I guess there are nodes between me and my interlocutor. May I trust these nodes?
  2. May somebody listen to the conversation and catch my credentials?
  3. May somebody spoof the phone number of my bank to catch my credentials?
  4. Shouldn't my passcode be hashed? Is it stored as plain? I think even my bank should not know my passcode. (this question was obviously wrongful)
Antoine Pinsard
  • I am not that knowledgeable in this regard, but I think it might be relevant if you are using a cellphone, an IP phone or a POTS (plain old telephone service) phone. When you are using a hand-held DECT telephone, the wireless link between handset and base station might be another attack vector. – Philipp Aug 01 '15 at 09:48
  • Right, in my case I am using a cellphone (which adds the weakness of having to trust the app, but it is not the question). However I am also interested in other phone types. – Antoine Pinsard Aug 01 '15 at 09:53
  • Also, I *think* that after the call was established, pressing a number key does nothing but send a tone with a specific frequency over the normal audio channel. In that case it would be no more or less interceptable than speech, but easier to interpret automatically. But again, not my area of expertise. – Philipp Aug 01 '15 at 09:54
  • Yes you are right, I forgot this. This means I could save my credentials on a recorder to authenticate faster. :D – Antoine Pinsard Aug 01 '15 at 10:03
  • Not safe at all. DTMF codes can be decoded by ear with little difficulty. Musicians often set their voicemail passwords to sound like a melody. If someone is recording your call DTMF can be decoded with something as simple as a sound editing program. – Oleg Mazurov Aug 14 '15 at 21:10
  • @OlegMazurov - old office trick, if the DTMF can be heard during dialing, the phone number is not a secret. Same goes for any PinPad you come across that has DTMF feedback. If it's not a simple beep to tell you the key has been pressed, it's data exfiltration. – Fiasco Labs Aug 15 '15 at 16:19
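The comments above make the point that keypad digits travel as in-band DTMF tones, so anyone holding a recording of the call can read the passcode out of the audio. The following Python is an added example, not code from the question or any answer: it synthesises a dial string as DTMF audio, adds a little seeded line noise, and recovers the digits with a Goertzel filter bank, which is all the tooling an eavesdropper needs. The sample rate, tone and gap durations, frame size and energy threshold are this example's own choices.

```python
"""Decode in-band DTMF digits from raw audio with a Goertzel filter bank.

Added example: synthesise a dial string as DTMF audio, add seeded line noise,
then recover the digits the way an eavesdropper with a recording would.
Sample rate, durations and thresholds are the example's own assumptions.
"""
import math
import random

SAMPLE_RATE = 8000          # Hz; toll-quality telephony
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
FRAME = 205                 # samples per analysis frame (~25.6 ms)


def synthesize(digits, tone_ms=100, gap_ms=60, noise=0.05, seed=1):
    """Return float samples: each key is two summed sine waves followed by
    silence, plus seeded Gaussian noise standing in for a noisy line."""
    rng = random.Random(seed)
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    samples = []
    for d in digits:
        row = next(i for i, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        for n in range(tone_n):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * ROW_FREQS[row] * t)
                           + 0.5 * math.sin(2 * math.pi * COL_FREQS[col] * t))
        samples.extend([0.0] * gap_n)
    return [s + rng.gauss(0, noise) for s in samples]


def goertzel_power(frame, freq):
    """Power of one target frequency in a frame (no FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame, min_energy=0.05):
    """Map a frame to a key, or None for silence (mean energy below threshold)."""
    if sum(x * x for x in frame) / len(frame) < min_energy:
        return None
    row = max(range(4), key=lambda i: goertzel_power(frame, ROW_FREQS[i]))
    col = max(range(4), key=lambda i: goertzel_power(frame, COL_FREQS[i]))
    return KEYPAD[row][col]


def decode(samples, min_frames=2):
    """Frame the audio, classify each frame, and emit a key for every run of
    at least min_frames identical frames; silence gaps separate repeated keys."""
    digits = []
    current, run = None, 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        sym = classify_frame(samples[start:start + FRAME])
        if sym == current:
            run += 1
            continue
        if current is not None and run >= min_frames:
            digits.append(current)
        current, run = sym, 1
    if current is not None and run >= min_frames:
        digits.append(current)
    return "".join(digits)


if __name__ == "__main__":
    dialed = "4711#2"
    recording = synthesize(dialed)
    print(dialed, "->", decode(recording))
```

The decoder does not need to know where the digits start: it only needs the audio, which is the point the comments make. Any recording made anywhere along the path (handset malware, a tapped line, a compromised VoIP gateway) yields the passcode with the same few dozen lines.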

3 Answers

18

Your sensitive information travels through different mediums and systems to get to the bank, and yes, there are vulnerabilities along this path.

  • First, it is transmitted from your finger tips to your dialler application. It can be intercepted by malware running on your phone. There is a new vulnerability in Android called Stagefright that can get full access to an Android phone.

  • Before exiting the phone, the data is sent to a different part of the phone which does the actual communication called the baseband processor that runs a realtime OS. There were some vulnerabilities in this OS, some of the most interesting were presented here.

  • Then the audio tones (DTMF) are encrypted and sent over the air to a GSM base station. In almost all of the world, GSM is encrypted and almost any phone will notify you if there is no encryption. The problem here is that 2G communication is using the A5/1 encryption scheme that was purposely weakened for governmental access and it's easy and cheap to intercept and break it. 3G and 4G have better encryption but an attacker can jam the safer frequencies around the target and force the target phone to use the vulnerable 2G. A bigger issue here is that some banks use SMS to authenticate banking operations, and SMS is always over the 2G network.

  • There was also the allegation that the NSA hacked the database of most of the world's SIM encryption keys, but Gemalto swears NSA didn't get to the keys.

  • But the phone can be talking to a fake base station. This kind of fake GSM tower is often called an IMSI-catcher and is available to law enforcement and also attackers. There is open source software and hardware to build a fake base station and it was demoed in 2010.

  • Then the information travels inside the telecom network where it might be intercepted by a well placed attacker or governments that obtain a legal wiretap. In 2014 the SS7 attack was made public. It allows tracking and intercepting 3G communication anywhere in the world, not just locally.

  • The last step is in the bank's systems. That looks like a safer place because banks take security more seriously than common businesses, but you can't really know for sure until an assessment can validate that.

Going back to your questions:

  1. Is such data cyphered? I don't know much about phone communications but I guess there are nodes between me and my interlocutor. May I trust these nodes?

As I said, voice communication is encrypted but there are vulnerabilities in different parts of the network.

  2. May somebody listen to the conversation and catch my credentials?

It is possible. It depends on your phone, the capabilities of the attacker and the vulnerabilities of your mobile-phone operator.

  3. May somebody spoof the phone number of my bank to catch my credentials?

There is no GSM vulnerability I know of that works like that but there has been malware that will block access to your online banking then will make you call a phone number pretending to be from the bank. This way a user is less suspicious when giving sensitive information away.

  4. Shouldn't my passcode be hashed? Is it stored as plain? I think even my bank should not know my passcode.

I don't know what the actual process is when you access your bank via a phone call, but your bank doesn't have to store your passcode in plaintext. When you transmit it, it could then be hashed and compared to a hashed version stored in the bank's computers. This is no different from web authentication where passwords are transmitted in plaintext.

But don't panic, the overall risk of you specifically being targeted this way is rather low because the bad guys have other easier ways of stealing from large numbers of users. The risk is also lowered because many attacks on GSM require physical proximity and increased sophistication. Banks can quickly close such vulnerabilities because they notice if some cards or accounts are being compromised and they will track down the source of the compromise.

Cristian Dobre
5

Is such data cyphered?

Yes, there is encryption in 3G and 4G. However, this encryption isn't end to end encryption, it's only from the mobile device to the base station. It's fairly easy for your mobile operator or government intelligence agencies to intercept the communication.

With wired telephone, I believe there's no encryption happening between your handset and the base station. However, an attacker would have to physically hook into the wire to intercept, and this can be a sufficient deterrent for most attackers.

I don't know much about phone communications but I guess there are nodes between me and my interlocutor. May I trust these nodes?

That depends on your mobile operator. Do you trust your operator and government? Do you trust the competence of your mobile operator in securing their network?

May somebody listen to the conversation and catch my credentials?

Could be.

May somebody spoof the phone number of my bank to catch my credentials?

The mobile operator can do this fairly easily and they can give government agencies the capability to do this. Someone who hacked into the mobile operator's network and gained control of their central control would also be able to do this. In practice, doing this kind of attack would probably require a very large organised criminal group and conspiracies from a number of the operator's employees.

Shouldn't my passcode be hashed? Is it stored as plain? I think even my bank should not know my passcode.

When you dial in numbers on the phone, it's simply sent to the other side as DTMF tones. In other words, they're sent in plain text. Note that this isn't any different than common password authentication over HTTP(S). The bank may not necessarily store your code in plain text though, they would most likely store it in their database with hashing and salting. One of the advantages of dialing in the numbers though (as opposed to speaking the number over the phone), is that your code would never pass through a human operator who can make copies of your code. With appropriate security controls in place (and most banks do care a lot about security), generally corrupting a computer system is harder than corrupting call center workers.

Lie Ryan
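Cristian Dobre's and Lie Ryan's answers above both say the bank can keep a salted hash of the passcode instead of the passcode itself. The Python below is an added example, not code from either answer: it shows what that buys and what it does not, with enrolment and verification using salted PBKDF2, an offline search of the whole 4-digit space against a copied record, and the per-account attempt limit a phone-banking front end has to enforce because the passcode space is so small. The record layout, the iteration count, the salt length and the PhoneVerifier class are this example's own assumptions.

```python
"""Salted, stretched storage of a numeric phone-banking passcode, and why
that alone is not enough for a short PIN.

Added example, not code from the answers above. Record layout, iteration
count and the lockout policy are this example's own assumptions.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor assumed for stored records


def enroll(pin: str, iterations: int = ITERATIONS) -> dict:
    """Create a stored record: random salt + PBKDF2-HMAC-SHA256 of the PIN.
    The bank keeps this record, never the PIN itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, pin: str) -> bool:
    """Recompute the hash for the submitted PIN and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"],
                                    record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, length: int = 4):
    """What an attacker holding a copy of the record can do: the numeric
    space is tiny, so salt and stretching only add a constant factor.
    Returns (recovered_pin, hashes_computed), or (None, hashes_computed)."""
    tries = 0
    for n in range(10 ** length):
        tries += 1
        guess = f"{n:0{length}d}"
        if verify(record, guess):
            return guess, tries
    return None, tries


class PhoneVerifier:
    """Server-side check behind the IVR. Because the PIN space is small, the
    control that actually matters online is a per-account attempt limit."""

    def __init__(self, record: dict, max_attempts: int = 3):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, pin: str) -> bool:
        if self.locked:
            return False            # even the right PIN is refused once locked
        if verify(self.record, pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    rec = enroll("0213", iterations=1000)   # low work factor to keep the demo quick
    print("verify correct PIN:", verify(rec, "0213"))
    print("offline search of a copied record:", offline_guess(rec))
    v = PhoneVerifier(rec)
    for attempt in ("1111", "2222", "3333", "0213"):
        print(attempt, v.check(attempt), "(locked)" if v.locked else "")
```

With 4 or 6 digits, salting and stretching raise the cost of attacking a copied record by a constant factor only (10,000 or 1,000,000 stretched hashes is minutes of work), so hashing mainly stops someone reading codes straight off the table; the controls that carry the weight are the online attempt limit and keeping the records themselves out of reach.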
4

The other answers are great but focus on mobile phones, so I'd like to talk about landlines.

Before even talking about phone lines or networks, let's talk about the phone itself. Most landline phones today are cordless phones you can get pretty much everywhere. They use DECT, a protocol with proprietary crypto that's broken and only requires a DECT NIC plus some CUDA GPU time to crack the crypto (if it's even enabled). No physical access is required. An attacker can eavesdrop on your calls, spoof your bank's number and do all sorts of other evil without even touching the phone network. This is as easy as cracking a WEP key, and the fact that these phones are so widespread doesn't make it any better.

Now let's talk about POTS (prehistoric analog phone line) and the new "fake" POTS offered by DSL and fiber providers.

With traditional POTS the audio is transmitted in the clear over phone wire, sometimes over several kilometers. Depending on your country and the state of the POTS infrastructure, the cables could be (relatively) secure underground, in the air on utility poles, or damaged, barely hanging off an electric pole somewhere. Eavesdropping on that is as easy as connecting another phone on the wires and recording, but this is still harder than breaking DECT and requires physical access. I'm not an electrical engineer but I suspect there may also be leaks in the form of crosstalk with other lines, possibly caused by old/damaged switching equipment, so using potentially expensive equipment someone may be able to listen in from a different line that shares the same switch or wiring.

With the new fake POTS, it's actually VoIP that gets turned into POTS with FXS hardware inside the modem/router (this is actually very stupid, as they force the user to buy often insecure wireless phones and lower the quality instead of using an IP phone and secure crypto).

Compromising the modem/router is enough to listen in and impersonate your bank or any other number. No physical access is required, the attack can be done online as the modem/router is directly exposed to the Internet and often has disastrous firmware.

If compromising the modem isn't possible, it may be possible to eavesdrop on the actual DSL line, cable or fiber, and from there attack the VoIP protocol (SIP or MGCP). Physical access is obviously required, and most equipment is relatively expensive so I wouldn't worry about banking data - someone who MITM's your DSL line definitely isn't after your banking data, as he probably already has much more in his own account than you do so if your bank data gets stolen it's unlikely that your DSL line is the culprit.

DSL eavesdropping requires expensive equipment (a DSLAM basically), but once that's done there's no encryption of the DSL traffic. Both PPPoE and IPoA are merely encapsulation.

Cable and fiber eavesdropping is easier. Both cable (DOCSIS) and consumer-grade fiber (PON) broadcast the downstream traffic to everyone connected to the same CMTS/OLT, it's supposed to be encrypted but I wouldn't count on it being enabled (France's largest DOCSIS provider didn't have it enabled last time I checked in late 2013). Listening on the downstream channel for cable only requires a basic DVB-C TV tuner card, and transmitting would require a rooted cable modem. PON eavesdropping requires a rooted ONT for the downstream channel, but I believe physical access to the OLT is necessary in case of fiber - the upstream channel may not be broadcast to everyone.

Once we assume the DSL/fiber/cable is broken and MITM'd, there's the actual VoIP protocol, SIP or MGCP. Both support encryption, but I doubt it's enabled. Most likely it isn't, so listening in would be very easy. If crypto is enabled you could still try and MITM the connection, chances are the awful SIP client running on the modem/router doesn't properly validate certificates and would accept your self-signed cert.

That's about the part that connects you to the phone provider (often your ISP). Once there, your call may go through lots of legacy and potentially insecure systems, and even the call center's infrastructure may be a disaster. Sadly, the DECT and DSL part may only be the tip of the iceberg.

About caller ID, it's spoofable by design. Phone providers can set the caller ID string to anything and it'll work just fine. Most providers often prevent end-users from setting their own caller ID, but I'm sure there are some that don't do these checks and attackers can use those providers to impersonate any number.

André Borie
  • Someone should put a security-oriented [What-Happens-When](https://github.com/alex/what-happens-when) tutorial on GitHub (what could go wrong and when?) – Deer Hunter Aug 15 '15 at 20:32