[MW Forums]

VOIP systems put banks and other companies at risk of phishing attacks, a security researcher warned. more

[SeaFox]

Quote:

---

In this scenario, the customer would be asked by the hacker to enter personal banking information before being passed on to an actual bank customer-service representative. Theres no security technology out there that companies can deploy to fix this, The Grugq said, noting that existing intrusion-detection systems are not capable of detecting when a VOIP attack takes place.

---

I have a solution, it's called ANALOG PHONE! Really, run a PBX again (without external control access). We didn't have digital phone routing our 800-number calls for all time, there's no reason we couldn't go back to that point. The problem here is the bank managers are more interested in the cost saving of their VoIP solution than customer security.
Part of this is behavioral, too. If banks hadn't started this deal with having customers give all of their account information before speaking to a represenetive, the sudden requirement of having to do so (by the hacker) might stick out in the consumer's mind. But now that everyone is doing it the idea that giving personal information to a middleman or dialing it into the phone for a computer before reaching the agent is so ingrained in our society, they coudln't just send out a memo saying "do not give account details until you reach the BankofAmerica represenetive" as many people would not read it and wouldn't bat an eyelash at having to enter the info, even if they ended up giving the same info twice. Some banks have multiple call centers and some can recieve the info from when the computer took it from you at the beginning of the call, and other's can't. So they have to ask you to repeat it to them.