Skip to main content

Telephone and Fax Services Security

In this day of doing everything online, we still rely heavily on services delivered over POTS (Plain Old Telephone Service). Banks and credit card companies still require the telephone to make certain changes, queries and security checks, even though most functions can be performed online. Medical records, bank details, security key order requests, etc., are routinely transferred by facsimile. However, are these secure? Are they more or less secure than doing the same thing online?

I'm not going to talk about the underlying security of POTS, but concentrate on a couple of easy attack vectors on the end device of the user that I have recently observed. A couple of weeks ago, I needed to amend something on one of my credit card accounts (I would tell you which bank, only it's my personal credit card and I don't want phisers knowing which banks I have accounts with). This bank has an automated telephone answering system to make things more efficient and reduce staff required - pretty standard. So I made sure that I was in a room on my own, to prevent eavesdropping my conversation, and dialled the number. The automated system asked me to type in my full credit card number on the keypad.

The problem with doing this is that the telephone will remember these digits as part of the last number dialled. Therefore, all someone would have to do is to recall the last number dialled and read off the credit card number. If they actually dial it they would be put through as the legitimate card holder. Now, admittedly they will probably ask some security questions on the other end before making any changes, but these may consist of simply asking for a date of birth, which is fairly easy to find out. Even if you don't know this information, other information may be given away in the mean time (e.g. who the card holder is as they normally use your name in any greeting). The problem is compounded if you make a call from work, where you will probably be using an exchange. Exchanges will store all the numbers dialled, including any options or credit card numbers entered on the phone's keypad. This log can simply be printed out and your details read off. Of course the number dialled will show which bank you are using as well, although this can also be gleaned from the first 6 digits of your credit card number.

Things can potentially get worse if you use facsimile or fax machines. There are different types of fax machines that work in different ways. Most will keep a log of calls and faxes sent and received. This may or may not be a problem, depending on the level of detail of the log and whether you're typing in credit card details during a phone call made on the machine. However, some fax machines use rolls of pigment on acetate (or similar) to print the fax out when received. The problem here is that these rolls are wound through during printing and that part is never reused (otherwise you will get gaps in your printing). However, what this means is that when you come to throw the roll away once used, it will have a perfect facsimile of everything printed on the machine since the roll was put in, only in negative. To get round this, you must shred, or otherwise destroy, the used roll, not just throw it in the bin.

As to whether this is more or less secure than an online transaction is a difficult question to answer. On the one hand, you often need physical access to the phone or fax machine to get to the logs, although telephone exchanges are often online. Also, sifting through a bin outside a premises isn't that hard and can often be very rewarding. On the other hand, transactions online are encrypted and people are more aware of the security implications in general. However, malware and man-in-the-middle attacks can still thwart this type of transaction, but it does require more skills than sifting through a bin.

Not all data leakage comes from computers, pen drives, etc. Sometimes a seemingly innocuous device can betray your information and breach your security. Unfortunately, you have to think of all possible attack vectors and mitigate the risks. This is why a full information policy that covers all forms of data is required.

Comments

  1. Hi, it's soo nice! I'd like to share some internet fax service security tips. It is recommended that people change their passwords twice a year and never use the same ones in order to keep documents, emails, internet fax, and other data secure. One of the things that experts caution about is using passwords that are extremely easy to guess such as a name with the birth year. Also, make sure that the security questions are rather hard to guess and do not have common answers. It may be a chore keeping up with all the account passwords but the important ones such as banking, email, and the social networking sites are worth the effort. Another tip is that you should not have matching passwords for different sites and accounts. And as always, be on the look out for things that look fishy and out of the ordinary. Like I said before, a little common sense can go a long way. thanks, @Linda:)

    ReplyDelete

Post a Comment

Popular Posts

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post . How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't real

How Reliable is RAID?

We all know that when we want a highly available and reliable server we install a RAID solution, but how reliable actually is that? Well, obviously, you can work it out quite simply as we will see below, but before you do, you have to know what sort of RAID are you talking about, as some can be less reliable than a single disk. The most common types are RAID 0, 1 and 5. We will look at the reliability of each using real disks for the calculations, but before we do, let's recap on what the most common RAID types are. Common Types of RAID RAID 0 is the Stripe set, which consists of 2 or more disks with data written in equal sized blocks to each of the disks. This is a fast way of reading and writing data to disk, but it gives you no redundancy at all. In fact, RAID 0 is actually less reliable than a single disk, as all the disks are in series from a reliability point of view. If you lose one disk in the array, you've lost the whole thing. RAID 0 is used purely to speed up dis

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most