We deploy Asterisk-based telephony systems, so I'm pretty familiar with what can be logged when troubleshooting. So today I called FNB and as part of the authentication process I need to punch in:
ID number #
last 8 digits of my card #
PIN code for card #
The first time around I declined the PIN entry. I queried the consultant and they suggested that it was secure because I only put in the last 8 digits of my card, and that they couldn't help me if I didn't go through the automated authentication process (forgetting that anyone with the partial information I just punched in could now call them). IIRC, in the past I used to be able to go through a manual authentication process?
A quick look through the logs on my Asterisk box shows all the DTMF is logged and with a little bit of creative grep work you can put it all together. Obviously I'm not going to paste all my details in here. But below is a random DTMF sample.
[Apr 15 12:21:14] DEBUG[24515] res_rtp_asterisk.c: Sending dtmf: 54 (6), at 192.168.1.94:8000
Event: DTMF
Privilege: dtmf,all
Channel: SIP/228-00001afb
Uniqueid: 1366021227.14500
Digit: 6
Direction: Received
Begin: Yes
End: No
So, granted, a number of things need to be available to you to get this information: SSH or console access to the Asterisk box, and obviously people aren't calling their bank every single day. But the information is not secure, and people should not be blindly trusting that telephone transacting is secure. I've used Asterisk here as an example as that's what we work on, but any modern PBX system can log this kind of information.
Anyway, that's my "use it, don't use it" piece of information for today.
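To make the "creative grep work" concrete, here is an added example (not the poster's code, and not anything shipped with Asterisk) that reassembles key presses from the two record shapes quoted in the post: the AMI "Event: DTMF" block and the res_rtp_asterisk "Sending dtmf: NN (d)" debug line. Every channel name, Uniqueid, IP address and digit string below is constructed for the example; the 13-digit "ID number" and the card/PIN values are made up. The AMI parser counts only "Begin: Yes" events, because each press produces a Begin and an End record and would otherwise be recorded twice, and it groups by Uniqueid so that interleaved calls do not get mixed together.

```python
#!/usr/bin/env python3
"""Reassemble DTMF key presses from Asterisk DTMF records.

Added example, not the forum poster's code. Parses two record shapes that
appear in the post: the AMI "Event: DTMF" block (Asterisk 1.8/11 style
with Begin/End flags) and the res_rtp_asterisk "Sending dtmf" debug line.
All sample data in this file is constructed.
"""
import re
from collections import defaultdict

# Shape of the debug line quoted in the post: "Sending dtmf: 54 (6), at 192.168.1.94:8000"
RTP_DEBUG_RE = re.compile(
    r"res_rtp_asterisk\.c: Sending dtmf: (?P<code>\d+) "
    r"\((?P<digit>[0-9A-D*#])\), at (?P<peer>\S+)"
)


def parse_ami_events(text):
    """Yield one dict of 'Key: value' fields per blank-line-separated AMI block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            yield fields


def dtmf_from_ami(text, direction="Received"):
    """Map Uniqueid -> digit string in press order.

    A press emits a Begin event and an End event; only Begin: Yes is counted
    so each digit is recorded once.
    """
    digits = defaultdict(str)
    for ev in parse_ami_events(text):
        if ev.get("Event") != "DTMF" or ev.get("Direction") != direction:
            continue
        if ev.get("Begin") != "Yes":
            continue
        digits[ev["Uniqueid"]] += ev.get("Digit", "")
    return dict(digits)


def dtmf_from_rtp_debug(lines):
    """Map RTP peer address -> digit string from 'Sending dtmf' debug lines."""
    digits = defaultdict(str)
    for line in lines:
        m = RTP_DEBUG_RE.search(line)
        if m:
            digits[m.group("peer")] += m.group("digit")
    return dict(digits)


def split_ivr_fields(digit_string):
    """Split a '#'-terminated sequence into the IVR's prompts (ID, card, PIN)."""
    return [f for f in digit_string.split("#") if f]


def ami_event(channel, uniqueid, digit, begin):
    """Build one constructed AMI DTMF event in the shape quoted in the post."""
    return (
        "Event: DTMF\nPrivilege: dtmf,all\n"
        f"Channel: {channel}\nUniqueid: {uniqueid}\nDigit: {digit}\n"
        f"Direction: Received\nBegin: {'Yes' if begin else 'No'}\n"
        f"End: {'No' if begin else 'Yes'}\n"
    )


def constructed_ami_stream():
    """Two interleaved constructed calls; every press emits Begin and End."""
    calls = [
        ("SIP/228-00001afb", "1366021227.14500", "9001015800089#55667788#1234#"),
        ("SIP/231-00001afc", "1366021301.14512", "42#"),
    ]
    events = []
    # Round-robin interleave so the parser has to group by Uniqueid.
    for i in range(max(len(seq) for _, _, seq in calls)):
        for chan, uid, seq in calls:
            if i < len(seq):
                events.append(ami_event(chan, uid, seq[i], True))
                events.append(ami_event(chan, uid, seq[i], False))
    return "\n".join(events)


# Constructed debug lines in the same format as the one quoted in the post.
CONSTRUCTED_RTP_LINES = [
    "[Apr 15 12:21:14] DEBUG[24515] res_rtp_asterisk.c: Sending dtmf: 54 (6), at 192.168.1.94:8000",
    "[Apr 15 12:21:15] DEBUG[24515] res_rtp_asterisk.c: Sending dtmf: 55 (7), at 192.168.1.94:8000",
    "[Apr 15 12:21:15] DEBUG[24515] res_rtp_asterisk.c: Sending dtmf: 35 (#), at 192.168.1.94:8000",
]

if __name__ == "__main__":
    for uid, seq in dtmf_from_ami(constructed_ami_stream()).items():
        print(uid, seq, split_ivr_fields(seq))
    print(dtmf_from_rtp_debug(CONSTRUCTED_RTP_LINES))
```

Run against a real AMI capture or a full log, the per-Uniqueid strings come out exactly as the caller keyed them, including the '#' terminators, which is why a split on '#' recovers the three fields the IVR asked for. The same grouping logic applies to any PBX that records key presses; only the regexes change.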