[VOIPSEC] VoIP and Banking Security
Kirill Bolshakov
kirill at sjlabs.com
Thu Jun 23 01:55:25 CDT 2005
Al,

if your bank is not using OTP (one-time password) authentication schemes,
then you are right in your suspicions: this method is insecure.

If your bank gave you a device that can calculate passwords based on your
card (inserted into the device, which is the size of a calculator) and some nonce
(delivered to you out-of-band; say, via a Web page or via IVR), then there
is a chance that sniffing won't help, as the device implements an OTP scheme.

Respectfully yours,
Kirill

P.S. Unfortunately, I don't know this device's name in English, for I am not a
native English speaker.
Al wrote:
> Greetings,
>
> New here, and yes, I did check the archives first.
>
> I just finished a session with my bank using the touch pad on my phone.
> When finished I dumped the packets captured during the transaction (using
> ethereal). I was a little dismayed and a lot alarmed to see wherever the
> protocol was RTP EVE that the numbers I pressed on the phone were visible in
> the info field:
>
> Payload type=RTP Event, DTMF Eight 8
>
> I'm guessing that if I can sniff these packets, so can anyone else.
>
> Anyone have any comments to calm my nerves?
>
> Thanks,
>
> Al
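An added illustration of both halves of this exchange (example code, not from the thread or from either poster): the first part decodes RFC 2833 telephone-event payloads, the "RTP Event" packets Al saw, to show that a static PIN keyed in as DTMF is recoverable from a cleartext capture; the second simulates a calculator-style token of the kind Kirill describes, where the digits sent are a response to a fresh nonce, so a captured response does not verify against the next one. The HMAC-based token algorithm and the sample capture are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2833 telephone-event payload: event(8) | E(1) R(1) volume(6) | duration(16)
DTMF_EVENTS = {**{i: str(i) for i in range(10)}, 10: "*", 11: "#"}


def decode_telephone_event(payload: bytes) -> dict:
    """One RTP telephone-event payload -> the key it carries, in the clear."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"digit": DTMF_EVENTS.get(event, "event-%d" % event),
            "end": bool(flags & 0x80), "volume": flags & 0x3F,
            "duration": duration}


def digits_from_capture(payloads) -> str:
    """Rebuild the keyed string.  A press spans several packets and its end
    packet is sent three times, so count it once: at the first end packet
    after a non-end packet."""
    digits, in_digit = [], False
    for p in payloads:
        ev = decode_telephone_event(p)
        if not ev["end"]:
            in_digit = True
        elif in_digit:
            digits.append(ev["digit"])
            in_digit = False
    return "".join(digits)


def make_digit(event: int, duration: int = 800) -> list:
    """Constructed payloads for one key press (sample data, not Al's dump)."""
    start = struct.pack("!BBH", event, 0x0A, 160)      # E=0, volume field 10
    end = struct.pack("!BBH", event, 0x8A, duration)   # E=1, volume field 10
    return [start, start, end, end, end]


CAPTURE = make_digit(8) + make_digit(1) + make_digit(8)   # a keyed "818"
CARD_SECRET = b"constructed-card-secret"                  # placeholder secret


def device_response(card_secret: bytes, nonce: str, ndigits: int = 6) -> str:
    """Simulated calculator-style token (assumed scheme): HMAC over the
    bank's nonce with the card secret, truncated to decimal digits."""
    mac = hmac.new(card_secret, nonce.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** ndigits).zfill(ndigits)


def bank_verify(card_secret: bytes, nonce: str, typed: str) -> bool:
    """Bank side: recompute for the nonce it issued.  A response sniffed for
    an earlier nonce does not verify against a fresh one."""
    return hmac.compare_digest(device_response(card_secret, nonce), typed)
```

With a static PIN, `digits_from_capture` hands the attacker everything; with the token, the same sniffed digits fail `bank_verify` as soon as the bank issues a new nonce.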