[VOIPSEC] VoIP and Banking Security

Scott Keagy Scott.Keagy at webex.com
Wed Jun 22 20:45:21 CDT 2005


1) It requires at least a several hundred dollar computer to sniff it in
VoIP, and it requires a $20 butt set to sniff it in analog phones (e.g. from
the connection block that is usually unlocked on the outside of an apartment
building or a house). Most people don't recognize how incredibly insecure
traditional phone service is (this is one area where the stuff you see in
spy movies etc. is actually true and easy to do with traditional phone
services).
2) You can use SRTP (secure RTP) to encrypt VoIP packets, and it will become
ubiquitous in the coming years, while traditional phone service will still
be in the clear.
3) Aside from SRTP, there are various mechanisms to reduce the likelihood of
bad guys getting in the flow of packets in the first place (which is a
prerequisite to interpreting the info contained in the packets).


Regards,
Scott

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Al
Sent: Wednesday, June 22, 2005 11:52 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] VoIP and Banking Security

Greetings,

New here, and yes, I did check the archives first.

I just finished a session with my bank using the touch pad on my phone.
When finished I dumped the packets captured during the transaction (using
ethereal).  I was a little dismayed and a lot alarmed to see wherever the
protocol was RTP EVE that the numbers I pressed on the phone were visible in
the info field:

     Payload type=RTP Event, DTMF Eight 8

I'm guessing that if I can sniff these packets, so can anyone else.

Anyone have any comments to calm my nerves?

Thanks,

Al
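
The "RTP Event, DTMF Eight 8" line in the capture comes from the 4-byte telephone-event payload (RFC 4733, successor to RFC 2833) that follows an unencrypted RTP header. The following is an added example, not part of the original thread: a check you can run over your own capture to see which key presses are readable without SRTP. The function names and sample packets are constructed for illustration, and payload type 101 is an assumption (the real value is negotiated in SDP).

```python
import struct

# RFC 4733 event codes 0-15 map to the DTMF keypad.
DTMF_KEYS = "0123456789*#ABCD"

def parse_telephone_event(packet, event_pt=101):
    """Return (ssrc, timestamp, key, end_flag) for a cleartext RTP
    telephone-event packet, or None for anything else."""
    if len(packet) < 12:
        return None
    b0, b1, _seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2 or (b1 & 0x7F) != event_pt:   # RTP version 2, event PT
        return None
    offset = 12 + 4 * (b0 & 0x0F)                 # skip CSRC list
    if b0 & 0x10:                                 # header extension present
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if len(payload) < 4:
        return None
    event, flags, _duration = struct.unpack("!BBH", payload[:4])
    if event >= len(DTMF_KEYS):
        return None
    return ssrc, ts, DTMF_KEYS[event], bool(flags & 0x80)

def exposed_digits(packets, event_pt=101):
    """Digits readable from a capture. One key press spans several packets
    sharing an RTP timestamp, so count each (ssrc, timestamp) once."""
    seen, digits = set(), []
    for pkt in packets:
        parsed = parse_telephone_event(pkt, event_pt)
        if parsed and parsed[:2] not in seen:
            seen.add(parsed[:2])
            digits.append(parsed[2])
    return "".join(digits)

def build_event(seq, ts, event, end=False, duration=160, pt=101, ssrc=0x1234):
    """Build a sample packet (constructed test data, not a real capture)."""
    header = struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc)
    return header + struct.pack("!BBH", event, (0x80 if end else 0) | 10, duration)

# Constructed sample: key "8" (three packets), one audio packet, then key "#".
SAMPLE = [
    build_event(1, 1000, 8), build_event(2, 1000, 8, duration=320),
    build_event(3, 1000, 8, end=True, duration=480),
    struct.pack("!BBHII", 0x80, 0, 4, 1160, 0x1234) + b"\xff" * 160,
    build_event(5, 2000, 11), build_event(6, 2000, 11, end=True, duration=320),
]
```

An empty result from `exposed_digits` on a capture of a call where keys were pressed indicates the digits are not travelling as cleartext telephone-events on that payload type.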