[VOIPSEC] Question on VoIP security requirements in financial sector
Simon Horne
s.horne at packetizer.com
Tue Jun 19 06:04:22 CDT 2007
I guess the biggest concern beyond media/signalling encryption is whether
this person is a customer at this financial institution and whether the
customer is who they say they are. So there are two elements: caller
validation and verification. In the PSTN world there is usually "what is
your name and customer number?" to verify you are a customer, and questions
like "what is your grandmother's maiden name?" to verify you are who you say
you are. If we go to the financial institution's website we can log in (to
prove we are a customer) and, as a lot of institutions are doing these days,
be required to enter other information such as smartcards, keyfob number
generators etc. to verify our identity.
The one million dollar question is: can VoIP (SIP) provide a better service
to the customer and the financial institution beyond just encrypted
voice? The answer is NO, as SIP has absolutely no capacity to provide any
form of caller validation or verification outside of user-response IVR
systems at the financial institution (which can already be done with PSTN).
Simon
At 07:25 PM 18/06/2007, Fleming, Eoin (DSCP) wrote:
>I am not aware of any regulations concerning VOIP specifically (the
>regulations will probably never refer to VOIP anyway but to
>telephony/telecommunications networks normally...). Encryption is not
>mentioned in connection with VOIP certainly but if you are dealing with
>personal financial information or personally identifiable information then
>encryption would be considered a mandatory requirement under the banner of
>exercising due care in the protection of financial records (but this is by
>inference only...) The only area that I am sure affects VOIP is call
>recording requirements for certain dealing and call centre operations.
>
>This link might shed some light
>http://www.syngress.com/book_catalog/372_PRAC_VoIP/sample.pdf
>
>But like most things in the regulatory world it's all open to some degree
>of interpretation, i.e. even if you implement encryption so it's available
>for the use of your customers you have no guarantee that the other end of
>the conversation will use it; similarly, in the PSTN you have no control over
>the possibility that your carrier might route some of your calls over
>VOIP....so the only thing you can really do is risk assess and encourage
>the use of encryption.
>
>Cheers,
>
>Eoin D. Fleming
>
>-----Original Message-----
>From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
>Behalf Of Roland Auckenthaler
>Sent: 18 June 2007 10:35
>To: voipsec at voipsa.org
>Subject: [VOIPSEC] Question on VoIP security requirements in financial sector
>
>Hello,
>
>I'm trying to find some information regarding security policies or legal
>obligations with regards to the use of VoIP in the financial sector. Does
>anybody know if the use of SRTP and/or TLS are mandatory requirements for
>some financial transactions (i.e. phone banking)? I'm especially looking
>for information that relates to Europe, but if you have something from other
>regions that would be helpful too.
>
>best regards
>
>Roland Auckenthaler
>Sales Engineer CEEME, NMS Communications
>
>Address: Richard Strauss Strasse 71, D-81679 Munich, Germany
>Phone: +49 89 945484-78, Fax: +49 89 945484-70
>MSN-IM: rauckenthaler at hotmail.com
>
>Amtsgericht Muenchen (Munich District Court): HRB 132404, Managing Director: Herb Shumway
>
>voipsec-request at voipsa.org
>Sent by: voipsec-bounces at voipsa.org
>19.01.2007 13:00
>Please respond to voipsec at voipsa.org
>To: voipsec at voipsa.org
>cc:
>Subject: Voipsec Digest, Vol 25, Issue 4
>
>Send Voipsec mailing list submissions to
> voipsec at voipsa.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>or, via email, send a message with subject or body 'help' to
> voipsec-request at voipsa.org
>
>You can reach the person managing the list at
> voipsec-owner at voipsa.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Voipsec digest..."
>
>
>Today's Topics:
>
> 1. EUSecWest 2007 Papers (Dragos Ruiu)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 18 Jan 2007 16:07:22 -0800
>From: Dragos Ruiu <dr at kyx.net>
>Subject: [VOIPSEC] EUSecWest 2007 Papers
>To: Voipsec at voipsa.org
>Message-ID: <200701181607.22142.dr at kyx.net>
>Content-Type: text/plain; charset="us-ascii"
>
>(Nico already beat me to telling you folks, but
>there is some other info in this message that
>may interest some folks here --dr:)
>
>Hi,
>
>For those who asked, we are still processing the submissions for CanSecWest
>and the call closed, please stand by. The paper selections are back from the
>reviewers for EUSecWest, in London on March 1-2.
>
>In absolutely random order:
>
>Threats against and protection of Microsoft's internal network - Greg Galford, Microsoft
>Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat
>/GS and ASLR in Windows Vista - Ollie Whitehouse, Symantec
>Fuzzing: history, perspectives and limits - Christian Wieser, Oulu university
>The new OWASP Web Application Penetration Testing Methodology - Matteo Meucci & Alberto Revelli, OWASP-Italy
>Reverse Engineering Malicious Javascript - Jose Nazario, Ph.D., Arbor
>Bypassing NAC Systems - Ofir Arkin, Insightix
>RFID - Adam Laurie, trifinite
>Protecting Next-Gen Networks @ Nx10G link sizes - Jim Deleskie, Teleglobe
>Video Conferencing Security - Navid Jam, Sandia National Laboratories
>Software Virtualization Based Rootkits - Sun Bing
>VoIP Attacks! - Dustin D. Trammell, TippingPoint
>Windows Vista Exploitation Countermeasures - Richard Johnston, Microsoft
>OSX Security - Daniel Cuthbert, Corsaire
>Distributed drone-based malware propagation and deployment automation - Emmanuel H
>
>We have added a new RFID dojo in London with Adam, and Nico
>has a new VoIP Security dojo amongst the new dojos to be announced
>for CanSecWest along with the paper selections. Dojos for London
>have final schedules now.
>
>cheers,
>--dr
>
>--
>World Security Pros. Cutting Edge Training, Tools, and Techniques
>London, U.K. Mar 1-2 - 2007 http://eusecwest.com
>pgpkey http://dragos.com/ kyxpgp
>
>------------------------------
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
>End of Voipsec Digest, Vol 25, Issue 4
>**************************************