Earlier today I had to phone up a credit card provider to activate a new credit card, as part of a balance transfer. As is increasingly common these days, I didn’t even have to speak with a human being. All I had to do was use the telephone keypad to enter some details, so that the automated system could identify the card, check that I was who I said I was, and then activate the card for me. And here’s part one of the problem: computers aren’t that great at speech recognition (caveat: the Google Translate app is pretty damn good at natural English to Spanish and back, but more on that later). Instead of me speaking the card number, it’s far easier to collect the data using the keypad. You’ll all be familiar with DTMF, the tones you hear when pressing keys on a phone. Each key is sent as a specific pair of tones, spaced far enough apart to avoid errors, so it’s very, very easy for a computer to listen and recover numbers that way. What I found a little disturbing, though, was the fact that to activate the card I had to give the details of the card in my hand over the phone, as well as personal details about myself, using DTMF. Think about that for a second. I had to give away the sixteen-digit number, the expiry date, the CVV, and my date of birth, all using DTMF. I wonder if that kind of information might be useful to anyone?
Well, if you haven’t heard of the Payment Card Industry Data Security Standard (PCI-DSS), it’s a “…proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.” I did a little digging and it seems that there are actually companies who market products to financial institutions who receive calls like mine, and those products are designed to do what is known as DTMF filtering. What this means is that if a call to a call centre is being recorded, data protection laws prevent the recording of sufficient information as would allow someone listening to compromise the security of a customer’s card. These companies therefore have products which sit between the customer and the recording device, which listen specifically for DTMF and then drop that content before it hits the recorder. That way the bank doesn’t need to rely on stop/start recording and can actually record the entire call with the customer. This is useful to the bank in the case of a dispute or a complaint from the customer: they have all relevant data about who said what during a call, and the customer can’t claim reasonable doubt that an offensive comment was made during one of the stop/start blank moments in a call. So far, so good.
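As an added example of what such a DTMF filter does (this is illustration code written for this post, not the code of any of those products), the Python below detects key-presses frame by frame with the Goertzel algorithm and silences those frames before they would reach a recorder, while still handing the de-bounced key sequence to the call-centre application. The 8 kHz sample rate, 205-sample frame, the thresholds and the synthetic “call” at the bottom (a few off-frequency sine waves standing in for speech, then keys 4, 2, 2) are all assumptions constructed for the example.

```python
"""DTMF filtering for call recording (added example; not any product's code).

Detects DTMF key-presses frame by frame with the Goertzel algorithm and
mutes those frames before the audio reaches the recorder, so the recording
never contains keypad-entered card data. Pure Python, 8 kHz mono samples.
"""
import math

FS = 8000          # sample rate in Hz (assumed; standard for telephony)
FRAME = 205        # ~25.6 ms frames, the classic Goertzel DTMF block size
LOW = (697, 770, 852, 941)          # row tones
HIGH = (1209, 1336, 1477, 1633)     # column tones
KEYS = ("123A", "456B", "789C", "*0#D")   # rows = LOW, columns = HIGH


def goertzel_power(frame, freq):
    """Normalised power of `frame` at `freq` (~ amplitude^2 for a pure tone)."""
    omega = 2.0 * math.pi * freq / FS
    coeff = 2.0 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return power / (len(frame) / 2.0) ** 2


def detect_key(frame, min_energy=1e-4, tone_share=0.7, twist=4.0):
    """Return the DTMF key present in `frame`, or None.

    A frame counts as a key-press only if one row tone and one column tone
    together carry most of the frame's energy (`tone_share`) and each beats
    the runner-up in its own group by a factor of `twist`.
    """
    energy = sum(x * x for x in frame) / len(frame)   # mean power per sample
    if energy < min_energy:
        return None                                    # silence
    low = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(LOW)), reverse=True)
    high = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(HIGH)), reverse=True)
    (p_low, row), (p_low2, _) = low[0], low[1]
    (p_high, col), (p_high2, _) = high[0], high[1]
    # two equal-amplitude tones sum to about 2 * mean power in this normalisation
    if p_low + p_high < tone_share * 2.0 * energy:
        return None
    if p_low < twist * p_low2 or p_high < twist * p_high2:
        return None
    return KEYS[row][col]


def filter_dtmf(samples):
    """Mute every frame that carries a DTMF key; return (muted, keys).

    `keys` is the de-bounced key sequence (consecutive identical frames
    collapse into one key), so the call-centre system still gets the digits
    while the recorder receives silence in their place.
    """
    muted = list(samples)
    keys, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_key(samples[start:start + FRAME])
        if key is not None:
            muted[start:start + FRAME] = [0.0] * FRAME
            if key != last:
                keys.append(key)
        last = key
    return muted, keys


# --- constructed test signal (not a real call) ---------------------------
def tone(freqs, frames, amp=0.5):
    n = frames * FRAME
    return [sum(amp * math.sin(2 * math.pi * f * i / FS) for f in freqs) for i in range(n)]


def key_tone(key, frames):
    row = next(r for r, line in enumerate(KEYS) if key in line)
    col = KEYS[row].index(key)
    return tone((LOW[row], HIGH[col]), frames)


def sample_call():
    """Speech-like chatter, then key 4, a pause, key 2, a pause, key 2, chatter."""
    chatter = [a + b + c for a, b, c in zip(tone((300,), 3, 0.3),
                                            tone((2200,), 3, 0.2),
                                            tone((510,), 3, 0.25))]
    pause = [0.0] * FRAME
    return chatter + key_tone("4", 4) + pause + key_tone("2", 4) + pause + key_tone("2", 4) + chatter


if __name__ == "__main__":
    muted, keys = filter_dtmf(sample_call())
    print("keys entered:", keys)          # ['4', '2', '2']
    print("chatter untouched:", muted[:3 * FRAME] == sample_call()[:3 * FRAME])
```

The energy-share test is what stops ordinary speech from being muted: speech spreads its energy across many frequencies, so no single row/column pair ever accounts for 70% of a frame, whereas a genuine key-press is almost nothing but those two tones. A production filter would add frame overlap and a minimum press duration, but the shape is the same.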
However, where I think the PCI-DSS falls down is that it appears to assume that the connection between the customer and the call centre is secure, or otherwise outside the remit of its responsibility. But it isn’t. A call on a modern mobile to a 4G, or even 3G, capable base station is encrypted*, but as soon as it gets into the service provider’s network the same issue applies: encryption costs money. And if you make a call over your landline (perhaps thinking that because it’s not broadcast into the air it’s even more secure), then you’re in even more trouble. Signalling System 7 (SS7) was designed in the 1970s and has received next to no updates since. The original designers could have had no idea of what was to come in modern telecommunications, and the 1970s wasn’t a time when engineers and developers were thinking “secure by default”. No; instead, your telephone call is going out in the clear. Which brings us to the next problem.
I know where your telephone line goes, and it’s trivial for me to tap it. In every neighbourhood, in near enough every street, there is a little green box somewhere nearby where all the phone lines come together to be multiplexed before passing further up the comms provider’s infrastructure. These boxes are protected by a particular type of key which should only be available to the telephone company. However, this overlooks one key consideration: locks, and security in general, are never designed to keep people out. Instead, they are designed either to alert someone that a break-in attempt is happening, or to make it obvious that someone broke in. If a phone company only has need to visit your box once every six months, I can crack it open with relative ease, and since I’m wearing a high-vis jacket and I have an orange lamp beacon that I bought online, obviously I work for the phone company. So now I’m into the green box, and I have physical access to your phone lines. As everyone knows, physical access means game over. So now I can tap your phone line rather trivially. Why does this matter, though? Well, now I can attach a Raspberry Pi Zero that listens to any calls made to a list of known banking call centres. I then call you up and tell you I’m calling from your bank and there’s an issue with your credit card. However, you should never trust someone calling out of the blue pretending to be your bank, so first you hang up, then Google the number of your bank and call them back. You do this, and my Raspberry Pi Zero notes the DTMF as you dial them. Now it’s recording. You go through verification and it grabs your card number, your date of birth, your CVV and anything else you willingly give over an unencrypted connection. It’s almost too easy.
Now I have your credit card details and all the information I need to use them.
Why is it you insist on AES-256 for online banking, but you’ll bank over the phone in the clear?
After this incident, I spoke to a friend of mine who is a telecoms engineer. He reiterated the horrendous security around telephone lines, and how easy it is to tap them outside a customer’s home. It is absolutely trivial.
So what can we do? Here’s an idea: instead of making us give up all of our card details, in a computer-readable format, over an untrusted network, in the clear, perhaps the letter accompanying the credit card in the post could carry a passphrase containing no information about the card, which I can enter online to activate the card. You could even do that in the clear, and the phrase would be meaningless to any eavesdropper but acceptable to the financial organisation. Effectively you’re using a pre-shared key, albeit not one that is used to derive encryption. Perhaps “pre-shared secret” is a better description.
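To make that idea concrete, here is an added example (written for this post, not any card issuer’s code) of the issuer-side half of the pre-shared secret scheme. The phrase printed in the letter is drawn at random from a word list, so it is derived from nothing about the card or the customer and an eavesdropper who captures it learns nothing else; the issuer stores only a slow, salted hash of it, so a leaked activation database does not give the phrases away; and a handful of wrong guesses locks the card so that the short phrase cannot simply be brute-forced online. The 64-word list, the `card_ref` (an opaque internal card identifier that I assume comes from the customer’s logged-in session, never the card number), the PBKDF2 parameters and the attempt limit are all assumptions of the example.

```python
"""Card activation by a posted pre-shared secret (added example, not any
issuer's code).

The letter that arrives with the card carries a random activation phrase.
The phrase is derived from nothing about the card, so an eavesdropper who
captures it learns nothing about the card number, expiry, CVV or customer;
the issuer keeps only a slow, salted hash of it, so a leaked activation
database does not reveal the phrases either.
"""
import hashlib
import hmac
import math
import os
import secrets

# Constructed 64-word list for the example. A real issuer would use a much
# larger list; the point is that the words carry no card information.
WORDS = """apple river stone cloud bridge candle forest garden harbour island
jacket kettle ladder meadow needle orange pepper quilt rocket saddle tunnel
valley walnut yellow anchor basket cobalt dragon engine falcon glacier hammer
ivory jungle kernel lantern marble nickel oyster pillow quartz ribbon silver
timber umbrella velvet willow zephyr acorn beacon copper desert ember feather
granite helmet iguana juniper kayak lemon mirror nutmeg orchid pebble
""".split()

ROUNDS = 100_000          # PBKDF2 iterations: slow on purpose (assumed value)
MAX_ATTEMPTS = 5          # guesses allowed before the card must be re-issued


def make_activation_phrase(n_words=6, words=WORDS):
    """Random phrase; entropy is n_words * log2(len(words)) bits."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def phrase_entropy_bits(n_words=6, words=WORDS):
    return n_words * math.log2(len(words))


def normalise(phrase):
    """Tolerate case and spacing differences when the phrase is typed in."""
    return " ".join(phrase.lower().split())


def hash_phrase(phrase, salt):
    return hashlib.pbkdf2_hmac("sha256", normalise(phrase).encode(), salt, ROUNDS)


class ActivationService:
    """Issuer-side state. `card_ref` is an opaque internal card identifier
    taken from the customer's logged-in session (an assumption of this
    example), never the card number itself."""

    def __init__(self):
        self._records = {}   # card_ref -> {salt, digest, attempts, active}

    def issue(self, card_ref):
        """Create the phrase to print in the letter; store only its hash."""
        phrase = make_activation_phrase()
        salt = os.urandom(16)
        self._records[card_ref] = {
            "salt": salt, "digest": hash_phrase(phrase, salt),
            "attempts": 0, "active": False,
        }
        return phrase

    def activate(self, card_ref, phrase):
        """Return one of: activated, already_active, rejected, locked, unknown."""
        rec = self._records.get(card_ref)
        if rec is None:
            return "unknown"
        if rec["active"]:
            return "already_active"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        rec["attempts"] += 1
        candidate = hash_phrase(phrase, rec["salt"])
        # constant-time comparison: no timing side channel on the digest
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["active"] = True
            return "activated"
        return "locked" if rec["attempts"] >= MAX_ATTEMPTS else "rejected"


if __name__ == "__main__":
    svc = ActivationService()
    printed = svc.issue("card-ref-0001")          # this line goes in the letter
    print("letter says:", printed, f"({phrase_entropy_bits():.0f} bits)")
    print(svc.activate("card-ref-0001", "wrong words entirely please no"))   # rejected
    print(svc.activate("card-ref-0001", printed.upper()))                     # activated
```

Six words from a 64-word list give 36 bits, which is more than enough against five online guesses but thin against offline cracking of a leaked hash table; a real deployment would use a list of several thousand words. The scheme deliberately separates the two secrets a fraudster needs: the card (in the post) and the phrase (in the letter), neither of which can be recovered from a tapped activation call.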
To follow: proof of concept using a Raspberry Pi Zero attached to a junction box. In the meantime, don’t use the phone to bank.