
Spoken Commands Crash Bank Phone Lines

Posted by samzenpus
from the initiate-self-destruct-sequence dept.
mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."


  • Good (Score:5, Funny)

    by Anonymous Coward on Monday September 17, 2012 @10:26AM (#41362283)

    I hate those automated prompts.

    • Re:Good (Score:4, Interesting)

      by justforgetme (1814588) on Monday September 17, 2012 @10:28AM (#41362317) Homepage

      Especially if, after pressing all possible combinations, you finally get to the part where it says "I'll connect you to a human being" and the whole system blows up and you have to start over. Which in my experience happens approximately 100% of the time.

      • Re:Good (Score:5, Insightful)

        by SJHillman (1966756) on Monday September 17, 2012 @10:36AM (#41362413)

        I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

        • Re:Good (Score:5, Funny)

          by JustOK (667959) on Monday September 17, 2012 @11:00AM (#41362719) Journal

          Press SQRT(-1) if this annoys you.

        • Re:Good (Score:5, Insightful)

          by TheCarp (96830) <[ten.tenaprac] [ta] [cjs]> on Monday September 17, 2012 @11:03AM (#41362761) Homepage

          I don't even mind the hybrid systems, in theory.

          What I mind is the last part. I am on with the machine, it collects all the info that a human operator would need, makes sense....helps speed things along, route calls, and keep the actual time of the operator useful, rather than monotonously getting account details....cool.

          In reality though, it's exactly as you say.... I spend all that time on with the computer, give it all my info, verify my account...and then... the operator gets on and asks for all that info again....

          So it didn't save him from monotony, it didn't keep his time useful.... all it did was waste my time.... yay.

          • Re:Good (Score:5, Insightful)

            by h4rr4r (612664) on Monday September 17, 2012 @11:10AM (#41362855)

            Wasting your time is good for them, it reduces the number of hangups. Far more importantly, it means hold times don't start until after all the prompts have been exhausted. This makes the call center numbers look great.

            Record a stupid metric get a stupid result.

          • Re:Good (Score:5, Interesting)

            by SlippyToad (240532) on Monday September 17, 2012 @11:19AM (#41362973)

            the operator gets on and asks for all that info again....

            I bitched about that once. Turns out, they are killing time while your screen comes up from their glacially-slow system.

            • Re: (Score:2, Informative)

              by Anonymous Coward

              I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
              In both places, info entered by the caller was used only to route the call; none of it was passed on to me.

        • Good Morning, Sir, would you mind confirming your slashdot UID for me before I can respond to your post?

        • Re: (Score:2, Informative)

          by Anonymous Coward

          I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.

          Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live Homo sapiens.

          Now you know.

          • by sjames (1099)

            Swearing often helps too. Some systems take it as a sign you're getting angry and try to head it off.

          • by AK Marc (707885)
            Not any more. Pressing 0 and saying "operator" used to work, but they are so common that the big people just say "that was an invalid option, please choose from one of the following options." These days, repeatedly mashing "1" gets you to a person fastest. They even plan on it, as that was the "old person" version, where they don't ever listen. Ever wonder why the Spanish choice has you pressing 2 or 4 or something? So that if you hit 1 repeatedly, you'll end up at the "regular" operator pool, not the
        • Here are the two worst I have encountered:

          One was a customer satisfaction survey. For each question, it asked the question, and then followed it with this entire message: "Press 1 for strongly agree; press 2 for agree; press 3 for neither agree nor disagree; press 4 for disagree; press 5 for strongly disagree." Now, I have no problem with this kind of prompt existing, but seriously, after the first question, I get how it works. Oh, I almost forgot: It would not accept any input until it had finished rea

        • Re:Good (Score:4, Interesting)

          by Lorens (597774) on Monday September 17, 2012 @12:23PM (#41363775) Journal

          [It's] a human who then asks you all of the same questions as the automated system that I really hate.

          I have a supplier whose automated system asks for contract number and system IDs and the like. Once, my system was totally down and the different numbers I had were refused by the supplier's IVR. I remembered hearing that some IVR systems detect swearing. I quite deliberately swore a few times at the system, and it beeped and asked "Are you currently experiencing a severity-1 production outage, press one". I did and got a human immediately. I'll never again complain about their system . .

        • by morgauxo (974071)
          Yes, that really sucks. I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again. There could be any number of individuals whose fau
          • by AK Marc (707885)

            I've been on both sides of that though. When the faceless big corporation that employs you doesn't give you access to that information imagine having to explain it 100 times a day while not putting down the hand that feeds you. I get it that the customer is annoyed but there still isn't anything the person on the phone can do until the customer quits their whining about it and just answers the damn questions already.... yes, again.

            There's no reason to answer the questions twice (aside from the evil corporation being too cheap/stupid to set up their expensive IVR correctly, which isn't acceptable to me as a customer).

            It's unfortunate for both sides when that information isn't sent on to the individual who actually answers.

            If it were that unfortunate for the faceless megacorp, they'd send the information they've already gathered and verified to the person on the phone. Otherwise, it's much much easier for the caller to just route it to a human. There's no benefit to the caller to go through a non-integrated IVR. At worst, there are sligh

      • by dywolf (2673597)

        usually, in the good systems (natch!), you just keep hitting 0, or saying "Representative" or else something that it can't decipher and it'll take you right to an operator, after only about 15 seconds.

        • by azadrozny (576352)
          Some companies are getting wise to this. Yes, this will take you to a real person, but that person is often nothing more than a switchboard operator. Many times they have routed me back to the same prompt queue I just escaped from.
        • On lots of the implementations I have seen either the menu loops indefinitely or it just disconnects you. To be honest though this is something I only have noticed in countries in the Mediterranean. So maybe it is somehow related to economic insolvency?

          • by DarthBart (640519)

            I always like the systems (I'm looking at you Dell!) that send you through the song and dance of entering information, then when the time comes to hit the queue the system says "We're sorry, call volumes are too high at the moment. Please call back later. *CLICK*".

      • by morgauxo (974071)
        I used to be one of the human beings a person might reach after mashing in those possible combinations. I don't know how awful the system may have been that led customers to do that. I had no input in making it or access to anyone who did. It may have really sucked but I sure hated those people that got to me by randomly mashing the wrong buttons. They were always so pissed off and difficult when I told them I had to transfer them. What did they expect? Ignore the system that is supposed to be helping
        • I wasn't talking about randomly mashing the buttons, but just trying to find the menu that does what you want without any success because it doesn't exist. Leading to the aforementioned every possible combination

        • by Obfuscant (592200)

          They were always so pissed off and difficult when I told them I had to transfer them. What did they expect?

          Good customer service from a company that truly cares about their business and doesn't waste their time playing through an endless cycle of "press 1 for this" or "press 2 for that", usually after starting the cycle with the useless "please listen carefully to the options because our menu has changed", when the menu hasn't changed in two years. A company that clearly offers "None of the options fits, press 0 for a person who is trained to assist you" instead of simply repeating the same three or four irrele

          • by AK Marc (707885)
            Damned straight. If you don't get a human (or your question answered for truly automated things like account balance and payment info or such) by about 3 menus deep, then you need to ditch the IVR and go back to human call routing. It's just too complicated to expect the general users to get where they are going, or you have 10,000 departments and nobody knows what goes where (I'd estimate about half the IVRs I've had to use had at least one invalid choice).
        • by AK Marc (707885)
          The "correct" buttons got me to the wrong department. I wanted to make a payoff, not make a regular payment, and the people who accept payments can only tell me my current due, not lock in a payoff amount. So, call back, same IVR, same wrong department. Call back, deliberately press the wrong buttons, get to an "operator" that can route me to the right person. IVR fails, wrong buttons get me what I was looking for.

          And it can't count against your stats if they call back if they were in the wrong departm
    • by dywolf (2673597)

      I do too. "Please say or key in your PIN/Account/Social Security/Member Number" ... yeah, I want to say my very important number out loud...
      Luckily USAA lets you key in the stuff too. I've come across some that don't, and I frankly refuse to use them.

      But when I saw this article, my first thought was, what do I say to trigger a money dump into my account?

  • by BSAtHome (455370) on Monday September 17, 2012 @10:30AM (#41362335)

    How is the Turing test doing for social engineering an automated system?

    Maybe the system committed suicide after listening to those humans and just decided it was not worth it anymore.

  • by ledow (319597) on Monday September 17, 2012 @10:30AM (#41362341) Homepage

    You decided to link to explanations of touch-tones and buffer overflows? On Slashdot? Really?

    And yet the article basically parrots the summary with no more information.

  • by pr0t0 (216378) on Monday September 17, 2012 @10:31AM (#41362351)

    To hear the PINs of our other customers, please press 1, or say "yes" now.

  • by Gotung (571984) on Monday September 17, 2012 @10:32AM (#41362363)
    "In one test, a phone system run by an unnamed Indian bank had dumped customer PINs" Sounds like a SQL injection attack, via voice. Lol. Little Bobby Tables strikes again.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      My money is on it not being purely by voice, but prepped with online banking. The attacker probably set their name or security question to Bobby Tables, then used the standard voice prompts to have the voice system attempt to say the name/security question/etc, which then ran the queries un-escaped

      • The article indicates that the attack was done by speaking attack commands.

        • Re: (Score:3, Funny)

          by Anonymous Coward

          The article indicates that the attack was done by speaking attack commands.

          Attack commands?

          "DIE AND BURN IN HELL, YOU STUPID FUCKING PIECE OF SHIT VOICEMAIL SYSTEM!"
          "Okay. I will die now."
          *sound of distant explosion*
          "...huh. Cool. I didn't think it'd be that easy."

        • Computer: Sic balls!

        • by Obfuscant (592200)

          The article indicates that the attack was done by speaking attack commands.

          Sit!

          Stay!

          Good dog, Ubu!

    • by Anonymous Coward on Monday September 17, 2012 @11:08AM (#41362813)

      "Thank you for calling Mega Bank. Please say 'Customer Service' or 'Loan Application'."

      "SELECT password FROM members"

      "It sounds like you're trying to hack our system. Please hold while I access that data."

  • Oblig (Score:3, Funny)

    by gmuslera (3436) on Monday September 17, 2012 @10:32AM (#41362371) Homepage Journal
    Wonder if something like this [xkcd.com] happened.
  • Video of the talk (Score:5, Interesting)

    by Tryfen (216209) on Monday September 17, 2012 @10:36AM (#41362421) Homepage

    You can watch a video of the talk on YouTube [youtube.com] - or read the slides at BlackHat [blackhat.com].

    Fairly interesting to see how buffer-overflows can occur in the most unlikely places.

    • Re:Video of the talk (Score:5, Informative)

      by bouldin (828821) on Monday September 17, 2012 @10:46AM (#41362559)
    • by jittles (1613415)
      I'm sorry, I know this guy probably isn't a native English speaker, but he is a horrible presenter. One of the worst I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable. The presentation is also very long, and not very interesting most of the time.
      • by cffrost (885375)

        [H]e is a horrible presenter. One of the worse I have ever seen. It doesn't seem like he practiced or anything, and you can tell he is terribly uncomfortable.

        I didn't watch this presentation, but your post reminded me of Elon Musk's appearance on The Daily Show. [thepiratebay.se] Blushing, glistening in sweat, strange answers, etc. It seemed like he'd never spoken in public before, and I was half-expecting him to flee the interview at any moment.

        • by jittles (1613415)

          He wasn't sweating, and didn't look like he would flee in terror, but he had DTMF tones blaring loudly from his PowerPoints, had long pauses where he had to figure out what he wanted to say, and was constantly saying "Umm umm umm." This is why most universities require you to take public speaking classes, and things of that nature. At my last company I would go to a tradeshow every year and give 2 presentations a day for a week. I also gave demos to government officials (Including a 1-star [Brig. General]

          • but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

            • by jittles (1613415)

              but you'll see the strangers only once; and you'll have to see your co-workers again and again. how is this better?

              That's exactly my point. If you are a good employee then your coworkers will value you despite your embarrassing attempt to present to them. You only get one attempt at showing those strangers that your product (whether it is you as an employee, or your company's product) is worth the money. If you mess that up, the game is over. But if you've had a great career and you get a little bit of stage fright in front of your coworkers, they will (in my experience) genuinely offer constructive criticism and help y

    • by MobyDisk (75490) on Monday September 17, 2012 @11:53AM (#41363375) Homepage

      I don't dare run Powerpoint files or Word documents I receive from my relatives. Yet here I am downloading one from Black Hat and I feel perfectly safe. The world has gone mad.

  • One trick (Score:4, Funny)

    by kilodelta (843627) on Monday September 17, 2012 @10:37AM (#41362437) Homepage
    If you have the knack for it, whenever you encounter an IVR, is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.
    • by P-niiice (1703362) on Monday September 17, 2012 @10:57AM (#41362691)
      I do this and get more and more pissed every time I have to yell "Agent" at it. My kids get a huge laugh out of it every time too.
      • by MachDelta (704883)

        Have you tried "I'm going to stab you in the EEPROM" ?
        It worked for Frontalot...
        kinda....

    • Re:One trick (Score:5, Interesting)

      by fuzzyfuzzyfungus (1223518) on Monday September 17, 2012 @11:04AM (#41362765) Journal

      If you have the knack for it, whenever you encounter an IVR, is to repeatedly scream a phrase at it, something like 'agent'. Good systems recognize the word and put you through to a human post haste. Shit systems, which are the predominant type, have something like a 30 or 60 second timeout before requiring human help.

      Some systems may actually be responding to the vocal stress cues. In an effort to pretend to care, while minimizing the number of actual humans needed, some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way. I find that it generally isn't difficult to convincingly emulate boiling rage, and (depending on whether the phone drone knows he is being dumped into a rage call or not) immediately switching to polite-and-businesslike when the human comes on usually works pretty well.

      • by Obfuscant (592200)

        some designs will prioritize the ones that sound increasingly angry so as to get them dealth with and out of the way.

        I can't figure out whether you put an extra 'h' on 'dealt', or an extraneous 'l' in 'death', but I guess either way they are "out of the way".

    • Re:One trick (Score:5, Interesting)

      by PRMan (959735) on Monday September 17, 2012 @11:11AM (#41362871)
      Pressing 0 works on a little more than half of systems. Make sure you keep pressing 0 in response to every prompt.
  • Heh. For some reason this reminds me of the "shower scene" from the very first episode of Dilbert (the animated series), where Dogbert is attempting to hack Dilbert's voice-activated shower temperature control.

    http://www.youtube.com/watch?v=7MqhBL9eEts [youtube.com]

  • Wow - surely you could find a way to work in a Cap'n Crunch whistle? [jetcityorange.com]
  • Seriously, phone support? That's a waste of all time and effort. So is online chat support, email and talking to anyone in person if they even exist.

  • by PPH (736903) on Monday September 17, 2012 @11:04AM (#41362769)

    "All your PINs are belong to us!"

  • If humanity has any luck left this will spell the end of shitty automated phone systems (which is about 99.9% of them). With Windows as my bellwether, I'll not be holding my breath.
  • Nobody recognizes TFA as being about phreaking? You know, this kind of stuff dates back ages. Kevin Mitnick even had the superpower to whistle nuclear missiles into flight... True Story(TM).

  • by gigne (990887) on Monday September 17, 2012 @12:01PM (#41363493) Homepage Journal

    Working in the industry, and having to read low level logs all of the time, I see this frequently.
    People will call up, wait for a silence, and after 500ms start pumping down DTMF signals. Often they do this with seemingly random patterns 3-4 times before giving up.
    Oftentimes they retry prompts with longer and longer strings. This is old news.

    I am guessing there is a wardialler in there that is looking for specific systems at the other end. Sort of known phreak attacks.

    Weird things like this exist and have existed for a long time. Hardware and software suppliers check for this now. We routinely check for stuff like this in dev and QA.

    The submitter is doing nothing new, nothing unknown or even clever. These sorts of phreaks are older than I am. meh.

    • by oodaloop (1229816)
      Right. First thing I thought of was the whistle from Capn Crunch.
    • by cffrost (885375)

      In the mid-1990s there was a DOS program called Code Thief, which would dial an 800* number, enter a telephone number known to be answered by modem (e.g., multi-line BBS), enter an authorization code (4-6 digits, IIRC), then keep a log of which codes resulted in successful connection.

      * I don't know what these 800 numbers were exactly, but I was told they were intended to allow corporate business travelers to make LD calls from payphones/hotel phones at their employer's expense. The 800 numbers themselves we

  • are em minus f slash root
    Permission Denied
    sudo are em minus f slash root
    no home directory

  • At the voice prompt, yell "Format c" followed by "yes!".
  • by Animats (122034) on Monday September 17, 2012 @01:38PM (#41364657) Homepage

    The problem remains the C language. C (and C++) is the only remaining major language prone to buffer overflows.

    This can be fixed. See "Safe arrays and pointers for C through compatible additions to the language" [animats.com]. This is a proposal for a "strict mode" for C which prevents buffer overflows. It's been discussed on Lambda the Ultimate, the C standard newsgroup, and the GCC development list, and with each round of criticisms, the design is tightened up.

    This proposal includes a "strict mode", in which the rules are tighter, and ways to talk about the size of arrays. Non-strict code can call strict code, and vice versa. So there's a gentle migration path to all-strict programs, one source file at a time. It's an extension to C, not a new language. Some of the necessary features for this are already in C99 or are GCC extensions, so I'm trying to get this into GCC as an extension so it can be tried in the real world.

    It's no longer acceptable to say that this problem can't be solved. It can. It just takes the will to solve it. Prodding from the security community will help.

    Strict code is mostly about declarations. For example, the Linux "read" function, which is now declared int read(int fd, void* buf, size_t len); would be declared int read(size_t len; int fd, void_space (buf&)[len], size_t len); Instead of passing a pointer, you pass a reference to an array, a reference with an associated size. So the language knows how big the array is. Incidentally, the first "size_t len;" is a forward declaration of len. That's an existing but rarely used GCC extension. It's needed because so many C, UNIX, Linux, and POSIX APIs have the buffer param before the buffer size.

    (For those few of you who know what a C99 variable length array parameter is, you'll wonder why this syntax differs from that. It's a long story. C99 VLA params are demoted to pointers at function entrance, losing the size info. It turns out nobody uses C99 VLA params; repeated searches have failed to find any of them in open source code. Also, Microsoft refused to implement them in Visual C/C++, they're incompatible with C++, and they've been demoted to an optional feature in the latest C standard draft.)
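The bug class the story summary describes (a keyed or spoken input long enough to overrun a fixed buffer somewhere between the IVR and the back end), the "longer and longer strings" probing gigne reports in the logs, and Animats' point above that the size has to travel with the buffer, as one added example in plain C99. This is not code from the original page, from the researcher's talk, or from Animats' strict-mode proposal (whose syntax is not standard C); the toy IVR "PIN collector", its DTMF stream, the four-digit PIN length and every function name are constructed for illustration, and a real system reads digits from the telephony stack rather than from a string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the keypad stream is a string of '0'-'9', '*' and
 * '#', where '#' terminates entry, standing in for a telephony API that
 * delivers one DTMF digit per event. */

#define PIN_DIGITS 4

/* Vulnerable form: the buffer arrives as a bare pointer, the callee has no
 * idea how big it is, and the loop copies until it sees '#' or NUL. A
 * caller that keys 200 digits before '#' writes far past a 5-byte buffer. */
int collect_pin_unbounded(char *pin, const char *dtmf)
{
    size_t n = 0;
    while (dtmf[n] != '\0' && dtmf[n] != '#') {
        pin[n] = dtmf[n];
        n++;
    }
    pin[n] = '\0';
    return (int)n;
}

/* Hardened form: the size is passed with the buffer and enforced on every
 * store. Returns the number of digits stored, or -1 with the buffer wiped
 * on any violation: too many digits, a non-digit key, or an entry that
 * never reached the '#' terminator (caller hung up mid-entry). */
int collect_pin_bounded(char *pin, size_t pin_size, const char *dtmf)
{
    size_t n = 0;
    if (pin == NULL || pin_size == 0) return -1;
    pin[0] = '\0';
    if (dtmf == NULL) return -1;
    for (;; n++) {
        char c = dtmf[n];
        if (c == '#') break;                  /* normal terminator */
        if (c == '\0') goto reject;           /* stream ended without '#' */
        if (c < '0' || c > '9') goto reject;  /* '*' or anything else */
        if (n + 1 >= pin_size) goto reject;   /* keep room for the NUL */
        pin[n] = c;
    }
    pin[n] = '\0';
    return (int)n;
reject:
    memset(pin, 0, pin_size);  /* do not leave a partial PIN behind */
    return -1;
}

/* Probe detector in the spirit of gigne's comment: a single DTMF burst far
 * longer than the longest legitimate field on the system (account number,
 * PIN, etc.) is worth logging whether or not it crashed anything. */
bool dtmf_burst_suspicious(const char *dtmf, size_t max_expected)
{
    size_t n = 0;
    while (dtmf[n] != '\0' && dtmf[n] != '#') n++;
    return n > max_expected;
}

/* Convenience wrapper: runs the bounded collector against a PIN-sized
 * buffer and reports only the result code. */
int pin_len_for(const char *dtmf)
{
    char pin[PIN_DIGITS + 1];
    return collect_pin_bounded(pin, sizeof pin, dtmf);
}

int main(void)
{
    char pin[PIN_DIGITS + 1];
    const char *good  = "1234#";                              /* constructed */
    const char *probe = "11111111111111111111111111111111#";  /* constructed */

    printf("bounded, good stream : %d (%s)\n",
           collect_pin_bounded(pin, sizeof pin, good), pin);
    printf("bounded, probe stream: %d\n", pin_len_for(probe));
    printf("probe suspicious     : %d\n", dtmf_burst_suspicious(probe, 16));
    /* collect_pin_unbounded(pin, probe) would write past pin; only the
     * safe stream is run through it here. */
    printf("unbounded, good      : %d\n", collect_pin_unbounded(pin, good));
    return 0;
}
```

The hardened collector does three things the naive one does not: it refuses to store a digit when the next write would leave no room for the terminator, it treats an unterminated stream as an error rather than trusting whatever follows in memory, and it wipes the buffer on failure so an oversized or malformed entry cannot leave a partial secret for the next prompt to read. The detector is deliberately dumb; the useful signal in an IVR log is a burst length that no prompt on the system can legitimately produce.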

