Spoken Commands Crash Bank Phone Lines
mask.of.sanity writes "A security researcher has demonstrated a series of attacks that are capable of disabling touch tone and voice activated phone systems, forcing them to disclose sensitive information. The commands can be keyed in using touchtones or even using the human voice. In one test, a phone system run by an unnamed Indian bank had dumped customer PINs. In another, a buffer overflow was triggered against a back-end database. Other attacks can be used to crash phone systems outright."
Re:Video of the talk (Score:5, Informative)
There's more detail here, including links to papers: http://voipsecurityblog.typepad.com/marks_voip_security_blog/2012/09/dtmf-telephony-denial-of-service-tdos-issues-for-ivrs.html [typepad.com]
Re:Good (Score:2, Informative)
I don't mind a lot of the entirely automated systems (although some are horrible), nor do I mind waiting for a human. However, it's the hybrid systems where you go through anywhere from five to twenty layers of prompts only to be connected to a human who then asks you all of the same questions as the automated system that I really hate.
Say "operator" when you're dealing with an automated system, and it'll generally hook you straight up to a real live Homo sapiens.
Now you know.
Re:Good (Score:2, Informative)
I don't know about banks, but I've worked in 2 call center jobs: a utility company and a state government agency.
In both places, info entered by the caller was used only to route the call; none of it was passed on to me.