An Indian researcher has discovered that phone-banking systems’ software tone-decoding algorithms have problems. The researcher was able to crash a few banks’ systems remotely, and even extract customer PINs from one Indian bank’s phone system. Oops.
(A similar flaw was discovered by Matt Blaze in federal wiretaps, allowing the tapped person to turn the tap on and off during the call. One of the cleverer if less reliable TSCM techniques, beating out ‘wave a frequency counter around’ but falling behind ‘search the room for a tape recorder.’)
Whereas the Blaze attack’s most likely clientele was mobsters (and he indeed found evidence they’d discovered it before he did, and were using it), this one’s most likely to be used by unscrupulous competition.
Fortunately it’s not likely to get them very far, being a matter of a software patch: banks generally understand that if someone’s harassing you, you can either keep going or keep going and counterattack. (caving shows weakness and thereby invites worse attacks, since ultimately the attacker wants to take over the target or run them out of business)
“Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.
PBX and IVR machines are often used to run phone banking, call centres and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive information. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line[…]”