Former Hacker Tackles IVR and Voice Biometric Security
NEW YORK (SpeechTEK 2008) -- The newest trend in phishing targets is interactive voice response (IVR) systems through man-in-the-middle telephone attacks, warned Kevin Mitnick today in his keynote address at SpeechTEK 2008 at the New York Marriott Marquis.
"Instead of having me fill out a form or clicking on a link to go to a Web site, [attackers] simply give me the phone number of the customer service department, and the customer service department is really an IVR system," said Mitnick, the world’s most famous former hacker turned professional security consultant. "You are receiving a telephone number you think is the bank. When you call it, it actually accesses the bank. But you don’t know the attacker has put himself into the middle of the transaction."
Mitnick--who prior to his keynote address set up a Web site capable of performing man-in-the-middle attacks—then demonstrated this security threat. Accessing his Web site, Mitnick called Washington Mutual Bank. When the call was diverted to the bank’s IVR system, he entered an account number and four digits of a social security number, all of which were stolen and transferred immediately to the man-in-the-middle Web site.
"It doesn’t matter what it is—credit cards, banking, your voicemail, anything," said Mitnick, author of the books The Art of Deception and The Art of Intrusion.
"This is where the attacker does a phishing attack to put himself in the middle and you can’t detect it because when you do your transactions, it works… And in the more sophisticated attacks, the bad guys get into the telephone switch and divert a percentage of the traffic…and put themselves in the middle, and it’s impossible to detect."
Mitnick also pointed out the weaknesses of voice biometric security solutions. He relayed an instance when he was hired by a company to see if he could crack its voice biometric security system. "And how does this voice biometric work? You call the system. It would have you read off a certain number of digits to register, and then thereafter you would simply call up and say a certain number of digits and it would verify you as legitimate or not legitimate."
Mitnick said many companies use this model. "The problem…is you’re using just numbers; you’re not using phrases or words, and so when you’re talking about digits you only have one through zero."
According to Mitnick, he simply used caller ID spoofing--in which one masks a phone number on caller ID by adopting a false phone number--called an employee of the company, tricked the employee into repeating the fraudulent phone number, which contained the digits zero through nine, recorded the call, and broke each digit into a separate .WAV file. Mitnick then called back and used the recordings to defeat the system.
"So that was an easy way to defeat it," he said. "But I understand that the company fixed that problem."