Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Thoughts of the paranoid on the call centre security.
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 22 Jan 2008 13:07:24 -0600 (CST)

On Fri, 18 Jan 2008, Sean Jackson wrote:
I had seen a conversation about putting people on 'hold' but really
listening to the other side.

My recent experience:

I called a credit card to work out a payment plan (grrr) and had to enter in
my account number and last four of my SSN.  Then I wait and am sent to a
person, and she asks me to verify my name, address, SSN, etc....then she
says she's going to put me on hold and send me to someone who can take care
of my account, CLICK, .....and silence.  I'm on hold.  Well, I'm pissed,
because I just spent another two minutes verifying what I thought I had
inputted through my phone.  Why do it twice, only to find the person you're
talking to can't even help you?  So I said out loud, "If you couldn't help
me, why the hell did I have to verify my account info?".  Click click,
"Excuse me, sir?  What were you asking?"

She was listening to me while I was on hold.  I said I wanted to know why I
had to verify with her if she couldn't help me, she explained it's to
expedite the process so the actual account representatives can spend more
time with the clients, blah blah balh.

She was listening to me while I was on hold.  She heard my question I was
just blathering to the ether while on hold, and she came back on and asked
me to repeat my question.

I was so excited I had found an instance of this happening.  And I've since
closed my account.

This scam would cost money (or if you can avoid paying, at least your time, and that's money). Further, it runs a higher risk of being caught. Then, you need to be lucky and havde someone talk in the background.

I say it i snot as cost-effective as other scams.

On a more basic note, people may spend time with encryption and security measures to ensure people don't listen in to their ocnversations, yet have them in a public place or while someone else in on the phone near them (and whoever is on the other side doesn't necessarily need to hear what they have to say).

        Gadi.


Sean Jackson


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Serg B
Sent: Thursday, January 17, 2008 7:32 AM
To: pen-test () securityfocus com
Subject: Thoughts of the paranoid on the call centre security.


I needed to call my bank today to ask few questions?  Called the bank,
asked my questions and the lady on the other end asked me if she could
put me on hold while she searched for the required information.  I
don't generally like being on-hold so I said no and that I would
rather wait online.  She went a little quiet while she was doing
whatever it is that she was doing. Meanwhile, I am sitting there,
doodling and listening to all the background noise? Somehow it makes
me feel more comfortable than being on-hold. For some reason I tuned
into a particular conversation where a call centre person was reading
some numbers.  They sounded like somebodies credit card number (maybe
an account number).

And here is where I start getting a little paranoid: wouldn't it be
possible to call a bank call centre from a monitored (recorded) line,
keep the staff on the phone for as long as possible (I don't think it
would be very hard, just keep asking dumb but time consuming
questions) until you get tired of it or disk space/tape runs out.

Next comes the tricky part: filtering and isolating the conversations
in the recording.  Personally I wouldn't know where to start, however
people who are into their music software would probably find it
trivial.

This makes me wonders if it could be a new (most likely inefficient
but non-the-less) higher-return method of phishing?

Just a passing thought?


  Serg

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]