RE: Thoughts of the paranoid on the call centre security.

From: Gadi Evron (ge@linuxbox.org)
Date: Tue Jan 22 2008 - 14:07:24 EST


On Fri, 18 Jan 2008, Sean Jackson wrote:
> I had seen a conversation about putting people on 'hold' but really
> listening to the other side.
>
> My recent experience:
>
> I called a credit card to work out a payment plan (grrr) and had to enter in
> my account number and last four of my SSN. Then I wait and am sent to a
> person, and she asks me to verify my name, address, SSN, etc....then she
> says she's going to put me on hold and send me to someone who can take care
> of my account, CLICK, .....and silence. I'm on hold. Well, I'm pissed,
> because I just spent another two minutes verifying what I thought I had
> inputted through my phone. Why do it twice, only to find the person you're
> talking to can't even help you? So I said out loud, "If you couldn't help
> me, why the hell did I have to verify my account info?". Click click,
> "Excuse me, sir? What were you asking?"
>
> She was listening to me while I was on hold. I said I wanted to know why I
> had to verify with her if she couldn't help me, she explained it's to
> expedite the process so the actual account representatives can spend more
> time with the clients, blah blah blah.
>
> She was listening to me while I was on hold. She heard my question I was
> just blathering to the ether while on hold, and she came back on and asked
> me to repeat my question.
>
> I was so excited I had found an instance of this happening. And I've since
> closed my account.

This scam would cost money (or if you can avoid paying, at least your
time, and that's money). Further, it runs a higher risk of being caught.
Then, you need to be lucky and have someone talk in the background.

I say it is not as cost-effective as other scams.

On a more basic note, people may spend time with encryption and security
measures to ensure people don't listen in to their conversations, yet have
them in a public place or while someone else is on the phone near them
(and whoever is on the other side doesn't necessarily need to hear what
they have to say).

         Gadi.

>
> Sean Jackson
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com]On Behalf Of Serg B
> Sent: Thursday, January 17, 2008 7:32 AM
> To: pen-test@securityfocus.com
> Subject: Thoughts of the paranoid on the call centre security.
>
>
> I needed to call my bank today to ask a few questions. Called the bank,
> asked my questions and the lady on the other end asked me if she could
> put me on hold while she searched for the required information. I
> don't generally like being on-hold so I said no and that I would
> rather wait online. She went a little quiet while she was doing
> whatever it is that she was doing. Meanwhile, I am sitting there,
> doodling and listening to all the background noise. Somehow it makes
> me feel more comfortable than being on-hold. For some reason I tuned
> into a particular conversation where a call centre person was reading
> some numbers. They sounded like somebody's credit card number (maybe
> an account number).
>
> And here is where I start getting a little paranoid: wouldn't it be
> possible to call a bank call centre from a monitored (recorded) line,
> keep the staff on the phone for as long as possible (I don't think it
> would be very hard, just keep asking dumb but time consuming
> questions) until you get tired of it or disk space/tape runs out.
>
> Next comes the tricky part: filtering and isolating the conversations
> in the recording. Personally I wouldn't know where to start, however
> people who are into their music software would probably find it
> trivial.
>
> This makes me wonder if it could be a new (most likely inefficient
> but nonetheless) higher-return method of phishing?
>
> Just a passing thought?
>
>
> Serg
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT