Telephone address books, a new danger

Monday, September 18th, 2006 Posted in News & Updates |

More and more people are now using Voice over IP (VoIP) systems, such as Skype or Microsoft’s Messenger VoIP function. These systems are on many occasions replacing traditional telephone calls, as broadband connections can allow good-quality voice transmission at no extra cost. As added services, these programs include phonebooks to enable making calls without having to look for telephone numbers. However, entries in these phonebooks should never include addresses or telephone numbers that could compromise the security of users’ financial data.

For example, banking services should be dialed directly as, just with classic phishing techniques, an attacker could replace these numbers with others. In this case users, when trying to communicate with their bank, could really be calling a completely different number, and could therefore unwittingly reveal authentication details such as username and passwords which could then be used to operate the account fraudulently.

As with VoIP systems, bank numbers should not be stored on cell phones, as, similarly, calls made without checking the number could be redirected.

Oxygen3 advises users to ensure that any automatic dialing device is not accessible to others, especially if it includes the numbers of banks or other services that could jeopardize the security of users’ identity. As with basic security measures against phishing, telephone numbers of this type should be dialed directly by the user, rather than relying on a phonebook that could have been tampered with.

Likewise, phone numbers should be checked before they are used, as an attacker could have managed to publish a false number in order to trick users into revealing authentication details by redirecting them to a call center.

Source: Oxygen3 24h-365d, by Panda Software