g_p | 9 months ago
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
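To make the two PIN paths g_p contrasts concrete, here is an added illustration (not g_p's code, and not any bank's or card vendor's implementation). The offline path builds the EMV VERIFY command (CLA 00, INS 20, P1 00, P2 80 for a plaintext PIN) whose PIN block goes only to the chip, which answers with a status word and decrements its own try counter; the online path packs the same PIN into an ISO 9564-1 format-0 block that a terminal would encrypt and send to the issuer host, where it has to be decrypted to compare. The `ToyCard` class, the sample PIN and PAN, and the three-try limit are assumptions for the demo, not values from any real card.

```python
"""Added example: offline (on-card) PIN verification vs. the online PIN block.

ToyCard is a stand-in for a real EMV chip; the PIN, PAN and try limit below
are constructed sample values, not data from any real card or issuer.
"""
import hmac


def plaintext_pin_block(pin: str) -> bytes:
    """EMV plaintext offline PIN block: control nibble 2, PIN length nibble,
    the PIN digits, then F-padding to 8 bytes (e.g. 1234 -> 241234FFFFFFFFFF)."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def verify_apdu(pin: str) -> bytes:
    """VERIFY command APDU for a plaintext PIN: CLA 00, INS 20, P1 00, P2 80,
    Lc 08, PIN block. This is what crosses the terminal-to-chip interface."""
    block = plaintext_pin_block(pin)
    return bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block


class ToyCard:
    """Toy chip holding its own reference PIN block and a PIN try counter.
    Only a status word leaves the card; the reference PIN never does."""

    SW_OK = b"\x90\x00"           # PIN verified
    SW_BLOCKED = b"\x69\x83"      # try counter exhausted
    SW_BAD_PARAMS = b"\x6a\x86"   # P1/P2 not supported (toy handles plaintext only)

    def __init__(self, reference_pin: str, tries: int = 3):
        self._ref = plaintext_pin_block(reference_pin)
        self.max_tries = tries
        self.ptc = tries          # PIN try counter

    def process(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if (cla, ins, p1, p2) != (0x00, 0x20, 0x00, 0x80):
            return self.SW_BAD_PARAMS
        if self.ptc == 0:
            return self.SW_BLOCKED
        if hmac.compare_digest(data, self._ref):   # constant-time compare
            self.ptc = self.max_tries
            return self.SW_OK
        self.ptc -= 1
        return bytes([0x63, 0xC0 | self.ptc])      # 63 Cx: x tries remaining


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """Online-PIN path: ISO 9564-1 format 0 block = (0, len, PIN, F-pad) XOR
    (0000 + rightmost 12 PAN digits excluding the check digit). A terminal
    encrypts this under a PIN key and sends it to the issuer, whose HSM must
    decrypt it to compare, so the cleartext PIN exists on the bank side."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit() or not pan.isdigit():
        raise ValueError("bad PIN or PAN")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def demo() -> dict:
    """Run both paths with constructed values and return what each exposes."""
    card = ToyCard("1234")                    # constructed reference PIN
    wrong = card.process(verify_apdu("0000"))  # one bad try -> 63 C2
    right = card.process(verify_apdu("1234"))  # correct -> 90 00, counter reset
    online = iso9564_format0_block("1234", "4321432143214321")  # constructed PAN
    return {
        "offline_wrong_sw": wrong.hex(),
        "offline_right_sw": right.hex(),
        "ptc_after": card.ptc,
        "online_pin_block": online.hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes: on the offline path the only thing an eavesdropper on the terminal link or the network sees is `9000`/`63Cx`/`6983`, and brute force is bounded by the card's try counter; on the online path the format-0 block still contains the PIN digits and only the encryption layer (and the issuer's HSM handling) stands between it and anyone on the wire.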
danaris | 9 months ago
For 99% of people, 99% of the time, what they need to worry about is someone calling them suspiciously asking for key information.
The fact that targeted attacks like that exist does not make it a good idea to treat them as ubiquitous. People with the kind of money that would make executing such an attack worthwhile should be expected to take higher precautions than the rest of us with it.
joquarky | 9 months ago