I just rang up NAB Telephone Banking to set up NAB Internet Banking after much ado. It didn't want to let me reset my password and told me to speak to a human, which I reluctantly did. He thought that was all strange and made me go through the process again while he listened. The second time it wanted me to put a new password in, so I typed the new one in twice. He was listening to me type in my pin number. The pin number that anyone can use to log into someone's account and transfer $2500 to any account they like. The banks always tell you not to tell any banking staff your pin number. But they don't seem that fussed by banking staff listening to the tones of your pin number.
Now I'm not a phone geek, but I'm pretty sure that a sharp phone geek cookie would know exactly which numbers I'd typed just from the tones. A slightly less sharp phone geek could definitely record the tones and get a computer to tell them what the pin number was. Perhaps something like the Voice Controlled 5Hr. Recorder with DNR (Dialed Number Recorder). The whole point of audio tones is for them to be turned into numbers. It wouldn't be that difficult.
I raised this issue with the NAB fellow and he said "But they're just tones, how am I going to know what they mean?" He was sufficiently confused that I'll have to assume he isn't one of the aforementioned sharp cookies. But I was worried enough that I rang back and told them about it. They said that "NAB staff wouldn't do something like that." So that's encouraging.
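The point that keypad tones are just digits in another encoding, shown as an added example (not part of the original post): a Goertzel-based DTMF decoder run over tones synthesized in the same script. The key sequence is constructed sample input, and the 20 ms block size and power threshold are assumptions chosen for clean 8 kHz audio.

```python
import math

# Standard DTMF grid: every key is one row tone plus one column tone (Hz).
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE = 8000  # telephone-grade sample rate (samples per second)

def tone(key, ms=80):
    """Synthesize one key press as float samples."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    c = KEYS[r].index(key)
    w_r, w_c = (2 * math.pi * f / RATE for f in (ROWS[r], COLS[c]))
    return [0.5 * math.sin(w_r * t) + 0.5 * math.sin(w_c * t)
            for t in range(RATE * ms // 1000)]

def keypad_audio(keys, gap_ms=40):
    """Constructed sample input: key presses separated by silence."""
    gap = [0.0] * (RATE * gap_ms // 1000)
    return [s for k in keys for s in tone(k) + gap]

def goertzel(block, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode(samples, block_ms=20, threshold=100.0):
    """Return the keys heard in samples, one per tone burst."""
    n = RATE * block_ms // 1000
    out, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        block = samples[i:i + n]
        rows = [goertzel(block, f) for f in ROWS]
        cols = [goertzel(block, f) for f in COLS]
        key = None
        if max(rows) > threshold and max(cols) > threshold:
            key = KEYS[rows.index(max(rows))][cols.index(max(cols))]
        if key and key != last:  # count a held tone once; silence resets
            out.append(key)
        last = key
    return "".join(out)

if __name__ == "__main__":
    print(decode(keypad_audio("2259")))  # constructed sequence, not a real PIN
```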
Yeah that is plain dumb. DTMF (the tones) are so easy to convert into numbers. No security.
David / 11:51am / 10 July 2007
People worry about internet banking, but I think I’d feel safer with it.
Ryan / 11:55am / 10 July 2007
A friend can record them and then decode them by ear – (further down in the noise than decoding equipment). Am sure anyone half musical could train themselves to do it.
Julian / 12:05am / 11 July 2007
Saying or typing card numbers on a cheap and nasty analogue (FM) cordless phone lets anyone listen in to them.
Julian / 12:06am / 11 July 2007
I was thinking about that too. With internet banking your details become tricky to steal as soon as they leave the computer. But there are plenty more unencrypted connections with telephone banking.
Ryan / 10:45am / 11 July 2007
I guess Ryan’s case could be considered paranoia. In my case, it is total madness. I called the Commonwealth Bank phone service and the woman who answered my phone later ASKED for my phone PIN number. I was… well, fooled by her and told her my PIN numbers verbally. Upon hearing that, she said “Sorry I couldn’t help you. Please contact your nearest local branch” and then hung up.
As soon as I realised this, I called the phone banking again, 3x, and all they said was just “you have to go to your nearest branch to settle this”.
Wilson / 11:21pm / 29 July 2008