[VoiceOps] PCI Compliance and VoIP

Paul Timmins paul at timmins.net
Fri Oct 21 01:10:11 EDT 2011


On Oct 20, 2011, at 10:55 PM, Jay Hennigan wrote:

> On 10/20/11 6:07 AM, Hiers, David wrote:
>> I've no doubt that they are correct; card information encapsulated in a codec needs to be encrypted over insecure networks, which includes the Internet.
>> 
>> We can safely assume that they are in contact with the PCI standards people, and getting advice from other PCI compliant entities. 
> 
> But is not the analog/TDM PSTN also a public, insecure, unencrypted
> network?  What's more difficult, tapping an analog phone line with a
> simple recorder coupler from Rat Shack or intercepting a specific RTP
> stream over a random route mixed in with gigabytes of pornography and
> other assorted cruft?
> 
> It boggles how people who think nothing about using cordless phones are
> so paranoid about VoIP security over the Internet.

Attached to my backpack is a massive PCI standard violation. I think nothing of carrying it every day.

How long until they either try to ban my Fluke TS44 Deluxe, or wake up to the idea that POTS is less secure but still not considered a problem? It's not like it's hard to decode the 300 baud FSK datastream of a credit card terminal.

A T1 is no match for my T-Berd 224, comparatively a relic but perfectly capable of doing what my Harris can do to a T1. Even if that's some high-rent money for you, my Phoenix Networks T1 test unit can do it and cost less than the buttset on eBay.

Preaching to the choir here, of course, but it's just plain silly. Any of these devices could be used relatively anonymously with nothing more than a $30 assortment of various tools (can wrench, inverted hex wrench used on a lot of remote terminal and cell tower enclosures, smartjack enclosure key). If you're broke and your adversary has a POTS line, climbing the pole and taking a corded phone with the jack hacked off to expose the wires will give you more access and anonymity than you could ever want.

But here we are talking about military-grade encryption for some RTP streams over a generally saturated backbone network with 10 GigE links brimming with porn. LOL. Talk about killing an ant by running it over with a semi truck.

-Paul
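Editor's note: the "300 baud FSK datastream" Paul refers to is the Bell 103-style modulation that low-speed dial-up terminals use on a POTS line. The following is an added example, not code from the post or from any terminal vendor, showing why recovering bits from an audio recording of such a line is a small signal-processing exercise rather than a cryptanalytic one. It assumes Bell 103 originate-side tones (1270 Hz mark, 1070 Hz space) and asynchronous 8N1 framing; real terminals may negotiate other modes, and the message is a constructed placeholder, not card data. It is pure Python with no third-party dependencies: a continuous-phase FSK modulator stands in for the recording, and a non-coherent two-tone correlator decides each bit.

```python
"""Bell 103-style 300 baud FSK round trip: frame -> modulate -> demodulate -> deframe.
Added example for illustration only; assumes originate-side tones and 8N1 framing."""
import cmath
import math
import random

SAMPLE_RATE = 9600                     # Hz, chosen so one 300 baud bit is exactly 32 samples
BAUD = 300
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD  # 32
# Assumption: the terminal is the originating modem, so it transmits the Bell 103 originate tones.
MARK_HZ = 1270    # logical 1 (idle line, stop bit)
SPACE_HZ = 1070   # logical 0 (start bit)


def frame_bytes(data: bytes) -> list:
    """Async 8N1 framing: start bit 0, eight data bits LSB first, stop bit 1.
    Idle mark bits are added on both sides so the receiver can locate the first start bit."""
    bits = [1] * 4
    for b in data:
        bits.append(0)                               # start bit
        bits.extend((b >> i) & 1 for i in range(8))  # data, LSB first
        bits.append(1)                               # stop bit
    bits.extend([1] * 4)
    return bits


def modulate(bits, noise_amplitude=0.0, seed=1):
    """Continuous-phase FSK: MARK_HZ for a 1, SPACE_HZ for a 0, SAMPLES_PER_BIT samples per bit.
    Optional seeded Gaussian noise stands in for line noise on a tapped pair (constructed, not captured)."""
    rng = random.Random(seed)
    phase = 0.0
    samples = []
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase) + noise_amplitude * rng.gauss(0, 1))
            phase = (phase + step) % (2 * math.pi)
    return samples


def tone_energy(window, freq):
    """Non-coherent detector: magnitude of the complex correlation with a reference tone,
    so the result does not depend on the phase of the incoming signal."""
    acc = 0j
    for n, x in enumerate(window):
        acc += x * cmath.exp(-2j * math.pi * freq * n / SAMPLE_RATE)
    return abs(acc)


def demodulate(samples):
    """Decide each bit by comparing the mark and space correlator outputs over one bit window.
    Assumes the sample stream starts on a bit boundary (true for the modulator above)."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(window, MARK_HZ) >= tone_energy(window, SPACE_HZ) else 0)
    return bits


def deframe_bits(bits) -> bytes:
    """Skip idle marks; a 0 is a start bit, followed by 8 data bits and a stop bit that must be 1."""
    out = bytearray()
    i = 0
    while i < len(bits):
        if bits[i] == 1:          # idle / stop bit, keep scanning for a start bit
            i += 1
            continue
        if i + 9 >= len(bits):    # truncated frame at end of capture
            break
        data = bits[i + 1:i + 9]
        if bits[i + 9] != 1:
            raise ValueError(f"framing error at bit {i}")
        out.append(sum(b << k for k, b in enumerate(data)))
        i += 10
    return bytes(out)


def round_trip(message: bytes, noise_amplitude=0.0) -> bytes:
    """Frame, modulate, demodulate and deframe a message; returns the recovered bytes."""
    return deframe_bits(demodulate(modulate(frame_bytes(message), noise_amplitude)))


if __name__ == "__main__":
    # Constructed placeholder payload, not card data.
    print(round_trip(b"TEST MESSAGE", noise_amplitude=0.1))
```

The detector margin is what makes this easy: over a 32-sample bit window the correct tone correlates to roughly N/2 = 16, while the 200 Hz-distant wrong tone leaks only about 6.6, so a clean recording from a butt set or a recorder coupler decodes with no equalisation or clock recovery beyond aligning to the first start bit.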

