Outbound call to a number is harder to break. One way is to port the number to another provider, illegally. If you have the person's information and bill, you probably have enough info to get the line transferred. And sometimes, providers will accidentally/idiotically allow a number to be ported even if the information isn't correct; there's plenty of room for mistakes.
Another attack is to target the way they place the outbound call. Suppose they place the outbound call with provider X. An attacker might sign up and start a port via provider X. If provider X has poor code, they might activate the number internally, and route all their customers calls to your account, before they find out the port's been rejected. Or you might be able to compromise the provider another way - many providers and VoIP software systems are hilariously weak on security.
The first attack will work across the entire phone network; the second requires the authentication call to be made via an insecure provider.
Right but you're talking about owning the DID, which one may or may not need to do in order to compromise your connection. For example, if I pwn the Asterisk box your call routing runs through, I can mirror the audio or redirect the audio pretty trivially.
Going a step further, given how few people aren't buying through a reseller, it's possible to pwn an upstream provider and impact boxes through a man in the middle attack. Even over TDM you're not safe because of physical taps which are difficult to detect (albeit easier than IP).
No, Phone numbers are not secure and should never be used as a form of authentication. You don't even need to port a number, you just need to be somewhere in the stream.
I think there's a significant scope difference in performing a MiTM attack (via hacking a provider or installing a tap) and forcing a port through.
After all, it's implicit in telephone banking when you authenticate via voice that you trust the connection. The argument you're making is that telephony is insecure, which is arguably true, but sorta irrelevant within the scope of telephone banking.
How is it irrelevant? Is it not the crux of the issue here?
Many upstream providers are just Asterisk boxes forwarding traffic. Those boxes can be overloaded with a malformed SIP header; hell, most application switches get wrecked by malformed headers.
What I'm trying to say is that money is one of those things where security is actually important. Trusting telephony, even as a signal and not source, is foolish. There are many better methods of deriving identity.
My point, and arguably the point of the article, is that telephony is insecure, and I think it's pretty far from irrelevant... Please correct me if I misunderstood, I'm not trying to offend I just don't understand.
Another attack is to target the way they place the outbound call. Suppose they place the outbound call with provider X. An attacker might sign up and start a port via provider X. If provider X has poor code, they might activate the number internally, and route all their customers calls to your account, before they find out the port's been rejected. Or you might be able to compromise the provider another way - many providers and VoIP software systems are hilariously weak on security.
The first attack will work across the entire phone network; the second requires the authentication call to be made via an insecure provider.