Soundminder Android Trojan Hears Credit Cards

Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."

But hey

[Pojut]

It's Linux-based, so naturally it's secure! /sarcasm

Note: I have a Droid Eris running Nonsensikal 15.2...so I'm certainly no Android hater.

Re:

[Tharsman]

When there is no limit to what Droid Gets, well.... there is no limit to what Droid Gets. [gogadgetnews.com]

Re:

[0xdeadbeef]

How is this insecure? The behavior is "as designed".

If it isn't the behavior you thought it should be, well, perhaps you shouldn't install unsigned applications from sketchy websites that want to both access your mic and your phone log.

Re:

[BasilBrush]

How is this insecure? The behavior is "as designed".

Being "as designed" is irrelevant to whether something is insecure. If anything insecure by design is worse than insecure by mistake. At least you can fix a mistake.

iPhone has this particular issue covered. A background app which is recording sound causes the status bar to turn red and the name of the application doing the recording is displayed.

Re:

[trollertron3000]

In fairness to Linux, it still requires a moron somewhere in the equation to accomplish this feat.

Re:

[dudpixel]

This is not a question of the OS, but a question of the app delivery model.

The same trick would be possible on iOS or WP7 but the app would be less likely to be approved (although some suspect apps have been approved in the past).

Re:

[FunkyELF]

Is there really insecurity when the user has to click "accept" when prompted with a list of everything that application has access to?

Re:

[s73v3r]

Not really. The only way to make it more secure would be to also prompt when the app actually attempts to use the permission. Although that could get annoying kinda fast. The other thing might be for the app developers to actually have to list why they need the permission in question. Why do you need access to my phone calls? I'm sure most spam apps might just make something up, but if they are doing something other than what they say, it should be easier to catch them.

Does it even need to do that...?

[Joce640k]

It could watch for people dialing the numbers of (eg.) online ticket sellers then just record the conversations. There's bound to be a credit card in there.

Re:

[Tharsman]

Why limit your spyware to only specific lists of phone numbers? May as well go for the virulent gold and catch any credit-card number you catch, no matter who you are giving it too. A predetermined list also would mean the virus would be forced to carry extra overhead with a database of phone numbers. Given business closing up, opening up, and plainly changing numbers, things that happen every day, the list would be obsolete very fast. An online based database would require the virus to do constant checks a

Re:

[Tharsman]

Although the risks of being found are minimal, a smart attacker would minimize as much as possible despite the fact. Maybe I give them too much credit, maybe I dont. I have never audited spyware.

I can say, though, that I seen enough reports from security experts on this stuff. Spyware that does constant requests to a database for updated phone number lists to intercept will likely have to run out of calling time, not during call. That would increase the chances of a security expert to notice the unnecessa

Wouldn't you have to be root for this to work?

[filesiteguy]

I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?

Or can the app simply request permission?

(Disclaimer: I'm root and have cyanogen on my phone.)

Re:

[Imagix]

The app simply requests permission. More accurately, the app asks for permission during install time when the installer notifies the user that this app requires permissions to intercept calls.

Re:

[rjstanford]

So it could be bundled in with a "voice changer" app or, probably more successfully, one that randomly inserts background noise (train station, jungle, room-o-farts) into your call. For freez!

Re:

[Rennt]

You also have to tick a box saying:

Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone for loss of data that may result from using these applications."

This is a social engineering attack, not an exploit in the Android system.

Re:

[Rennt]

Android's software distribution model is also "curated" if that's what floats your boat. But this is a business model, not a security model.

Security can be enhanced, but only in the sense of limiting infection by removing an app from the store after it has been "outed" as malware. The thing is, an educated user can do the exact the same thing with their device without the need for a central authority.

Android lets me choose to opt-out of dubious security in exchange for enhanced liberty. This is a strength t

Re:Wouldn't you have to be root for this to work?

[Jahava]

I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root? Or can the app simply request permission? (Disclaimer: I'm root and have cyanogen on my phone.)

The article says the application requests the following permissions:

• Read Phone State and Identity: Used to know when your phone is calling
• Your Personal Information: Not really used in the attack.
• Hardware Controls (probably specifically microphone): Lets the application record audio

There's an additional app that requests Network Capabilities; it's used to relay the data. Since the original application doesn't request those capabilities, it's less obvious (although now a second application has to be installed).

Basically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

The scenario is that a user will install the recorder app because they want a voice recorder, and will install the "Deliverer" app for some unrelated reason. Neither app's permissions set off any warning bells, but, together, they can steal your data.

So no, no rooting necessary. Goes to underline the general idea - given any security fence and enough time to understand it, someone will find a way around it. It's not particularly creative or innovative - just one of those proofs-of-concept of the obvious that will get media attention. Android's permissions are a nice heads-up to the user, but you really need to know and trust the publisher before you give any of the more deadly set of permissions (e.g., hardware controls, network communication) to an app.

Re:

[Klync]

While "Hardware Controls" seems intuitive for the stated purpose, "Read Phone State and Identity" is fairly common, too. Almost every application will do things differently - whether operating in the foreground or background - depending on whether you are using the phone at the time. E.g. whether to play a sound or ring an alarm. This is one permission I (and I hate to admit it) would barely think twice before granting to just about any app.

Re:

[icebraining]

Personally, I think Google should change the permissions. Hardware Controls should not get access to the microphone during a call - instead, it should ask for a new permission, like "Recording calls". Make it more clear for the user.

If people install a trojan that specifically says it'll record calls, then there's not much one can do.

Re:

[shadowrat]

I'm sure many of us raise an eyebrow at the premissions requests, but most people do not. The biggest security flaw is the user. Most will grant any app permission to do anything.

Re:

[BasilBrush]

This is why a closed app store is useful. Either malicious apps will be discovered at the approval stage, and never appear on the app store, or they will be removed later when a user reports an app as being malicious.

Re:

[leonardluen]

i believe if you read the full article you will also notice that google stated that they have thought of such a scenario of apps sharing data, so they purposefully made it difficult for them to pass data back and forth to each other. so the recording app and the deliverer app secretly share data by updating various global phone settings such as the ring volume and backlight timeout.

Re:

[mjwx]

asically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

So basically all I have to do to get around thi

Re:

[BasilBrush]

In this case, a very low success rate for voice recognition is quite acceptable. It's still useful to its creators even if it only occasionally catches a credit card number.

Re:

[dudpixel]

I wonder if there is room for google to host a 2nd app store that is vetted, thereby having the best of both worlds.

Or better, they should have a certification system for apps, so that apps market with the tick of approval are guaranteed "safe" by google.

Re:

[dudpixel]

?? why?

The people who want to click "OK" to anything would welcome a vetted app store as it would appear safer, and no doubt would be marketed as such.

Using the argument that such people would prefer an iphone amounts to the same thing...if they would choose iphone for app safety, then they would also choose a "safe" app store if one were available.

Re:Wouldn't you have to be root for this to work?

[ColdWetDog]

If we can teach people to steer a heavy metal vehicle down a highway at speed we can certainly teach them to understand how software trust works.

We're doomed.

Okay we use it to fund the bat-gear this once...

[aapold]

But once we stop the Joker, you have to destroy this app or I, Morgan Freeman, will not be in the next movie.

Can't make smarter users...

[kellyb9]

... so you better start making smarter phones and more rigorous guidelines for app store approval. Problem solved.

Re:

[Ginger Unicorn]

Or perhaps give you the choice to opt between using a secure app store or installing what you like, thus solving your false dichotomy.

Re:

[BasilBrush]

Or perhaps give you the choice to opt between using a secure app store or installing what you like, thus solving your false dichotomy.

Without smart users, that's still adangerous option. So no, it wasn't a false dichotomy.

Re:

[Anonymous Coward]

Well I'm unsure whether Apple actually check for covert malware (or the extent to which they check), the cost to them to do so would be prohibitive, and I'll bet if you read the terms and conditions of the App store you'll find wording to the effect that they're not responsible if malware does get through, but to suggest that the Android Marketplace lets people post anything they want is a little misleading. There's still a process by which harmful content can be removed, and Google have not been shy about

Re:

[Tharsman]

Things that Apple consider can intrude user privacy are either not allowed to be done at all or request user permission every time they are going to execute. Location requests must be re-approved every day and things like call recording are just not allowed.

During approval, Apple does check for calls to APIs that can access these services, and rejects the application if it finds any. Thats the reason for their "No Use of Non-Public APIs" restriction. This is no manual review, they have automated processes

Re:

[I8TheWorm]

Even then, we've seen with the Apple app store that the system in place to check apps isn't very good. With the number of submittals they would need an army of people to vet the apps properly anyway.

Google has a more lax approach with their store, but the net result is the same... some bad apples get through the process and onto people's phones.

The good news is the dev registration process requires you put up some $$ with a credit card which gives Apple/Google/RIM/MS at least a small chance of tracking the

Re:

[I8TheWorm]

And this comment lacks sarcasm detection.

Re:

[ColdWetDog]

And this comment lacks sarcasm detection.

There should be an app for that.

Re:

[kellyb9]

Yeah, I guess it'll be exactly like the app store without all the blatant censorship of "distasteful content". If you want to download malware, go outside android's official app store... I suppose its nice being able to decide.

Triple Android dis...

[Rob Kaper]

Three articles in a row casting doubt on Android in one way or the other... really, Rob?

They have now cast doubt thrice!

[aapold]

THRICE!

Re:

[Anonymous Coward]

Yes, clearly Android must be above all criticism.

Back in real life, Slashdot is about page views, not some juvenile war against the "bad guys".

Re:

[socz]

So for the last world cup, I made for the teams we were rooting for (here in the office) Android banners! It took about a day to figure out what I was doing, but after that it went well. At first I just used backgrounds to match the colors and text for the slogan. But then I found it better/easier to use a graphic. So when our teams were playing we'd open the program and display our support on our android phones. +1 for Android!

Other applications

[kellyb9]

This is just one practical application. *Puts on tin foil hat* What about a comparable government system mining for certain terrorism related keywords? I can think of 100's of more dangerous applications to this type of software, and I don’t even have to be the person who has it installed. I find that particularly frightening.

Re:

[delinear]

Why would the government go to the cost and effort of trying to get a few people to install this on their phones when they are almost certainly already listening to everyone's calls at the exchange.

Re:

[kellyb9]

Who says I meant our government?

Re:

[cpghost]

What about a comparable government system mining for certain terrorism related keywords?

Governments don't need it: they already tap the backbones... But look at it the other way: how about an app that would listen on Gov't employees, and relay everything to sites like WikiLeaks et. al?

Soundminder Trojan once installed

[doperative]

"A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers -- typed or spoken -- and relaying them back to the application's creator. Once installed, Soundminder sits in the background"

How does this 'trojan' get onto the handsets in th first place?

Re:

[The Moof]

The same way other malware gets distributed - offer some trivial software with this bundled into it. Users have a tendency to blindly give permissions without caring just to get dialogs out of their face.

Complain about Apples 'closed' ethos all you want,

[tonywestonuk]

But... this type of hack will never get into the wild on the iPhone.... ..or, if it was ever missed by their app vetting procedure, Apple could remotely shut it down anyhow.

Remind me not to get an Android phone, if this is the type of stuff hackers are going to be distributing soon.

--
Possessed - my first Facebook game. Come play!. [facebook.com]

Re:

[Klync]

Article: "People have been known to cut themselves when using these really sharp knives. Maybe they should have additional safety features."

You: "Yeah, but those knives wouldn't even get through the door of the prison I live in. Why doesn't everybody just live in a prison like me?"

Re:

[tonywestonuk]

The thing about a sharp knife, it looks like a sharp knife...

The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.

--

Possessed - my first Facebook game. Come play! [facebook.com]

Re:

[AK Marc]

Reminds me of Happy99. That was the first I remember running into a working program that did what it said it would do that was also a virus (well, we didn't call them viruses at the time, but they do now). Well, aside from keygens and such that people were already wary of.

Re:

[jgtg32a]

Actually a sharp knife is a safe knife, most knife injuries are from having a dull knife slip.

Re:

[SCHecklerX]

Only a threat if you are dumb enough to install it in the first place. Dumb users == owned equipment. That's always been the case. No technology is going to fix stupid behavior. This is why antivirus is useless. If antivirus is detecting things, then IT'S ALREADY TOO LATE! We want to PREVENT the infection, and proper hygiene and common sense in synergy with proper technological controls is the only way that is going to happen.

Re:

[jisatsusha]

You are aware that Android has a kill switch too, right?

Re:

[I8TheWorm]

Never. I agree. Apple has enough employees and technology to thoroughly check [iphonehacks.com] apps it allows into the app store.

And wouldn't it be cool if Google had built in an app kill switch [readwriteweb.com] like Apple did?

You are hereby reminded not to get an Android phone if you lack the ability to do simple web searches.

Re:

[BasilBrush]

That an app store can't catch every malicious app before approval doesn't mean it isn't useful to catch most.

And the Android kill switch is only for apps downloaded off Google's own marketplace. Android fans here often praise the openness of being able to install apps from anywhere. But that also means that security wise, they're fucked.

cell scanners?

[Culture20]

Aren't there still cell-phone scanners? Why would anyone enter a CC number via cell phone if anyone within cell range could be listening in or recording CC info?

Re:

[karnal]

I never used to think anything at all about giving my CC # and info over the phone. Nowadays, I'm dealing in cash for phone transactions or not at all.

Over the holidays, "famous chain pizza maker" got a call from me to order some pizza and drinks. Ten days later, my account was put on hold for fraud watch... because someone was ringing up all sorts of transactions with my card. At other pizza places. While I see the irony in this, the amounts were staggering. $30+ at same "famous chain pizza maker" (I

O_EXCL Microphone.

[codegen]

So why isn't access to the microphone mutually exclusive? If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time. I can understand having the the OS accessibility routines having concurrent access with an app, but when you are on an actual voice connection, that should probably be exclusive access. Similarly, applications like skype should also be able to request exclusive access to the microphone.

Re:

[OverlordQ]

If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time.

But how else can you get the completely awesome t-pain autotune app!

Re:

[I8TheWorm]

Since I use my personal smartphone for business, I do like to record calls from time to time. An exclusive lock on the mic would prevent that.

Other folks like voice changers, background noise apps, etc...

Proposed solution: secure call mode

[Klync]

Perhaps one solution to consider would be the ability to put the device into a state where nothing but the phone is running - i.e. all other apps are just blocked until the call is released. Alternatively, the phone data in / out could be sandboxed from the rest of the OS. This would be a special mode since there are legitimate uses for this (tone dialing, call recording, etc.), but should be available to switch on when needed (or take the reverse approach and have it on by default, switched off when desired).

I'm not sure if the Android API would allow building an app for this, or if something at a lower-level would be required.... Anyway, feel free to implement this and send me the royalty cheques if you can. Just google for my banking info.

Should have two Android Marketplaces

[unimacs]

I don't own an Android phone so I may not be the best person to comment but it seems to me they need two Marketplaces, - or at least 2 separate areas. One area would contain apps that have gone through some testing and approval process and another that's just wide open, - all bets are off. Probably wouldn't prevent people from blaming the phone if their CC number gets stolen but at least people would know that there's an identifiable subset of apps that are malware free.

Re:

[I8TheWorm]

From Google's point of view that's exactly what Android users have. The Google Marketplace where apps are vetted, and the other app stores where they may or may not be.

Re:

[I8TheWorm]

I would say as clear as it can be. It's the only one that ships with all Android phones natively.

But as far as clear to users goes, you have to remember, these are the same people that will click on .exe links in emails from people they don't know because of the promise of hilarious puppies or flashing lights.

Re:

[asdf7890]

Assuming it is the same on other Android versions as it is on my phone (a Motorola running 2.1, though if they don't put out an upgrade at some point and they keep up their locking so I can upgrade later by other means, I'll buy from another manufacturer next time) then yes it is quite clear, at least first time you install a non-marketplace app.

You can't install an app from a source other than Marketplace from a default install. First time you try it explains and takes you to the options screen where you

WAN TOO FREE

[neon-fx]

Once again being unintelligibly Scottish comes in useful.

of course...

[MickyTheIdiot]

...Android is vulnerable because it's open source [electronista.com], or so sayth the idiot CEO of Trend Micro...

Mitigation is simple, but ignored

[jeffmeden]

In the team's research paper (PDF), they suggest a defence mechanism against Soundminer: an intermediary layer that analyses input from the microphone before passing it to an application, able to detect credit card numbers and prevent their transmission to Soundminer-like Trojans.

This is possible, but why not take it one step farther (and simpler) and just make an event handler that lets you know what is going on when. These apps all work WITHIN the security construct of the Android OS. They don't even have to exploit code defects or undermine system permissions for this to work; they ask the user if the app is allowed to record (possibly during phone calls) and if its also allowed to send data (possibly right after a phone call). The user doesn't put two and two together, allows the activity and doesn't give it a second thought.

Interlude: This isn't a problem just with "ok-mashing lusers" who blindly accept permissions on anything that comes along. You might want an app with the ability to record voice calls (for security, quality assurance, etc.) and you might want that app to also be able to send data to the internet so it can upload the audio, or something similarly useful. What even the smartest of the smart users don't have any visibility over is the actual source code of all of these apps, to make sure that the app is *only* doing what you want it to. Even astute users, who do everything right except for misplacing their trust in the app developer, can fall for this attack.

Solution: Introduce an event handling feature that can be set up to notify users of possibly malicious activity. If you are paranoid, you will check all the boxes off and be notified when "a third party app is recording while the phone is active", "a third party app is backgrounded and sending data to an internet service and is not on the whitelist", etc. etc. etc. This way you can tell if some random app you didnt even think you were using at the time happened to get ahold of some data you didnt want it to have, and sent it off to a collection server. Is it going to stop the activity? No. Is it going to give the average user who pays attention to their phone but doesn't have the time/wherewithal to do code audits on every app they have installed? YES.

Android security works

[brunes69]

Once installed, Soundminder sits in the background and waits for a call to be placed -- hence the access to the 'Phone calls' category....

Er, perhaps this is why you should not be giving random applications access to your phone calls. There is a reason the android security system prompts you for this stuff.

Re:

[Tubal-Cain]

When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.

Re:

[Wannabe Code Monkey]

When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.

I believe I just activated a credit card recently and I think they only ask for a portion of the credit card digits, last four digits or something. And then also maybe the last four digits of my social security number. The credit card company only has so many cards out for activation at any one time, so they don't need all the digits to know which card it is.

There's a 1 in a 100million chance that someone has the same last four digits on their credit card as I do AND the same last four digits of their socia

Re:

[Tubal-Cain]

They asked me for the full card number, but no social.

Re:

[krazytekn0]

Your credit card company has your phone number on file, if you call from that number they generally won't ask for the credit card number or the full number, if you call from a different phone then they will ask for more info. That's why the little stickers say to call from your "home phone" or did in the past few years.

Re:

[jeffmeden]

That's not how they avoided collision. Banks have fully integrated CID data into their AVR systems for a long time now. You called in with the phone registered to that account, they immediately knew the card number that was up for activation but had you confirm it regardless. Likewise, for a bit more security they had you confirm part of your SSN. This is all well and good, until the registered number associated with your account is a cellphone with compromised software that can relay a call from an att

Re:

[Jahava]

Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.

I suspect they're talking about strings of touch-tone numbers that are dialed during a phone call. If the string is long enough, an application can infer that it's a credit card number.

This happens all the time with over-the-phone payment systems. True, many of these systems are being supplanted by online payment methods, but many niche services (debt collection, carry-out order, etc.) still use smaller automated phone-based systems.

Re:

[gorzek]

There's no reason this can't be done for spoken numbers, either. Android's built-in voice recognition system could easily be used to monitor whether you've just uttered a string of numbers.

Re:

[Anonymous Coward]

TFS says "typed or spoken", are you guys reading it?

Re:

[GungaDan]

Every time I receive a replacement for an expired credit card I have to phone in to activate it. First thing asked for? Card number.

Are there credit cards that do not require a call to activate?

Re:

[cmiller173]

I have had a few that use the caller ID of the phone I'm calling from first. If I call from the home phone the CC company has on file (yeah I still have a landline) it just replied with "your new card is activated".

Re:

[Lumpy]

Yes. My last 3 were online activation.

I went to the website printed on the card, entered the last 4 digits and followed the prompts. No phone call required.

Plus the BS of "you must call from our home phone" is a crock. I do it from random phones and it works fine.

Re:How many people will this actually affect?

[joebok]

Article and summary say "typed or spoken" - so it is not simply looking for a sequence of tones - which broadens the impact significantly even from official over-the-phone payment systems.

Still, the fact that CC companies have to eat fraudulent transactions over $50 means that even if this were in the wild, it probably would not have major impact. CC companies are pretty good at detecting fraud. Debit cards/banks, however, are not held to the same standard - highly recommend never, ever, using a debit card under any circumstances regardless of this kind of exploit.

Re:How many people will this actually affect?

[cmiller173]

That $50 limit was extended to debit cards some time ago

"That $50 liability limit also applies to ATM and debit cards, though holders of these cards might be liable for up to $500 if they fail to report the card's disappearance within two business days after they learn of the loss or theft of the card. (Debit and ATM card owners can be held responsible for all losses if they fail to report the theft within 60 days of when a bank statement showing unauthorized charges is mailed.) " -- http://www.scambusters.org/creditcard3.html [scambusters.org]

Re:

[tgd]

Debit cards/banks, however, are not held to the same standard

Correct, most are capped at $0 liability.

Re:

[OzPeter]

Do people actually still give credit card numbers over the phone?

When I pay my CC I can call up the companies automated phone line to authorise a transfer from a known bank account. In doing so they want me to give them the CC number. So thats another reason you could give your CC number over the phone.

Re:

[gurps_npc]

Never had to call the credit card company to dispute a bill? They ask for the credit card #. I also guess you don't use a good reward program. I like my reward program (1% cash - same as all the rest - except they put the cash reward directly into a savings account one month after you pay the bill as opposed to year end.) Because if you have a reward program you like, you tend to use it for everything - even buying pizza on the phone.

Re:

[Lumpy]

Do you pay 100% of your balance every month BEFORE the grace period? if not then your 1% cash back is worthless.

IT's dumb to pay 18% interest on something so you can get 1% back.

Re:How many people will this actually affect?

[TheRaven64]

I'm pretty sure everyone likely to read your post already knew that. I have my credit card set up to be paid by direct debit automatically, so 14 days after the end of the billing period (i.e. before they would start charging interest) they take the money. Because it's Direct Debit, it's covered by the Direct Debit guarantee, so my bank can reverse it for me easily. They send me an email each month to remind me to check the bill online (they don't send paper ones).

In effect, I have something that functions like a debit card, but for which I get 1% back and between 14 and 45 days of interest-free loan on every purchase. Since I have an offset mortgage, the money on every purchase I make on my credit card sits in my current account for 14-45 days after I've spent it, reducing the interest that I pay on my mortgage (this saves less than the price of a pint of beer each month, but it's still nice to have for no effort).

Re:

[h4rr4r]

Yes, yes I do. It is my grownup way of sticking it to the man. Also I would pay now where near 18% on any CC I hold.

Re:

[Skater]

I do it frequently. Some places I deal with (campgrounds, mostly) do not have online ordering or whatever.

Re:

[BagOBones]

- Credit card activation
- Bill payment by credit card or first time set-up of automatic payments
- Checking your credit card balance
- Calling in to dispute a charge
- Calling in to find out why a card has been declined (happens to me often when on vacation due to over sensitive fraud protection)
- Calling in to get a lost or stolen card replaced
- Ordering take-out or delivery

Re:

[I8TheWorm]

Not to worry, I gave your credit card number over the phone just last week!

Re:

[MikeDirnt69]

It works on Android. Next question?

People don't expect their phone to be tapped

[perpenso]

different than a Mac/PC keylogger how?

While people are somewhat open to the idea of their computer getting a virus they don't expect their phones to be tapped by thieves. Its a legacy of the analog world, many consider voice to be more secure than submitting a web-based form.

Re:

[h4rr4r]

More secure?

You can tap an analog phone line with stuff you find a radio shack.

Re:

[perpenso]

More secure?

You can tap an analog phone line with stuff you find a radio shack.

Who said "more secure"? I said that people don't expect to have their voice tapped as a legacy of the analog world. Your radio shack parts still have to have one person actively research and target another specific person's analog line. In other words physical activity must be conducted by a person. Most people don't think they are interesting enough to warrant such effort and rightly so.

The difference with digital devices is that there is the opportunity to "tap" (typing on computer, voice on cell phone

Meant "is secure" not "more secure"

[perpenso]

Oops, I meant to type "Who said 'is secure'" not "Who said 'more secure'". I accidentally repeated the parent's phrase. Ie., no one said analog is secure. Just that the physical effort of an analog tap makes it more secure than the automation of a digital tap.

Re:

[delinear]

Or maybe every Tom, Dick and Harry want-to-be hacker already knew about this (it's hardly a great leap from a voice recognition-enabled phone to scanning calls for important information) and these guys have brought it to the public's attention by publishing this.

Re:

[magus_melchior]

To be honest, I'm pretty sure Google can pull trojans off its Market. The victim would have to be stupid enough to (a) download an app from an untrusted source, and (b) click through the "This app has access to this stuff" warning without reading it.

In other words, it's not much more different than PCs.

Re:

[I8TheWorm]

Fanboi much?