by Sreyanth 2799 days ago
I don't completely understand how they do this without exposing the DTMF tones / digits pressed to the carriers.

For example, when I key in my card number, my phone carrier will know it, the routing carriers know it before it reaches Twilio. How is my card information safe? I guess I'm missing something here.


PCI doesn't currently consider telephones to be public networks. That's why they are okay with fax machines sending CC details, provided they are in a secure area and a few other non tech requirements. Not sure I agree with the practice, but it is what it is.
Never knew that. I assumed VoIP-based telephony comes under PCI's view.
DTMF is being pulled out of band by Twilio (or more likely the underlying CLECs they partner with), thus the agent should not hear it. This is very common for most VoIP carriers; DTMF is carried in the signaling messages rather than in-band in the audio stream. The only person being protected from having access to your card data is the agent who asked you to key in your card.
I know they do pull it out to a separate band but many VoIP providers log the DTMF sent as digits to debug things - most evident in IVR use cases.

So, if attackers want to get card details, they need not attack the business or Twilio (because it might redact these when it sees <Pay>); they can simply access the logs of the middlemen for DTMFs. Concatenate all those per call, and there we should have all the card numbers, expiry dates and CVC/4DBC.

Not sure how Twilio is doing it though. Unless they use some awesome encryption method to encrypt all these numbers so no one in middle can see them.

Not really sure how these things work so this is an honest question:

Why would they be receiving the tones once the connection is made? Isn't it the same as me just whistling at particular frequencies? I didn't think it was sent in a different manner.

Or do you mean it goes through the carrier just like if you spoke your card number over the phone to someone?

AFAIK, there are two ways in which the tones can be sent.

1. In the regular audio stream (AKA in-band), so anyone who can listen to the phone call can also listen to these tones. These tones can be mapped to the digits pressed.

2. In a separate RTP payload (AKA out-of-band) so not everyone can read / listen to this stream of signals / tones. RFC 4733 (earlier it was RFC 2833) specifies the format of this RTP payload. This is what the payment via phone systems might be using.

There is a secure RTP with encryption support, but I am not sure if it can be implemented end-to-end to avoid anyone in the middle (not a man-in-the-middle attacker, but a genuine carrier / network) seeing these DTMFs. Just unable to imagine how this works :)
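To make the "out-of-band" point above concrete, here is an added example (not code from Twilio, any carrier, or anyone in this thread) that builds and parses RFC 4733 telephone-event RTP packets and reconstructs the keyed digits from the stream. It assumes payload type 101 for telephone-event (the value is dynamic and negotiated in SDP, so a real capture may use another number in 96..127) and a constructed packet train rather than a real capture. The takeaway it demonstrates: an RFC 4733 payload is just a small plaintext struct inside RTP, so any party that handles the media path (a transit carrier, a session border controller, or a provider keeping debug pcaps) can read the digits as easily as the receiving endpoint; only SRTP would hide them, and SRTP is terminated at every media hop that re-originates the stream.

```python
"""RFC 4733 (ex-RFC 2833) telephone-event handling: what any party holding the RTP
stream can recover. Added example; packet contents are constructed, not captured."""
import struct

# Event codes from RFC 4733 section 3.2 for the DTMF keys.
DTMF_EVENTS = {i: str(i) for i in range(10)}
DTMF_EVENTS.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})

# Assumption: payload type negotiated in SDP for telephone-event (dynamic; 101 is common).
TELEPHONE_EVENT_PT = 101
SAMPLES_PER_PACKET = 160  # 20 ms at 8 kHz


def build_rtp_packet(seq, timestamp, ssrc, payload, pt, marker=False):
    """Minimal RTP header (RFC 3550): V=2, no padding, no extension, no CSRC list."""
    b0 = 0x80
    b1 = (0x80 if marker else 0x00) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def build_event_payload(event, duration, end=False, volume=10):
    """RFC 4733 section 2.3 payload: event | E R volume(6) | duration (16 bit)."""
    return struct.pack("!BBH", event, (0x80 if end else 0x00) | (volume & 0x3F), duration)


def parse_rtp(packet):
    """Parse an RTP header; return (marker, pt, seq, timestamp, ssrc, payload)."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)                 # skip CSRC identifiers
    if b0 & 0x10:                                  # header extension present
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                      # padding: last byte holds pad length
        payload = payload[:-payload[-1]]
    return bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, payload


def extract_dtmf(packets, event_pt=TELEPHONE_EVENT_PT):
    """Reconstruct the keyed digits from RTP packets in arrival order.

    RFC 4733 keeps the RTP timestamp fixed for every packet belonging to one event
    and repeats the final (E=1) packet, so (SSRC, timestamp) identifies one keypress
    regardless of how many update or end packets were sent for it.
    """
    seen = set()
    digits = []
    for pkt in packets:
        _, pt, _, ts, ssrc, payload = parse_rtp(pkt)
        if pt != event_pt or len(payload) < 4:
            continue                               # audio or other payload: ignore
        if (ssrc, ts) in seen:
            continue                               # update / retransmitted end packet
        seen.add((ssrc, ts))
        digits.append(DTMF_EVENTS.get(payload[0], "?"))
    return "".join(digits)


def simulate_keypad(digits, ssrc=0x1234ABCD, start_seq=1000, start_ts=0):
    """Emit the packet train a typical RFC 4733 sender produces for each key: a marked
    first packet, updates with growing duration, the end packet sent three times, then
    one PCMU (PT 0) silence packet so audio is interleaved with events."""
    key_to_event = {v: k for k, v in DTMF_EVENTS.items()}
    packets, seq, ts = [], start_seq, start_ts
    for d in digits:
        ev = key_to_event[d]
        for i in range(4):                         # 4 x 20 ms = 80 ms of tone
            body = build_event_payload(ev, SAMPLES_PER_PACKET * (i + 1))
            packets.append(build_rtp_packet(seq, ts, ssrc, body, TELEPHONE_EVENT_PT, marker=(i == 0)))
            seq += 1
        for _ in range(3):                         # end packet, retransmitted for robustness
            body = build_event_payload(ev, SAMPLES_PER_PACKET * 4, end=True)
            packets.append(build_rtp_packet(seq, ts, ssrc, body, TELEPHONE_EVENT_PT))
            seq += 1
        ts += SAMPLES_PER_PACKET * 4
        packets.append(build_rtp_packet(seq, ts, ssrc, b"\xff" * SAMPLES_PER_PACKET, 0))
        seq += 1
        ts += SAMPLES_PER_PACKET
    return packets


if __name__ == "__main__":
    # Constructed test card number, not a real account.
    train = simulate_keypad("4111111111111111#")
    print(len(train), "packets ->", extract_dtmf(train))
```

Run it and the constructed 17-key entry comes back verbatim from 136 packets, audio packets ignored. Nothing here is decrypted or guessed; the digits sit in the first payload byte of each event packet. That is why "out-of-band" in the RFC 4733 sense protects against the human agent hearing tones, not against anyone who can see the RTP packets or a provider's DTMF debug log.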