It is routine for companies to collect confidential information over the phone (eg, social security numbers to verify accounts, credit card numbers to make purchases, etc). With the prevalence of mobile phones, how secure are communications using a typical phone company (eg, t-mobile, verizon, sprint), to connect to a landline?
While there are a number of encrypted smartphone apps that individuals can use to communicate, the major companies are not using them.
It depends on what your threat model looks like.
For most people, saying your card number or SSN last four over the phone is fine, because it still requires a lot of dedication, at least a few thousand USD of equipment, and maybe a zero-day to eavesdrop on an LTE call. You're more likely to have your identity stolen by the customer support rep on the other end than by someone tapping your phone.
If you are in a position where your adversaries are government spying agencies, you should use an end-to-end encrypted system to discuss confidential information. This is because you're defending against a group of smart, motivated, and well funded people. Examples include: you work in the White House / Capitol Hill, you are the CEO of a company with sought-after trade secrets, ...
I wish I hard data but I do not.
LTE is actually pretty secure from the Client to the Access points. SIP is utilized heavily and like all software there is risk. Debugging tools that are built into specific systems are a bad place for eavesdropping. IOS does a good job of sand boxing. However, Android is another story. I think there are other issue other than just voice coms that might be a little higher priority such as video apps.
I think eavesdropping in generally harder on mobile assets for an active call and the device is not set in developer mode. Also deep linking and utilizing multiple means of targeting you to get data might be a bigger issue with you consenting to the attack. Like sending a link to download an application that does more than what you think.
However, there are a couple of other items to think about. About the call itself.
Captain Obvious:
Here is my general risk rating for these things:
Low: You calling someone you know on a publish and well known number. Low: You calling someone based on a number from a website. Med: Someone calling you after a online transaction. High: Someone calling you and asking you to check an email and click on link. High: Someone calling you out of the blue.
First never give out information to someone who called you. If someone called you from your bank then they will never ask for information that is sensitive. If they do say you will call the main number of the bank and ask for the department.
Also context is important. If someone calls you from a store that you just order something from and they claim the card did not go through; Chances are low-med. However, you card could have when through and the site was actually comprised and they just want to get more data from you.
Conext is important, but so is the initiation of conversation.
Also, I can see emails being sent that also initiate calls or visiting a website that has an embedded number. I put these on the high suspect.
