Slashdot Mirror


Clever Caller ID Tricks With VoIP

An anonymous reader writes "securityfocus.com has an interesting article collecting some clever exploits for VoIP. According to the article, using 'the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider' can be used to fool caller id, and even get caller numbers that are supposed to be private."

8 of 259 comments (clear)

  1. Freaks! by krumms · · Score: 5, Insightful

    Return of the phreak? :P

  2. Countdown by UberOogie · · Score: 3, Insightful

    ... until this is used in another "Open Source is evil" argument by MS, the government, the phone company, or all of the above in 5, 4, 3...

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
  3. Gone Phishing by Mz6 · · Score: 4, Insightful
    "Callers with life-or-death anonymity concerns might consider spoofing just to get a little privacy. For now, Lucky says pranks among friends are the most common use that he's seen of VoIP spoofing, but he believes that identity thieves and other swindlers could have a field day. "I've used it myself to activate my own credit cards, because I never give credit card companies my real number," he says. "One simple spoof, and it's like saying, if you have the guy's phone number, that piece of information is more important than his mother's maiden name and date of birth. If you have the phone number, you don't need anything else."

    Well this is nice. Once again the social engineering tricks will creep up on most once again. However, who's really that stupid to be giving away all of their personal info over the telephone anyway? Does this mean that it's going to start being like the phishing scams now?

    --
    Hmmm.
    1. Re:Gone Phishing by LostCluster · · Score: 5, Insightful

      Who's really that stupid? Big business.

      Call-centers are using the CPN data as an authentication method to recognize customers. Call from somebody else's phone, or in this case appear to be doing so, and instantly that person's account will open on the operator's screen.

      Banks and credit card companies seem to be smart enough to know that they have to ask some other challenge question to make themselves confident enough that they have the right person before discussing anything sensitve... but it just take one merchant willing to charge to an account and ship merchandise based on the the phone data alone and suddenly there's a way to get a charge onto somebody's credit account without even knowing their card number.

      It's a matter of "trust", and a formerly trustworthy system no not so much.

  4. Is this a surprise? by insensitive_clod · · Score: 5, Insightful

    Is this a surprise? From the article, it says that the calling party number is always sent, and there's just a flag set saying "don't look here." If you tell someone they can't or shouldn't do something... that's the best way to insure that they will.

  5. Re:Err... so what? by bhmit1 · · Score: 4, Insightful

    This isn't new. You can do exactly the same thing with a PABX with ISDN ports.

    Read the article. The interesting part isn't that this is some new feature. The interesting part is that you don't have to go out and get a lot of expensive telephone equipment to intercept blocked numbers and impersonate someone else's number.

    And, as was said before, the biggest fear this creates is that someone will start grabbing the ready-to-activate credit cards out of the mail, look up the persons name in a phone book, program their voip with that persons number, and activate that card. And this is only a problem because credit card companies trust that Joe Shmoe was really him when he called from his home number.

  6. Re:Useful part by hackstraw · · Score: 4, Insightful

    You know those idiots (read: bill collectors) who call with "OUT OF AREA" tags on their Caller ID data? Yeah. I wonder if you can reset those to figure out who those are. The possibilities are good here. =^_^=

    First, its much less stressful to just pay your bills.

    Also, I dispise the fact that there can be either "OUT OF AREA", or "Unavailable", or the worst, "Private Name/Private Number". The only reason I answer these on my phone, is because I do sometimes get legitimate business call from people hiding behind these things. I do not answer politely, and I'm ready to start bitching at someone.

    I am required to have a license plate on my car, I have to show ID to do most anything. I certainly would never walk into a store or bank disguising my face, why is this acceptable with a phone call?

  7. Stupid quote by Aumaden · · Score: 3, Insightful
    "A worse case scenario is if you have a blocked number, and you're a victim of stalking, and you're duped into calling a number the stalker set up that was routed through a VoIP line," says Jordana Beebe of the San Diego-based Privacy Right's Clearinghouse. "It could put their life in danger."

    This is so over the top.

    You have a stalker who knows enough about you and/or has enough access to you to trick you into calling this number that allows them to get your phone number. And that endangers your life? I could see it opening the way to harassing phone calls, but endangering your life?

    Isn't the real problem that you have a stalker in the first place?