Slashdot Mirror


Internet Phones & Identity Theft

flaws writes "A CNN story details how phishers are using Internet Phones to expand their identity theft endeavors. The article demonstrates the use of caller-id spoofing to companies such as Western Union to thwart their verification system and successfully launder money. Western Union commented on the situation, stating that at this time it's the only way they know how to authenticate the call. The Anti-Phishing Working Group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone."

9 of 98 comments

  1. Secure Method of Verification by Anonymous Coward · · Score: 3, Informative

    If your bank, investment firm, or other institution calls you on the phone to ask you for any information, all you have to do is ask for a number where you may call them back. Sure, it is possible to hack into a trunk and redirect calls, but that takes a huge amount of effort relative to just phishing. It shouldn't be too hard to verify that number x belongs to institution Y. With a callback number, even if you get scammed, it gives the police something to go on.

    1. Re:Secure Method of Verification by YrWrstNtmr · · Score: 2, Informative
      I've always wondered why Google doesn't have a phonebook search, type in a name and get 3000 phone numbers, type in a phone number and get one name.

      They do. Exactly as you describe. Input a phone number, and get a name and address. It is trivial, however, to remove yourself from this 'service'.

  2. Re:Does this affect ANI? by jcocomo · · Score: 2, Informative

    I don't know of any VoIP solutions that will defeat ANI out-of-the-box, but in theory it wouldn't be that hard to mod a VoIP phone to do so.

    ANI is hard to crack on a traditional phone network because it is out-of-band. The user never has any access to it or to the switching information. In a VoIP system, the important letters are "IP." It doesn't take a genius to dissect the IP packets which are carrying both the conversation and the switching data and then recomboobelate the switching data as he sees fit. Ergo, yes, in the grand scheme of things it does affect ANI.

  3. Re:Does this affect ANI? by quetzalc0atl · · Score: 2, Informative

    yes and no - ANI can in fact be spoofed.

    Some of the loopholes have been closed, but in essence the technique used was "op diverting" - being redirected from the TSPS console (usually by claiming to be a disabled user) to an 800 number of an outside network. Once being redirected, depending upon the network being switched to, the ANI information would be obliterated and an operator would pop on and ask for your phone number. Any number could be made up, but as a matter of policy, the op won't call a POTS line..

    There were ways around this that were discovered, which I will not elaborate on since that would probably lead to its abuse, where one COULD in fact complete a call to another POTS line with a completely spoofed ANI (and with no charges, for that matter).

    this is all using the PSTN...I would imagine that under VOIP the situation is even worse...

  4. Re:Poorly designed/implemented standards by Tony+Hoyle · · Score: 3, Informative

    It's not about VOIP specifically.. this kind of vulnerability has existed for years on the public network. Pretty much anyone with an ISDN PRI can specify their own caller ID... the difference is it's cheaper to do it now.

    Anyone relying on caller ID for security is naive and stupid.

  5. Re:ANI by Anonymous Coward · · Score: 1, Informative

    Yeah, you can get a service like this from AT&T. They'll send all of the useful info that's available via ISUP in an encapsulated Q.931 message. You need to be prepared to pay handsomely, though.

  6. Anyone by Exter-C · · Score: 2, Informative

    Anyone that is stupid enough to give anyone any details about themselves when they are called almost deserves to have their identity or information stolen and used against them. I remember when I got an account with my bank that had a PIN number on my card when I was about 12 (15 years ago).. back then the bank said they would NEVER call me to ask for my details. So what is new?... or is it that people don't listen to the paper/information sheets that are given to you with your account?...

    If anyone ever rings me and asks for any personal details I just tell them to get stuffed.. Or if it sounds legit I'll request to ring them back on a number that I have for them. It's not that hard to stay safe from bank fraud.

  7. Re:ANI by jmcharry · · Score: 2, Informative

    Last I knew, and I am a few years out of date, there was only one calling number field in a PRI, and it was populated with CLID, if available, with only a fallback to ANI. This could be tested by making an anonymous call and seeing if the privacy bit is set.
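Added example, not part of any comment in the thread: a decoder for the Q.931 Calling Party Number information element that a PRI delivers, showing where the presentation ("privacy") bits sit and how a receiving system can tell a caller-supplied number from a network-supplied one. The screening indicator is a Q.931 field the thread does not mention; the sample bytes, phone number and function names are constructed for illustration.

```python
# Added example: decode a Q.931 Calling Party Number IE (identifier 0x6C).
PRESENTATION = {0: "allowed", 1: "restricted", 2: "not available", 3: "reserved"}
SCREENING = {
    0: "user-provided, not screened",
    1: "user-provided, verified and passed",
    2: "user-provided, verified and failed",
    3: "network-provided",
}

def parse_calling_party_number(ie: bytes) -> dict:
    """Return the decoded fields of one Calling Party Number IE."""
    if len(ie) < 3 or ie[0] != 0x6C:
        raise ValueError("not a Calling Party Number IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated IE")
    octet3 = body[0]
    cpn = {
        "type_of_number": (octet3 >> 4) & 0x07,
        "numbering_plan": octet3 & 0x0F,
        # Defaults assumed when octet 3a is omitted.
        "presentation": PRESENTATION[0],
        "screening": SCREENING[0],
    }
    digits_at = 1
    if not octet3 & 0x80:            # extension bit clear: octet 3a follows
        if length < 2:
            raise ValueError("octet 3a missing")
        octet3a = body[1]
        cpn["presentation"] = PRESENTATION[(octet3a >> 5) & 0x03]
        cpn["screening"] = SCREENING[octet3a & 0x03]
        digits_at = 2
    cpn["digits"] = bytes(b & 0x7F for b in body[digits_at:]).decode("ascii")
    return cpn

def number_is_self_asserted(cpn: dict) -> bool:
    """True when the number came from the calling equipment unverified."""
    return cpn["screening"] in (SCREENING[0], SCREENING[2])

# Constructed samples: same digits, different presentation/screening bits.
SAMPLE_UNSCREENED = bytes([0x6C, 0x0C, 0x21, 0x80]) + b"4155550100"
SAMPLE_NETWORK_RESTRICTED = bytes([0x6C, 0x0C, 0x21, 0xA3]) + b"4155550100"

if __name__ == "__main__":
    for sample in (SAMPLE_UNSCREENED, SAMPLE_NETWORK_RESTRICTED):
        cpn = parse_calling_party_number(sample)
        print(cpn, "self-asserted:", number_is_self_asserted(cpn))
```

A network-provided marking is only as trustworthy as the upstream carrier that set it, so it is a signal for risk scoring rather than proof of who is calling.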

  8. Re:The only way they know? by ebrandsberg · · Score: 2, Informative

    Am I the only one that knows what this is about, as I've **actually** used this service? They do call back to verify you are at the number you say you are calling from, and can compare the number that shows up on caller id. The problem relates to a situation I used to xfer cash last week in fact, while I was in London. I called through my company's VoIP, and used my desk extension which they have on file. They were able to call back, verifying I was in California. I wasn't. This was a legitimate use, as I was just traveling on business, but others can use the same type of systems.