Slashdot Mirror


Internet Phones & Identity Theft

flaws writes "A CNN story details how phishers are using Internet Phones to expand their identity theft endeavors. The article demonstrates the use of caller-id spoofing to companies such as Western Union to thwart their verification system and successfully launder money. Western Union commented on the situation, stating at this time it's the only way they know how to authenticate the call. The Anti-Phishing Working Group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone."

12 of 98 comments

  1. ANI by jpatters · · Score: 2, Interesting

    You can spoof caller ID, but can you spoof ANI? Maybe Western Union needs to get an 800 number or something.

    --
    "Remember, there never were pineapple-almond cookies here."
  2. Does this affect ANI? by bigtallmofo · · Score: 4, Interesting

    I have a block for caller ID on my home phone. I know that when I call a 1-800 number though, they still are easily able to discern what my true phone number is. My understanding is that this is by using Automatic Number Identification - ANI. Does Western Union not use this or do VoIP phones allow you to fake this as well as standard caller ID? If the latter, then I think we have bigger problems than Western Union. Most 911 systems use ANI also. Imagine if knuckleheads could make anonymous calls to 911.

    --
    I'm a big tall mofo.
  3. First rule of the interweb by scenestar · · Score: 1, Interesting

    No one is who he tells you to be.

    Modern forms of communications allow higher levels of anonymity. It should not be this way, but sometimes people have to learn from their mistakes the hard way.

    --
    perpetually dwelling in the -1 pits
  4. The only way they know? by arodland · · Score: 4, Interesting

    Has Western Union never heard of calling the number back?

  5. Sharing Secrets by wheelbarrow · · Score: 4, Interesting

    This is really a matter for public education rather than the heavy hand of the law to solve.

    I'd like to start a consumer movement where each consumer can generate a set of private and public encryption keys. The consumer can publish the public key and it will be used by credit card issuers to issue new credit card numbers to the consumer. Then, only the consumer can decrypt and use those numbers. If consumers use this as the only means of transferring critical personal information then the phishers will be defeated.

  6. Hello PRI, hello fraud by GPLDAN · · Score: 2, Interesting

    I noticed that when setting up a Cisco Call Manager with a PRI, that I could signal out on the SS7 D-channel pretty much any CLID information I wanted. And the phone switch would accept it.

    Phone switch software has to trust certain types of trunk lines. This type of scam was available to PBXs, but the phone companies could trace it to the circuit that introduced the spoof, because they had records of the actual dialed number.

    Same thing needs to happen with Vonage and others. They need to install a digital certificate on the box they send you and the call setup needs to have something like an X.509 signature. The soft switch run by the Vonage-like company maps where the real box came from, doesn't accept any signatures it doesn't know, and records the originating src-ip address. Sudden and frequent changes in src-ip address mean the customer gets a service message in their account asking them to verify. Just like credit card fraud protection.

    And most importantly, the Vonages of the world are held responsible legally for it through legislation.
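
The admission check proposed in comment 6, as an added example that is not part of the thread or any provider's code: the soft switch accepts call setups only from provisioned boxes, records the source address, and flags frequent address changes. An HMAC with a per-device secret stands in for the X.509 signature; the device ids, numbers, thresholds, and the rule binding caller ID to the box's assigned number are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed provisioning records: device id -> (secret, assigned number).
# The per-device secret stands in for the certificate the comment proposes.
PROVISIONED = {
    "box-0001": (b"constructed-secret-1", "+15550100"),
    "box-0002": (b"constructed-secret-2", "+15550101"),
}
WINDOW = 5            # assumed: recent calls examined per device
IP_CHANGE_LIMIT = 2   # assumed: address changes tolerated within WINDOW


def sign_setup(secret, device_id, caller_id, dialed, nonce):
    """Device side: MAC over the call-setup fields (stand-in for a signature)."""
    msg = "|".join((device_id, caller_id, dialed, nonce)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SoftSwitch:
    def __init__(self):
        self.src_ips = defaultdict(lambda: deque(maxlen=WINDOW))
        self.nonces = set()

    def admit(self, setup, src_ip):
        """Return (decision, reason) for one call-setup message."""
        record = PROVISIONED.get(setup["device_id"])
        if record is None:
            return "reject", "unknown device"
        secret, assigned = record
        expected = sign_setup(secret, setup["device_id"], setup["caller_id"],
                              setup["dialed"], setup["nonce"])
        if not hmac.compare_digest(expected, setup["sig"]):
            return "reject", "bad signature"
        if setup["caller_id"] != assigned:
            return "reject", "caller ID not assigned to this device"
        if (setup["device_id"], setup["nonce"]) in self.nonces:
            return "reject", "replayed setup"
        self.nonces.add((setup["device_id"], setup["nonce"]))
        ips = self.src_ips[setup["device_id"]]
        ips.append(src_ip)                      # record originating address
        seq = list(ips)
        changes = sum(a != b for a, b in zip(seq, seq[1:]))
        if changes > IP_CHANGE_LIMIT:
            return "verify", "frequent source-address changes"
        return "accept", "ok"
```

A "verify" decision corresponds to the service message the comment describes; the call itself is authenticated, only the account is flagged.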

  7. Poorly designed/implemented standards by G4from128k · · Score: 2, Interesting

    After all the problems with spoofed emails, you would think that the people that create VOIP standards would specify something more secure. Doesn't anybody learn any lessons?

    Perhaps all standards-setting bodies need a "Red Team" group of people that try to find the holes before the standard is set.

    --
    Two wrongs don't make a right, but three lefts do.
  8. This is nothing. Phishers are getting really bold by gru3hunt3r · · Score: 5, Interesting

    I work for an e-commerce software company that processes several million dollars in sales a month.

    In the past few weeks we've had scam artists targeting our customers offering to do free SEO analysis only to get in and download their customer base.

    They claim to be partners of ours, and they tell the business they need admin access to do the study and they'll give them a free report.

    Of course they get in, as admin, then they download the order history and customer list and start calling the customers saying "we had a problem with your order can you please verify your credit card number ending in [last 4 digits]" and most honest people happily oblige by repeating the valid credit card number over the phone. Then they ask for the CVV/CID #. Yeoch!
    Fortunately a lot of our sales go through Paypal which isn't subject to that sort of phraud.

    I figure a single break in could easily net them 50,000 valid credit cards. Very scary.

    I suspect the calls originate from hacked out IP Phones.

    Here's how we fixed the problem so that our customers could verify the identity of our staff and our legitimate partners:

    http://webdoc.zoovy.com/info/index.php?GOTO=guide/authkey.php

  9. Universal Remote by Doc+Ruby · · Score: 2, Interesting

    Contact lists should include passwords. Smartphones are very well positioned to close all these authentication holes - they can have a single authentication, either password, thumbscan, or other, protecting the whole keyring. If the caller has a smartphone, their phone should get a password - or more likely, a certificate - when they first call. Anyone calling without a certificate, like from a borrowed phone, should get a challenge to enter a password, or leave a voicemail. When any call is made to a person without a certificate, the phone should offer (with a simple "OK"/"Cancel" dialog) the caller to give the recipient a new certificate/password. Make the phones do all the work, with just a simple dialog to OK the issuance of credentials. Let the phones back up to PCs with a single button-push - over the 3G or local - sending only encrypted data to storage.

    If every smartphone did this, we'd expand the P2P web of trust exponentially. ID theft would drop, phone spam would plummet, and more people would buy smartphones. The key is making it extremely easy. And considering the hairy ID system we now wrestle with, there's room in this one for just a little UI and transaction structure to actually make it simpler.

    --
    make install -not war

  10. Re:Back in the days of BBS by gnu-generation-one · · Score: 2, Interesting

    "I remember when the BBS's used to call you back on the number you provided to verify you were giving them the correct number."

    Unlike online banks, BBS operators used to understand security (because they had a real need to as they had constant cracking attempts). Even now, you can recognise the occasional BBS operator with their SSL websites, a web-of-trust that actually works, and a PGP key that has been taken to a keysigning party or two.

    Compare to the banks who are still saying "the verisign certificate proves that we are 100% perfectly safe, secure, and hacker-proof", still using simple passwords and public information (e.g. DoB, mother's maiden name) to verify people.

    I'm guessing the banks have less need for security because if it fails, they can say "you must have given your password out, we're not liable", or "your computer must have been cracked, we're not liable", or "read the contract, we're not liable". Other people's money == no need to secure it.

    How else do you explain that your bank account has less security than your Yahoo or SourceForge accounts?

  11. Yawn. More Telco FUD & Demonization by Cryofan · · Score: 2, Interesting

    And what a coincidence that we are having a rash of articles trying to demonize and FUDize VOIP and WiFi. Just in time for all this legislation that the telcos and cable companies are trying to push through in many states, legislation that would outlaw municipal wifi, for example.

    What a coincidence...

    --
    eat shiat and bark at the moon
  12. Job Vacancies. by oliverthered · · Score: 2, Interesting

    Hi, I'm a stranger but I can give you a job, all you have to do is send me your entire life story, where you've worked, where you went to school, your age etc...

    It won't be long before people start using job advertisements for identity theft, it's just so easy, from the average CV you'd get enough information to pass most security checks, and it only takes a birth certificate to get your mother's maiden name.

    The best thing is that the UK government want you to provide even more information to prove you can work, corner shops and take aways will be copying your passport details as soon as you take the job.

    --
    thank God the internet isn't a human right.