Internet Phones & Identity Theft
flaws writes "A CNN story details how phishers are using Internet Phones to expand their identity theft endeavors. The article demonstrates the use of caller-ID spoofing to companies such as Western Union to thwart their verification system and successfully launder money. Western Union commented on the situation, stating at this time it's the only way they know how to authenticate the call. The Anti-Phishing Working Group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone."
Just another example of the thieves being ahead of the companies. Regardless of what form of verification a company comes up with, it's going to be broken or cracked by a criminal. As long as it relies on any human input, this will continue.
My sig of choice is Marlboro
I have a block for caller ID on my home phone. I know that when I call a 1-800 number though, they still are easily able to discern what my true phone number is. My understanding is that this is by using Automatic Number Identification - ANI. Does Western Union not use this or do VoIP phones allow you to fake this as well as standard caller ID? If the latter, then I think we have bigger problems than Western Union. Most 911 systems use ANI also. Imagine if knuckleheads could make anonymous calls to 911.
I'm a big tall mofo.
Or a faxed signature, either one will do. If it works for pizza delivery it should work for money transfers.
Oh, and you could also block VoIP services from Western Union and whatnot until they will vouch for the identity of their users.
Anonymity on the 'real' phone network is much easier to get than on a VoIP phone, the 'IP' bit will take care of that quite nicely, as long as you can map back between a phone number at any given moment and an IP number.
It's a bit like a DHCP lease by a provider or a WIFI access point, if you know the timestamp and the ID used you should be able to work backwards to get more info out of the system.
MP3 Search Engine
Has Western Union never heard of calling the number back?
I got a call supposedly from a Timothy at Slashdot. The caller indicated they needed my help in verifying some spelling and asked if I recalled seeing a proposed story before. They indicated they needed my social security and mother's maiden name so they could verify my karma level. Needless to say the ThinkGeek coffee mug did not make up for the fact my savings account was drained.
If Western Union is using caller ID to authenticate financial matters, Western Union is being stupid. It's always been possible to fake caller ID.
Let's not blame VoIP.
I think it's worth pointing out that the *real* problem (as usual) is not just technical issues, but also the end users. As long as people are naive enough to let themselves get talked into revealing personal details, passwords, credit card numbers, PINs (or whatever) over *any* medium (no matter whether it's email, over the phone, in person or anything else), phishing (and, more generally, fraud) *will* continue to be a problem.
Technical measures may seem like they're helping on a short-term scale, but ultimately, they're just masking the real problem, which can only be solved by educating people and making it clear to them that security is something that does affect them directly.
quidquid latine dictum sit altum videtur.
If your bank, investment firm, or other institution calls you on the phone to ask you for any information, all you have to do is ask for a number where you may call them back. Sure, it is possible to hack into a trunk and redirect calls, but that takes a huge amount of effort relative to just phishing. It shouldn't be too hard to verify that number x belongs to institution Y. With a callback number, even if you get scammed, it gives the police something to go on.
This is really a matter for public education rather than the heavy hand of the law to solve.
I'd like to start a consumer movement where each consumer can generate a set of private and public encryption keys. The consumer can publish the public key and it will be used by credit card issuers to issue new credit card numbers to the consumer. Then, only the consumer can decrypt and use those numbers. If consumers use this as the only means of transferring critical personal information then the phishers will be defeated.
I work for an e-commerce software company that processes several million dollars in sales a month.
/ authkey.php
In the past few weeks we've had scam artists targeting our customers offering to do free SEO analysis only to get in and download their customer base.
They claim to be partners of ours, and they tell the business they need admin access to do the study and they'll give them a free report.
Of course they get in, as admin, then they download the order history and customer list and start calling the customers saying "we had a problem with your order, can you please verify your credit card number ending in [last 4 digits]" and most honest people happily oblige by repeating the valid credit card number over the phone. Then they ask for the CVV/CID #. Yeoch!
Fortunately a lot of our sales go through Paypal which isn't subject to that sort of phraud.
I figure a single break in could easily net them 50,000 valid credit cards. Very scary.
I suspect the calls originate from hacked out IP Phones.
Here's how we fixed the problem so that our customers could verify the identity of our staff and our legitimate partners:
http://webdoc.zoovy.com/info/index.php?GOTO=guide
It's not about VoIP specifically... this kind of vulnerability has existed for years on the public network. Pretty much anyone with an ISDN PRI can specify their own caller ID... the difference is it's cheaper to do it now.
Anyone relying on caller ID for security is naive and stupid.
This is what gets me about the entire telemarketing industry -
If you get a phone call and someone tries to sell you something, you have absolutely no idea who they really are, what company they really represent and even if they are in the same country as you, why on earth would anyone give them credit card details to make a purchase?!?
I'm surprised this hasn't been going on for decades:
1) Call random people
2) Offer them an amazing deal
3) Take credit card and address details
4) Fucking profit big-time
Add to that, find a country that has no extradition treaties with yours and only call people in that country, the long-distance charge will be worth it from all the money you rake in from total fucking idiots who are prepared to give you their credit card without any credentials.
The fact that there actually is a telemarketing industry proves that some people must be stupid enough. From now on I propose a special 'code word' which will be known among telemarketers and non-stupid people. The conversation will go something like this:
A: Good morning sir, I'm wondering if you would be interested in this special offer we..
B: Banana!
A: Oh terribly sorry to bother you sir, I'll take you off all telemarketing lists immediately, thank you.
This code word has basically told the marketer that you are not a total retard and are not worth calling in the future so that they may remove you from their list and actually save themselves time and money! All the actual idiots who would fall for this crap can then have more telemarketers calling them and everyone is happy..
This comment does not represent the views or opinions of the user.