Slashdot Mirror


New Google Service Manipulates Caller-ID For Free

Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."

15 of 116 comments

  1. Uh... by nmb3000 · · Score: 4, Informative
    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  2. Caller ID is broken in the same way SMTP is broken by CerebusUS · · Score: 3, Informative

    Much like SMTP relies on the sending email client/server to not lie about the originator's email address, Caller ID relies on the PBX originating the call to set the caller ID value. There's no other way for the phone system to be able to deliver the correct direct-dial extension: only the PBX truly knows what the extension is; the phone company only knows the trunk ID that the call comes from. As long as that's the case, there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.

  3. Re:This is stupid. It's not an issue. by 42forty-two42 · · Score: 4, Informative

    It's not opt-in anymore. Take a look at maps.google.com - search for a business and they'll ALL have the click-to-call thingy on them.

  4. Star-Eight-Six by vmfedor · · Score: 3, Informative

    Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much. Just like anything else you'll get a few jokers but I doubt anyone will start "bringing down" businesses using click-to-call.

    Google ambiguously states that Google "takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won't be charged for any such calls." Seems to me that they at least recognize the potential for a problem and at least have some sort of plan for how to handle it.

    All-in-all, though, this seems like a pretty lame idea.

    --

    I like my women how I like my sugar.. granulated.

    1. Re:Star-Eight-Six by TubeSteak · · Score: 2, Informative
      Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much.
      IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

      It won't work on 911 or 1-800 & 1-900 (because they're collect) calls.
      My memory is a bit fuzzy, but I don't think I'm wrong.
      --
      [Fuck Beta]
      o0t!
    2. Re:Star-Eight-Six by PayPaI · · Score: 2, Informative

      You are (sort of) wrong. 911, 800#, 900# don't use CID. I've covered this before. Relevant Wikipedia article.

    3. Re:Star-Eight-Six by phliar · · Score: 2, Informative
      IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

      You do not remember correctly. You are thinking of ANI (Automatic Number Identification). If you call a toll-free number, the business always gets your "ANI" number, since they're paying for the call. "Caller ID" (more correctly called "Calling Line ID" or CLID) is different, and is blocked with *86 [whatever the correct code is]. ANI and CLID are different fields in the phone signalling mechanism; kind of like the difference between the "From:" and "Received:" headers in SMTP. One is much easier to spoof/block.

      Look up SS7 for more details.

      --
      Unlimited growth == Cancer.
  5. Re:How pissed would the... by Paradise+Pete · · Score: 2, Informative
    Otherwise it looks like you said it twice and that's just as annoying.

    Only if you begin by reading the subject line. Otherwise it's just confusing. Do you really read the subject line of the posts before you read them?

  6. Re:This is stupid. It's not an issue. by DAldredge · · Score: 4, Informative

    800 type numbers do not get Caller ID data - they get Automated Number Identification data, which is much harder to change and, as far as I know, click to call doesn't change the ANI information.

  7. Re:ANI by evilbuny · · Score: 3, Informative

    Yes you can fake ANI, you just need an account with a VSP and off you go... all it costs is 1 to 2 c per minute usually...

  8. Re:Caller ID is broken in the same way SMTP is bro by CerebusUS · · Score: 2, Informative

    I agree with you that it's going to be a question of scale, but the dividing line may be lower than you think. I work in a company of only 25 and we've got Caller ID configured to push the extension the call was made from. While restaurants and offices small enough not to need a "true PBX" solution don't get the opportunity to configure their caller ID, the barrier to entry if you _wanted_ to push caller ID on your own is very low. Even lower with roll-your-own solutions such as Asterisk@Home being so easy to set up.

    In such a world, relying on your caller ID display to tell you the truth is pretty much a bad idea.

  9. Re:How pissed would the... by Ankur+Dave · · Score: 2, Informative

    Not to be rude, but it's also annoying when people reply to a short parent and quote part of that parent. That messes up the experimental discussion system, where the first line of each message is shown as a preview.

  10. Did anyone follow the damned link? by Lord+Kano · · Score: 3, Informative
    This is from Google's FAQ...

    • What is this click-to-call feature? How does it work?

      Google is testing a new feature that lets you speak directly over the phone, for free, to businesses you find on Google search results pages. When this feature is available for a business, you'll see a green phone icon in their advertisement or a call link next to their contact information.

      Here's how it works: Click the phone icon or call link, and you'll be invited to enter your own phone number into a special field. When you do so and then click Connect for free, Google will call your number almost immediately. Pick up, and you'll hear ringing on the other end as Google connects you to the business you selected. When they answer, you simply talk normally as you would with any other call.


    This isn't for prank calls. Its only use is to keep businesses from using their caller-id to amass a list of telephone numbers. They could arguably claim that the "do not call list" doesn't apply because they'd be returning calls to people who have called them.

    It can help businesses too. If you're too small of an operation to afford a toll free number, you can have your customers call you for free and place orders from you.

    There's no down-side to this.

    LK
    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  11. Google is NOT the problem - this is great! by arete · · Score: 2, Informative

    Google is NOT the problem.

    The problem is NOT that Google is letting you fake CallerID - it's that CallerID is trusted by anybody, when the telcos don't care a lick about securing it. (There are dozens of for-pay but cheap services to alter your callerID...) I'd even accept a nontechnological solution involving it being both criminally and civilly illegal for you to spoof it. But that clearly doesn't exist, either.

    If anything I hope this abuse gets really widespread and callerID gets dropped as a trustworthy source.

    And to think that lots of times telcos will let you into your voicemail based ONLY on spoofable callerID, when they could be using a more secure system. (Since legitimate calls to the voicemail on THEIR system would come from THEIR system)

    This is a less important version of the SSN problem. The real SSN problem is NOT that some places don't guard your SSN carefully enough. The problem is that you have an ID number that you MUST give to all employers, employees, banks, etc. (fine...) AND which those places have decided to use as a password. It's this second part that's completely bonkers and needs to be abolished. My SSN is NOT proof of who I AM! It can't be, I have to give it to dozens and dozens of people. Nor is anything on the public record, like my actual mother's maiden name. (I use a fake one, of course)

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot