Slashdot Mirror
New Google Service Manipulates Caller-ID For Free
Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."
Not exactly new....
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
Much like SMTP relies on the sending email client/server to not lie about the originators email address, Caller ID relies on the PBX originating the call to set the caller ID value. There's no other way for the phone system to be able to deliver the correct direct-dial extension, only the PBX truly knows what the extension is, the phone company only knows the trunk id that the call comes from. As long as that's the case, there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.
It's not opt-in anymore. Take a look at maps.google.com - search for a business and they'll ALL have the click-to-call thingy on them.
Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much. Just like anything else you'll get a few jokers but I doubt anyone will start "bringing down" businesses using click-to-call.
Google ambiguously states that Google "takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won't be charged for any such calls." Seems to me that they at least recognize the potential for a problem and at least have some sort of plan for how to handle it.
All-in-all, though, this seems like a pretty lame idea.
I like my women how I like my sugar.. granulated.
800 type numbers do not get Caller ID data - they get Automated Number Identification data which is much hard to change and, as far as I know, click to call doesn't change the ANI information.
Yes you can fake ANI, you just need an account with a VSP and off you go... all it costs is 1 to 2 c per minute usually...
Google is testing a new feature that lets you speak directly over the phone, for free, to businesses you find on Google search results pages. When this feature is available for a business, you'll see a green phone icon in their advertisement or a call link next to their contact information.
Here's how it works: Click the phone icon or call link, and you'll be invited to enter your own phone number into a special field. When you do so and then click Connect for free, Google will call your number almost immediately. Pick up, and you'll hear ringing on the other end as Google connects you to the business you selected. When they answer, you simply talk normally as you would with any other call.
This isn't for prank calls. It's only use is to keep businesses from using their caller-id to amass a list of telephone numbers. They could arguably claim that the "do not call list" doesn't apply because they'd be returning calls to people who have called them.
It can help businesses too. If you're too small of an operation to afford a toll free number, you can have your customers call you for free and place orders from you.
There's no down-side to this.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano