Slashdot Mirror


New Google Service Manipulates Caller-ID For Free

Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."


  1. Uh... by nmb3000 · · Score: 4, Informative
    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Uh... by TubeSteak · · Score: 2, Interesting

      Neither is the idea of abusing it for malicious purposes

      --
      [Fuck Beta]
      o0t!
  2. Perfect technology for your teenage prankster! by Salvance · · Score: 4, Funny

    Finally, technology that gives power back to the teenage prankster. Now "Hey, did you know your refrigerator is running?" calls will be answered with "Yes Mr. President, I did ... Oh, and by the way, your voice sounds so much younger in person" instead of "Johnny, please hang up the phone before I tell your mother".

    --
    Crack - Free with every butt and set of boobs
  3. Deserves attention, but not a very hard problem. by glasn0st · · Score: 5, Insightful

    Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.

    It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.

    I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailing list without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.

    However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.

    --
    ( ^_^)/
  4. This is stupid. It's not an issue. by NineNine · · Score: 4, Insightful

    This is stupid. It's a non-issue. The advertiser has to opt-in. Hell, I'm guessing that the advertiser is going to have to pay for it (it's part of AdWords). If the advertiser chooses to try it, and gets too much crap, the advertiser can stop it.

    As a business owner, if I used AdWords (I don't... too much click fraud), I'd try it, because any way that customers can contact you easier is generally good. But if it gets abused by a bunch of 12-year-olds, I'd cut it in a heartbeat.

  5. Re:Deserves attention, but not a very hard problem by LiquidCoooled · · Score: 2, Insightful

    Personally, I think the verification portion should NEVER call the phone.
    However, after telling google you want to use a certain phone, you must dial a number displayed on screen to confirm - it doesn't have to be connected, simply ringing will be enough of a verification and should not cost any money.

    --
    liqbase :: faster than paper
  6. Caller ID is broken in the same way SMTP is broken by CerebusUS · · Score: 3, Informative

    Much like SMTP relies on the sending email client/server to not lie about the originator's email address, Caller ID relies on the PBX originating the call to set the caller ID value. There's no other way for the phone system to be able to deliver the correct direct-dial extension; only the PBX truly knows what the extension is, the phone company only knows the trunk id that the call comes from. As long as that's the case, there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.

  7. Re:This is stupid. It's not an issue. by 42forty-two42 · · Score: 4, Informative

    It's not opt-in anymore. Take a look at maps.google.com - search for a business and they'll ALL have the click-to-call thingy on them.

  8. Heh... by setirw · · Score: 3, Interesting

    ...by that logic, we ought to outlaw SMTP servers, since one can falsify email headers there more easily than this system allows the falsification of caller-id data...

    --
    This message printed on 100% post-consumer recycled electrons.
  9. Star-Eight-Six by vmfedor · · Score: 3, Informative

    Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much. Just like anything else you'll get a few jokers but I doubt anyone will start "bringing down" businesses using click-to-call.

    Google ambiguously states that Google "takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won't be charged for any such calls." Seems to me that they at least recognize the potential for a problem and at least have some sort of plan for how to handle it.

    All-in-all, though, this seems like a pretty lame idea.

    --

    I like my women how I like my sugar.. granulated.

    1. Re:Star-Eight-Six by TubeSteak · · Score: 2, Informative
      Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much.

      IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

      It won't work on 911 or 1-800 & 1-900 (because they're collect) calls.
      My memory is a bit fuzzy, but I don't think I'm wrong.
      --
      [Fuck Beta]
      o0t!
    2. Re:Star-Eight-Six by PayPaI · · Score: 2, Informative

      You are (sort of) wrong. 911, 800#, 900# don't use CID. I've covered this before. Relevant Wikipedia article

    3. Re:Star-Eight-Six by phliar · · Score: 2, Informative
      IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

      You do not remember correctly. You are thinking of ANI (Automatic Number Identification). If you call a toll-free number, the business always gets your "ANI" number, since they're paying for the call. "Caller ID" (more correctly called "Calling Line ID" or CLID) is different, and is blocked with *86 [whatever the correct code is]. ANI and CLID are different fields in the phone signalling mechanism; kind of like the difference between the "From:" and "Received:" headers in SMTP. One is much easier to spoof/block.

      Look up SS7 for more details.

      --
      Unlimited growth == Cancer.
  10. ANI by DNS-and-BIND · · Score: 2, Interesting

    CallerID? Weak. Can you set your own ANI? Now THAT'S cloaking.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:ANI by evilbuny · · Score: 3, Informative

      Yes you can fake ANI, you just need an account with a VSP and off you go... all it costs is 1 to 2 c per minute usually...

  11. Re:Caller ID is broken in the same way SMTP is bro by XorNand · · Score: 5, Insightful

    Comparing CallerID to SMTP is a pretty good analogy. However I don't agree that either of them are "broken". Neither of the two were designed with authentication in mind, nor were they ever advertised as a means of security. Before CID, you had to actually answer the phone to see who was on the other end. CID was introduced as a convenience feature, not a security feature. It's people's expectations that are broken, not the technologies.

    --
    Entrepreneur : (noun), French for "unemployed"
  12. Probably a non-issue, practically speaking by 93+Escort+Wagon · · Score: 2, Interesting

    I can see Weinstein's point, although I don't see that it matters much from a practical point of view (unless I'm missing something here). When I look at the Caller ID information on an incoming call, it's more of a whitelist situation - I let the machine get it unless it's one of a few numbers (family, friends). So whether the Caller ID information is valid or not, I'm not going to be answering the phone. Weinstein seems to be looking at it from a blacklist perspective, which I doubt is how most people use their Caller ID.

    --
    #DeleteChrome
  13. Re:This is stupid. It's not an issue. by lenroc · · Score: 5, Insightful

    However, the problem the blogger is concerned about is not the abuse you're thinking of. The problem is that a nefarious user could click the "Call" link on a Business listing, but put in someone else's phone number. The "Caller-ID spoofing" part comes in here: Google's service calls the phone number entered, but the Caller-ID shows the number of the business that the "attacker" chose.

    If, when the person picks up the phone, they are immediately connected to the business, they would assume that the business called them. The blogger is apparently envisioning something of a "Joe job" style attack.

    However, this is easily protected against. Instead of connecting to the business directly, all Google has to do is play a recording along the lines of: "This is Google, calling since you entered your phone number on the "Click to Call" service, please press 1 to connect to the business you selected. If you did not initiate this, please hang up or press 2 to disable this service for this phone number."
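
The two safeguards proposed in this thread, sketched as an added example (not Google's code and not any poster's): the spoken verification code suggested by glasn0st and the press-1/press-2 prompt suggested by lenroc. The class name, the timeout, the attempt limit and the sample numbers in the comments are assumptions, and the telephony layer that actually places the automated call is left out.

```python
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a spoken code stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the challenge is discarded


class NumberVerifier:
    """Tracks which phone numbers have proven they can answer a call."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}      # number -> [code, expiry, attempts_left]
        self.verified = set()
        self.opted_out = set()

    def start(self, number):
        """Issue a code to be read out on an automated call to `number`."""
        if number in self.opted_out:
            return None         # the owner pressed 2 earlier: never ring again
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[number] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code             # goes to the telephony layer, never to the browser

    def confirm(self, number, typed):
        """Check the code the web user typed after hearing it on the phone."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        code, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[number]
            return False
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(code.encode(), str(typed).encode()):
            del self._pending[number]
            self.verified.add(number)
            return True
        entry[2] -= 1
        if entry[2] <= 0:       # too many wrong guesses: burn the challenge
            del self._pending[number]
        return False

    def keypress(self, number, digit):
        """Callee's answer to the recorded prompt: 1 connects, 2 opts out."""
        if digit == "2":
            self.opted_out.add(number)
            self.verified.discard(number)
            self._pending.pop(number, None)
            return "blocked"
        return "connect" if digit == "1" else "hangup"

    def may_call(self, number):
        """True only for numbers that proved reachability and did not opt out."""
        return number in self.verified and number not in self.opted_out
```

Because the code is only ever spoken on the call, someone who types in a number they cannot answer never learns it, and a single press of 2 removes that number from the service.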

  14. Re:How pissed would the... by Anonymous Coward · · Score: 4, Insightful

    How pleased would the rest of us be if people would refrain from splitting the first sentence of their post between the subject line and the comment box?

  15. Re:How pissed would the... by Paradise+Pete · · Score: 2, Informative
    Otherwise it looks like you said it twice and that's just as annoying.

    Only if you begin by reading the subject line. Otherwise it's just confusing. Do you really read the subject line of the posts before you read them?

  16. Re:This is stupid. It's not an issue. by DAldredge · · Score: 4, Informative

    800 type numbers do not get Caller ID data - they get Automated Number Identification data which is much harder to change and, as far as I know, click to call doesn't change the ANI information.

  17. Useless for abuse by m.precursor · · Score: 2, Insightful

    This service can not be abused in the way that you would think. Think about it, even if you can forge the caller-id, the google service calls YOU, and connects you to the number that the caller-id is spoofing. All you would end up being able to do is have the local police station number call a local drug dealer. When they answer, it will ring and call the police station. If you pick up the phone and get a ring, what are you going to do? I know that I am going to hang up unless I am expecting it.

  18. Re:How pissed would the... by CastrTroy · · Score: 4, Insightful

    Yes, that's for sure. We shouldn't even have subjects, the subject is the article. People most of the time end up doing stupid things like splitting the post between the subject and the comment, or leaving it as "Re: Subject that doesn't make sense" Because the subject refers to something 3 levels up and the subject has changed by this point. Nobody reads subjects, and hardly anybody puts in a useful subject anyway. It's nice for email, because you can scan your messages and tell which message is about what, but when you're reading posts, it's not worth your time to read all those subjects because 98% of them are Re......

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  19. Re:How pissed would the... by BronsCon · · Score: 3, Funny
    Do you really read the subject line of the posts before you read them?

    Do you really read the posts? I only read his post to see what the rest of the sentence was. Otherwise, the subject lines are enough for me, like the summaries.

    Or are you implying that you read the articles as well?
    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  20. Re:Deserves attention, but not a very hard problem by Dare+nMc · · Score: 2, Interesting
    The service is controlled by a single party that can make changes easily.

    It would be very easy for Google to implement a verification mechanism.

    I thought for a second that you were making sense. Google isn't the issue, the caller-id/phone system is crap.

    it would be a huge improvement for the Phone system to at least be reliable to the same country of origin, but that would hurt the telemarketers, the phone companies won't do that...

    If the DMA, etc wants to ever do business with me over the phone again, they will fix caller-id to be 1) a crime if false 2)a meaningful trace, 3) and they will pay for the caller id to be accessible in my house.

    to have their customers pay for an unreliable device that is the only method to determine if the person is really calling...
    And volume here is crap, every business that has a T1 can determine their own caller-id, that has to be the majority of calls being wide open to caller id manipulation, not the opposite as this article implies.
  21. Re:This is stupid. It's not an issue. by binarybum · · Score: 4, Funny

    I think that even the laziest person in the world wouldn't find pressing buttons on a telephone to be too hard of a task.

      but what if their fingers are too fat?

    --
    ôó
  22. Re:Caller ID is broken in the same way SMTP is bro by CerebusUS · · Score: 2, Informative

    I agree with you that it's going to be a question of scale, but the dividing line may be lower than you think. I work in a company of only 25 and we've got Caller ID configured to push the extension the call was made from. While restaurants and offices small enough not to need a "true pbx" solution don't get the opportunity to configure their caller ID, the barrier to entry if you _wanted_ to push caller ID on your own is very low. Even lower with roll-your-own solutions such as Asterisk@Home being so easy to set up.

    In such a world, relying on your caller ID display to tell you the truth is pretty much a bad idea.

  23. Re:How pissed would the... by Ankur+Dave · · Score: 2, Informative

    Not to be rude, but it's also annoying when people reply to a short parent and quote part of that parent. That messes up the experimental discussion system, where the first line of each message is shown as a preview.

  24. Ok, still not getting it. by way2trivial · · Score: 2, Insightful

    I use this service,
    I tell google, I wanna speak with toll free information (800) 555-1212

    I select the # for toll free information and type in MY phone number,

    my phone begins to ring, the caller id on my phone says the # calling me is (800) 555-1212

    I answer the phone, and a few moments later I am connected to information.

    where's the potential to misuse?

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  25. ...when they end their sentence in the subject. by mattmacf · · Score: 4, Funny

    Well I think it's even more annoying...

    --
    I only mod funny =D
  26. Did anyone follow the damned link? by Lord+Kano · · Score: 3, Informative
    This is from Google's FAQ...

    • What is this click-to-call feature? How does it work?

      Google is testing a new feature that lets you speak directly over the phone, for free, to businesses you find on Google search results pages. When this feature is available for a business, you'll see a green phone icon in their advertisement or a call link next to their contact information.

      Here's how it works: Click the phone icon or call link, and you'll be invited to enter your own phone number into a special field. When you do so and then click Connect for free, Google will call your number almost immediately. Pick up, and you'll hear ringing on the other end as Google connects you to the business you selected. When they answer, you simply talk normally as you would with any other call.


    This isn't for prank calls. Its only use is to keep businesses from using their caller-id to amass a list of telephone numbers. They could arguably claim that the "do not call list" doesn't apply because they'd be returning calls to people who have called them.

    It can help businesses too. If you're too small of an operation to afford a toll free number, you can have your customers call you for free and place orders from you.

    There's no down-side to this.

    LK
    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  27. Lauren needs to re-read this service by icedcool · · Score: 2, Insightful

    The click to call actually calls you - so if you enter a fake number... you're not going to be connected to who you call. So if somebody connected your phone to some sex line... you would see the sex line number and could ignore it. This could be used to annoy but nothing more than current telemarketers. Oh and it's free. This is a great service and Lauren needs to reread how to use the service.

    How intelligent.

    --
    Most people aren't thought about after they're gone. "I wonder where Rob got the plutonium" is better than most get.
  28. Re:How pissed would the... by LordKronos · · Score: 4, Insightful

    I agree with both of you. It is annoying that it screws up the 1st-sentence-preview of the experimental forum, but it's also annoying when you don't have the context.

    The obvious solution, of course, is for slashdot to add an official method of quoting (rather than right now, where some people italicize, some prefix with >, some put it in quotation marks, and some just paste the text normally) and then have the experimental forum display the first line of non-quoted text.

  29. Google is NOT the problem - this is great! by arete · · Score: 2, Informative

    Google is NOT the problem.

    The problem is NOT that Google is letting you fake CallerID - it's that CallerID is trusted by anybody, when the telcos don't care a lick about securing it. (There are dozens of for-pay but cheap services to alter your callerID...) I'd even accept a nontechnological solution involving it being both criminally and civilly illegal for you to spoof it. But that clearly doesn't exist, either.

    If anything I hope this abuse gets really widespread and callerID gets dropped as a trustworthy source.

    And to think that lots of times telcos will let you into your voicemail based ONLY on spoofable callerID, when they could be using a more secure system. (Since legitimate calls to the voicemail on THEIR system would come from THEIR system)

    This is a less important version of the SSN problem. The real SSN problem is NOT that some places don't guard your SSN carefully enough. The problem is that you have an ID number that you MUST give to all employers, employees, banks, etc. (fine...) AND which those places have decided to use as a password. It's this second part that's completely bonkers and needs to be abolished. My SSN is NOT proof of who I AM! It can't be, I have to give it to dozens and dozens of people. Nor is anything on the public record, like my actual mother's maiden name. (I use a fake one, of course)

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot