Slashdot Mirror


New Google Service Manipulates Caller-ID For Free

Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."

3 of 116 comments

  1. Deserves attention, but not a very hard problem. by glasn0st · · Score: 5, Insightful

    Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.

    It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.

    I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailing list without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.

    However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.

    --
    ( ^_^)/
  2. Re:Caller ID is broken in the same way SMTP is bro by XorNand · · Score: 5, Insightful

    Comparing CallerID to SMTP is a pretty good analogy. However, I don't agree that either of them is "broken". Neither of the two was designed with authentication in mind, nor were they ever advertised as a means of security. Before CID, you had to actually answer the phone to see who was on the other end. CID was introduced as a convenience feature, not a security feature. It's people's expectations that are broken, not the technologies.

    --
    Entrepreneur : (noun), French for "unemployed"
  3. Re:This is stupid. It's not an issue. by lenroc · · Score: 5, Insightful

    However, the problem the blogger is concerned about is not the abuse you're thinking of. The problem is that a nefarious user could click the "Call" link on a Business listing, but put in someone else's phone number. The "Caller-ID spoofing" part comes in here: Google's service calls the phone number entered, but the Caller-ID shows the number of the business that the "attacker" chose.

    If, when the person picks up the phone, they are immediately connected to the business, they would assume that the business called them. The blogger is apparently envisioning something of a "Joe job" style attack.

    However, this is easily protected against. Instead of connecting to the business directly, all Google has to do is play a recording along the lines of: "This is Google, calling since you entered your phone number on the "Click to Call" service, please press 1 to connect to the business you selected. If you did not initiate this, please hang up or press 2 to disable this service for this phone number."
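
The two safeguards proposed in comments 1 and 3 above (a spoken verification code for each entered number, and a "press 1 to connect, press 2 to disable" prompt) can be modelled together; this is an added example, not part of any commenter's post and not Google's code. The class and method names, the 6-digit code, the 300-second lifetime and the three-attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a spoken code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong answers tolerated before the code is discarded (assumed)

class CallbackRegistry:
    """Tracks which user has proven they can answer which phone number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # (user, number) -> [code, expires_at, attempts_left]
        self._verified = set()   # (user, number) pairs that passed verification
        self._opted_out = set()  # numbers whose owner pressed 2

    def start_verification(self, user, number):
        """Return the 6-digit code the automated call would read out to `number`."""
        if number in self._opted_out:
            raise PermissionError("owner disabled the service for this number")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, number)] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def confirm(self, user, number, answer):
        """Check the code the user typed back; single use, expiring, rate limited."""
        entry = self._pending.get((user, number))
        if entry is None:
            return False
        code, expires_at, _ = entry
        ok = hmac.compare_digest(code.encode(), answer.encode())
        entry[2] -= 1
        if ok or entry[2] <= 0 or self._clock() > expires_at:
            del self._pending[(user, number)]
        if ok and self._clock() <= expires_at:
            self._verified.add((user, number))
            return True
        return False

    def handle_keypress(self, number, digit):
        """Prompt played when the callee answers: 1 connects, 2 disables."""
        if digit == "2":
            self._opted_out.add(number)
            self._verified = {(u, n) for (u, n) in self._verified if n != number}
            return "blocked"
        return "connect" if digit == "1" else "hangup"

    def may_place_call(self, user, number):
        return (user, number) in self._verified and number not in self._opted_out
```

Verification is bound to the (user, number) pair, so one account proving it can answer a number does not let a different account direct calls to it.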