[asterisk-biz] Vonage 877

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Tue May 22 13:16:18 MST 2007


On 5/22/07, Andres <andres at telesip.net> wrote:
> I think a lot of 'funny business' happens in the land of number
> porting.  Our company is a customer of XO and we in turn have our own
> customers.  A few weeks ago one of our customers ported a number away
> from our network (an XO DID), into some other network.  We were shocked
> that this could happen.   We called up XO and demanded an explanation.
> They dug up the LOA Letter which obviously did not have our signature
> and all that XO could do was apologize.  They tried to get the number
> back but it was impossible.  I could not believe this.  It could have
> been our main sales number or any other critical number.  After this
> incident, we lost all respect for the number porting process.
>

If you want to see how to not do porting, in Ireland where I currently
reside, I ported my mobile number from one carrier to another.  The
proof?  My word that it was my number, they didn't even require me to
have my handset.  Because it's prepaid there is no bill or proof that
it's mine, other than perhaps I have the SIM associated with it.  The
port happened within an hour.  The only trace that my old phone was
ported was that its SIM was no longer valid for service.

It is my belief that all the documentation required, LOAs etc., aren't
verified very much, and porting is more or less an automatic response,
unless a carrier gets upset and decides to refuse further ports.
Customers complain after the fact, but it can be harder to un-port a
number than it can be to port it away in the first place.

With prepaid accounts, online VoIP accounts, etc., proof can either be
easily faked (printing out a webpage for example ...) or just not
verified in the first place.  Going after someone after the fact can
be just as difficult since there is no physical requirement to be in a
friendly jurisdiction and damage can be done very quickly.  Think
about say porting away a credit card customer service toll-free.  If
there is a terminating POTS or some other way of routing calls to that
call centre, they could record the calls for processing later, gathering
info to commit large scale fraud.  When you call in to your credit card
company you have to give everything required to authenticate yourself
to the company, which would not be in the hands of fraudsters.

I think the eavesdropping attack is far more likely than taking a
competitor's number and routing it to your call centre, and proceeding
as if the customer really called you.

Mischief makers could just route the numbers around like that to cause
havoc and none of the parties that got their 'lines crossed' have any
knowledge or understanding as to what happened, but who would believe
that?

The system is weak, although it's hard to do anything better and still
provide some level of security.  The best that could possibly happen
would be to have something by physical mail be sent but it's not hard
to play games with that and still obfuscate the identity of the person
even though you know the address the request was sent to.  It would
also cause a delay that many would find unacceptable since it seems
that many want to port same day and not wait up to 3 weeks for the
mail.

Online faxing, VoIP, and remailing services all provide someone in
potentially a foreign country to look like they are within the same
country, and fool most due diligence procedures.

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 516 687 5200
http://www.trxtel.com the VoIP provider that pays you!

