[asterisk-biz] ANI

[Steve Totaro]

Again, you are confusing ANI with Caller ID.  It is not callerid/ANI
it is caller ID and ANI, they are not the same!

Here is a nice little article that sums up the differences and how to
use spoofed ANI to call premium 900 numbers and bill it to someone
else.  It also mentions 911.  I am going to try both.  If in fact, if
911 has the spoofed location and there are no 900 bills on my PRI,
then there MUST be legislation and regulation.

I will report back with results.

I don't want to hear "It is not possible", anything is possible,
especially if made public via Fox News, CNN and other popular news
outlets.

http://www.totse.com/en/phreak/introduction_to_telecommunications/cid_ani.html

Thanks,
Steve Totaro

On Fri, May 9, 2008 at 8:13 PM, John Scully <jscully at isipi.com> wrote:
> OK - A few people here have touched on the right answer, but I am going to
> say it more bluntly:
>
> No limit on ability to "spoof" outbound callerid/ANI is possible without
> crippling the ability to aggregate traffic from customers.  An aggregator
> has zero ability to determine what PSTN numbers a customer of a customer has
> right to use.  You have a PBX with PSTN numbers, I have a wholesale customer
> who sells you IP trunking for outbound LD.  You set your switch to use the
> proper ANI so people who call back some in on your PSTN lines.
>
> Your direct "LD company" may have no switch, and your PBX may be trunked
> directly to me, but I do not know who you are.  So I have no one to contact
> and verify ANI, the company who does know who you are has no way to verify
> what ANI you send, and in any case, it is none of our business.
>
> You may be an outbound call center making calls for a different company, and
> using their ANI so their customers see the calls as coming from them.
>
> Now, how about our upstream carriers?  We have maybe 30 CLECS over whom we
> can terminate traffic.  Should they all ask us if your ANI is legit?
>
> You see the issue - this one has to be handled with a big stick used to beat
> people who commit abuse, not by blocking the ability of us all to do legit
> business.
> John Scully
> www.isupportisp.com
> 614-372-6511
> Residential and Business VoIP solutions
> Hosted and on Premise IP-PBX systems
> Advanced Voice Applications and IVRs
>
> ----- Original Message -----
> From: "Steve Totaro" <stotaro at totarotechnologies.com>
> To: "Commercial and Business-Oriented Asterisk Discussion"
> <asterisk-biz at lists.digium.com>
> Sent: Friday, May 09, 2008 5:54 PM
> Subject: Re: [asterisk-biz] ANI
>
>
>>
>> On Fri, May 9, 2008 at 5:03 PM, Alex Balashov <abalashov at evaristesys.com>
>> wrote:
>>> Miles Scruggs wrote:
>>>> I'm sorry but your experience is entrenched in the switched based PSTN
>>>> type facilities/termination.  Quite a few years ago major carriers
>>>> (Verizon, ATT, Qwest, Level 3 etc) have allowed termination to them
>>>> via IP. This is for customers that don't even have any DID with the
>>>> carrier (termination only).  How do you propose the carrier would be
>>>> able to verify the correctness of the CID being passed to them?  All
>>>> of these carriers simply pass along the CID/ANI which the customer
>>>> provides, and there is nor can their be any way to verify it.
>>>>
>>>> Welcome to IP baby, you really can't lock it down using the
>>>> traditional methods.  As much as you would like to think that the
>>>> entity converting the IP to PSTN should/would/could/does correctly
>>>> specify the absolute correct ANI/CID it is quite the opposite on a
>>>> large scale.  Unless someone dreams up a new way to enforce or
>>>> efficiently verify CID/ANI and the big boys actually implement it this
>>>> isn't likely to change.
>>>>
>>>> BTW there are actual telemarketing laws that will get you slapped if
>>>> you use CID spoofing in marketing.  Not sure who but someone just got
>>>> slapped with a $500k fine for doing it.  Google around I'm sure you'll
>>>> find it.
>>>>
>>>> Miles
>>>>
>>>> On May 9, 2008, at 11:40 AM, Jay R. Ashworth wrote:
>>>>> On Fri, May 09, 2008 at 11:31:45AM -0700, Nitzan Kon wrote:
>>>>>> I don't see a way to do it otherwise, as a carrier for outgoing
>>>>>> traffic, how exactly are you going to check or verify that the
>>>>>> CID being sent is not the ANI? just because you don't provide
>>>>>> the incoming number doesn't mean it's not valid, and if you do
>>>>>> it still doesn't mean it is. In essence as a carrier you have
>>>>>> no choice but to "trust" the CID you're being fed.
>>>>> Horse hockey.
>>>>>
>>>>> As a carrier, interfacing to the PSTN, *you* are responsible for the
>>>>> DNs that the subscriber is assigned, and neither I nor the FCC sees
>>>>> any
>>>>> reason why you can't validate the numbers you're presented against
>>>>> that
>>>>> list before extending calls into said PSTN.
>>>>>
>>>>>> As far as regulating this - no thanks! I agree there should be
>>>>>> a law out there against FRAUDULENT use, but the last thing any
>>>>>> VoIP carrier needs is regulation on LEGIT use. In essence if
>>>>>> you put a law out there saying "you should prevent your customers
>>>>>> from abusing this" that's fine, but if you put out a law saying
>>>>>> "spoofing CID is illegal" you're basically deeming most VSPs
>>>>>> illegal. Again, just because I "own" the number from provider A
>>>>>> doesn't mean I don't have to "spoof" it for provider B. Incoming
>>>>>> and outgoing are totally separate.
>>>>> Carriers should be (and TTBOMK, are) responsible for the DNs sent out
>>>>> as (at least) ANI on lines they provide to subs, and they should not
>>>>> permit them to be any number the client isn't assigned.  I'm less
>>>>> concerned about CNID, for the reason you cite, though random Murricans
>>>>> probably would not be.
>>>>>
>>>>> There *is* no legitimate reason for spoofing ANI from the subscriber
>>>>> level which does not break the semantics assumed of ANI.
>>>
>>> This is exactly right.  The concept of a BTN and/or charge number
>>> doesn't exist in VoIP.  Sure, when the call goes out ISUP that field is
>>> still populated, but what it's populated with is entirely up to the
>>> carrier and their switch configuration.
>>>
>>>
>>> --
>>> Alex Balashov
>>> Evariste Systems
>>> Web    : http://www.evaristesys.com/
>>> Tel    : (+1) (678) 954-0670
>>> Direct : (+1) (678) 954-0671
>>> Mobile : (+1) (706) 338-8599
>>>
>>
>> That may be the case but it should not be allowed.
>>
>> People pay their bills based on ANI.  If they are being billed
>> incorrectly, then either the customer or the carrier (who really
>> cares) is being ripped off, intentionally or not.
>>
>> A new technology or methodology needs to be introduced to stop this,
>> as there is no real world use for altering ANI.
>>
>> Thanks,
>> Steve Totaro
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>>
>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>