[Asterisk-Users] calling card application

Jeremy Hall jeremyhall at mpccorp.com
Tue May 25 12:11:28 MST 2004


That may be the case in Australia, but at least here in the US of A, the
telco accepts what is sent.  I only have it set up to spoof on prefix 8
to call friends, but they already know that if they see their number,
odds are pretty good that it is me.  :-)

The main "legit" way that is used, is when you have DIDs for numerous
office extensions.  You have to set the Caller ID when you call out so
it shows the correct DID extension to call back on.  Or you can always
send your main switchboard number rather than the individual extension.
There are several methods that are commonly used.

As for why the telcos don't look at the incoming number list for your
account, and verify what you are sending is part of that, I don't know.
I agree with you there, it just seems to be the way it should be.  The
only exception I could see is if you have lines from several providers,
and want to send the incoming number from a different provider than your
outgoing. But then it seems they could evaluate that on a case by case
basis but still protect the data.  They didn't ask me though.

But regardless of what it could, and should, be, caller ID is a very
insecure authentication method as it currently stands.

Jeremy

-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at] 
Sent: Tuesday, May 25, 2004 12:21 PM
To: asterisk-users at lists.digium.com
Subject: Re: [Asterisk-Users] calling card application



Jeremy Hall wrote:
> If by authentication by mobile number you mean the caller ID received,
> that is not secure at all.  CallerID is very easy to spoof when you have
> a digital line (certain types, of course.)  For example, when I call out
> from my Asterisk box, if I prefix the number with 9, it sends my correct
> CallerID information.  If I prefix the number with 8, it sends the
> number I am calling as the CID.  I can just as easily set that to show
> random numbers, or a mobile number I know will give me pre-paid minutes
> on XYZ company's long distance account.

Is it really possible to spoof the CID? Shouldn't the PSTN provider (the
company which gave you the E1 link) verify that the CID you're sending
into the PSTN is correct (i.e. is in your number range), and put in a
correct one if it's false?

I think that's the way it should be in Austria.

regards,
klaus
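
The provider-side screening asked about above (check the presented CID against the customer's number range and substitute a correct one otherwise), as an added example that is not part of the original thread. The `Trunk` record, the number block, the verdict strings and all phone numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trunk:
    """Hypothetical record a provider holds for one customer trunk."""
    name: str
    default_cid: str   # number substituted when screening fails
    ranges: tuple      # inclusive (first, last) DID blocks assigned to the trunk


def normalize(number):
    """Strip punctuation and spaces; return digits only, or None if empty."""
    digits = re.sub(r"\D", "", number or "")
    return digits or None


def in_ranges(cid, ranges):
    # Require equal length so a truncated or padded number cannot land
    # "inside" a block by numeric accident.
    return any(len(cid) == len(lo) == len(hi) and int(lo) <= int(cid) <= int(hi)
               for lo, hi in ranges)


def screen(trunk, presented, called):
    """Return (cid_to_send, verdict) for one outbound call."""
    cid = normalize(presented)
    if cid is None:
        return trunk.default_cid, "replaced:missing"
    if in_ranges(cid, trunk.ranges):
        return cid, "passed"   # e.g. a per-extension DID or the switchboard
    # Out of range: the "prefix 8" behaviour from the thread (CID set to the
    # called party's own number) gets its own verdict for logging.
    if cid == normalize(called):
        return trunk.default_cid, "replaced:cid-equals-called"
    return trunk.default_cid, "replaced:out-of-range"


# Constructed sample data: one trunk owning 202-555-0100 .. 202-555-0199.
TRUNK = Trunk("example-e1", "2025550100", (("2025550100", "2025550199"),))

if __name__ == "__main__":
    calls = [("202-555-0142", "3035550111"),   # own DID
             ("3035550111", "303-555-0111"),   # CID copied from called number
             ("4155550123", "3035550111"),     # someone else's number
             ("", "3035550111")]               # nothing presented
    for presented, called in calls:
        print(repr(presented), "->", screen(TRUNK, presented, called))
```

Screening of this kind only constrains what one trunk can present; it does not make a received caller ID suitable as the sole credential for a calling card account.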