[Asterisk-Users] VoIP hackers gut Caller ID

Steve Totaro asterisk at totarotechnologies.com
Thu Jul 8 06:10:32 MST 2004


Institutions using caller ID could just implement a callback feature to
verify identity, but even then a "phone guy" could be sitting outside your
house or business with a butt set.  In all reality, there is no way to ID
someone without knowing them AND conducting a face to face transaction (and
even then, how can you really be sure that you "know" them?)  Username and
password are a joke, voice is easily recorded and manipulated, biometrics
can be fooled with scotch tape or other means.  Someone can swipe your RSA
FOB etc...

I am sure terrorists are using VoIP, they aren't stupid (when it comes to
technology).  They have been merging messages into images and posting them
on the internet for years.  That takes more know how than placing a voip
call.

Thanks,
Steve Totaro


----- Original Message ----- 
From: "Brian Cuthie" <brian at systemix.com>
To: <asterisk-users at lists.digium.com>
Sent: Thursday, July 08, 2004 8:28 AM
Subject: Re: [Asterisk-Users] VoIP hackers gut Caller ID


>
> The real problem here is that people shouldn't be using callerid as an
> authentication scheme. Lots of people have had the ability to set
> arbitrary clid for years and yet banks and other institutions have
> stupidly used it to authenticate callers. Complaints should be directed
> to them and not the VoIP industry.
>
> -brian
>
>
> Alex wrote:
>
> >Here is what you can possibly do:
> > - Steal calling cards if they are using caller id authentication
> >scheme
> > - Get access to personal banking information (Citibank uses callerid
> >as part of authentication process.)
> > - Purchase goods and services backed up by calling verification.
> >
> >I can go on and on for hours. Main point of story that s@#t will hit the fan
> >and VOIP will be regulated badly. Especially if some known terrorist will
> >confess about using Vonage in Afghanistan.....or some of drug dealers/weapon
> >traders will be caught .....
> >
> >But generally author of that article is an idiot. He does not understand the
> >difference between VOIP and ISDN PRI.
> >
> >
> >-----Original Message-----
> >From: asterisk-users-admin at lists.digium.com
> >[mailto:asterisk-users-admin at lists.digium.com] On Behalf Of listas iPfone
> >Sent: Wednesday, July 07, 2004 6:26 PM
> >To: asterisk-users at lists.digium.com
> >Subject: Re: [Asterisk-Users] VoIP hackers gut Caller ID
> >
> >This is very interesting...
> >
> >Regulations..USA...
> >
> >But... what can I do faking a caller id? stolen what? what is the point?
> >
> >miklos
> >
> >----- Original Message ----- 
> >From: "Steve Totaro" <asterisk at totarotechnologies.com>
> >To: <asterisk-users at lists.digium.com>
> >Sent: Wednesday, July 07, 2004 12:56 PM
> >Subject: Re: [Asterisk-Users] VoIP hackers gut Caller ID
> >
> >
> >
> >
> >>why regulate?  nobody regulates the return address on a letter sent via
> >>USPS.
> >>
> >>
> >>----- Original Message ----- 
> >>From: "Kevin Walsh" <kevin at cursor.biz>
> >>To: <asterisk-users at lists.digium.com>
> >>Sent: Wednesday, July 07, 2004 10:00 AM
> >>Subject: RE: [Asterisk-Users] VoIP hackers gut Caller ID
> >>
> >>
> >>
> >>
> >>>Adam Hart [adam at teragen.com.au] wrote:
> >>>
> >>>
> >>>>Chris Foster wrote:
> >>>>
> >>>>
> >>>>>The Register is carrying an article written by Kevin Poulsen of
> >>>>>Security Focus, calling asterisk  "..the most powerful tool for
> >>>>>manipulating and accessing CPN data.."
> >>>>>
> >>>>>I hope NuFone doesn't drop asterisk-set-able callerid's after this
> >>>>>article; I've been wanting that feature from VoicePulse for a long
> >>>>>time.
> >>>>>
> >>>>>
> >>>>>
> >>>>These kinds of things will be a reason (excuse) for VoIP to be regulated
> >>>>
> >>>>
> >>>>
> >>>Perhaps service providers who allow the Caller*ID to be set should
> >>>insist that customers provide evidence that they own the phone numbers
> >>>that they want to publish, and then limit the customers' choices to
> >>>only the numbers in their approved list.  Calling the customer on the
> >>>provided number(s) would be an easy way to check, and a setup fee
> >>>could be levied to cover the provider's time and expenses, if required.
> >>>
> >>>Being able to discover a "blocked" Caller*ID is another matter.  Both
> >>>are good areas for regulation.
> >>>
> >>>-- 
> >>>   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
> >>>  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
> >>> _/ _/    _/          _/ _/     _/    _/  _/_/    kevin at cursor.biz
> >>>_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
> >>>
> >>>_______________________________________________
> >>>Asterisk-Users mailing list
> >>>Asterisk-Users at lists.digium.com
> >>>http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>To UNSUBSCRIBE or update options visit:
> >>>   http://lists.digium.com/mailman/listinfo/asterisk-users
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
>
>



