[asterisk-users] How to detect fake CallerID? (8xx?)

Tim S tim.strommen at gmail.com
Wed May 10 23:36:34 CDT 2017


Rather than that, if you're looking for a phone solution - as part of the
customer contract, install an IP phone that registers with your system (use
a VPN tunnel to your phone system).  Think of it like a "red-phone"
hotline.  You own the phone, and you physically install it and it only
talks to your system via a SIP registration.  That way you can confirm the
physical source of the call origination, and you can control what the phone
will be able to call (make it speed-dial a base-64 address - something
that can't be dialed with a conventional phone line, block all other
outgoing numbers).  A nice side effect of this is that you give your
employees/contractors a fixed and predictable way of getting in touch with
management if there is a problem (just another speed-dial number).

Keep in mind that without a "Something you are" factor of authentication,
people have the escape route of telling their coworker "hey log me in...".
Fingerprint, hand scan, or retina reading are the most common ways to
verify the presence of a live person at a fixed point.

It's unfortunate that you have this problem, I've seen it before though.
To paraphrase Jeff Goldblum's Dr. Malcolm in Jurassic Park: "Life finds a
way...".  I have been shocked and amazed at the ingenuity of people to be
lazy and cheat or game a system.  What you are running into is the same
problem we have with websites - if you don't 100% control the end to end
communication and the devices, you can't trust any data coming into your
system!!!

A common way for security patrol auditing is to install iButtons with a
unique 64-bit number and a secure transaction function.  A patrol or
janitor would have to physically touch the reader to the iButton at specified
way-points for a read to occur and be logged, and the patrol or janitor
turns in the reader after every shift for download and auditing.

-Tim

On Wed, May 10, 2017 at 8:11 AM, Steve Edwards <asterisk.org at sedwards.com>
wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
>
> How can I detect a fake CallerID? The INVITE looks the same to me.
>
> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?
>
> --
> Thanks in advance,
> -------------------------------------------------------------------------
> Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
>             https://www.linkedin.com/in/steve-edwards-4244281
>


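The locked-down site phone suggested in the reply above, sketched as Asterisk configuration. This is an added example, not part of the original thread; it assumes chan_pjsip, and the endpoint name, VPN address, speed-dial string, AGI script name and manager endpoint are all constructed placeholders.

```ini
; ---- pjsip.conf (added example; all names and addresses are constructed) ----
[transport-vpn]
type=transport
protocol=udp
bind=10.8.0.1:5060          ; VPN-side address only, so registration is reachable only through the tunnel

[site-0042]                 ; one endpoint per physically installed phone
type=endpoint
transport=transport-vpn
context=site-clockin        ; the only dialplan context this phone can reach
disallow=all
allow=ulaw
auth=site-0042
aors=site-0042

[site-0042]
type=auth
auth_type=userpass
username=site-0042
password=REPLACE_WITH_LONG_RANDOM_SECRET

[site-0042]
type=aor
max_contacts=1              ; a single registered device per site
remove_existing=yes

; ---- extensions.conf ----
[site-clockin]
; Speed-dial target: an alphanumeric string that cannot be keyed from a
; conventional phone line. Constructed value; use a random one per site.
exten => c2l0ZS0wMDQy,1,NoOp(Clock-in from ${CHANNEL(endpoint)})
 same => n,Answer()
 ; Log the authenticated endpoint name, not the caller ID.
 ; clockin.agi is a hypothetical script.
 same => n,AGI(clockin.agi,${CHANNEL(endpoint)})
 same => n,Hangup()

; Second speed dial: a fixed way to reach management (hypothetical endpoint).
exten => mgmt,1,Dial(PJSIP/duty-manager,30)
 same => n,Hangup()

; No other extensions, patterns or includes in this context, so every
; other number dialed from the site phone is rejected.
```

The clock-in record is keyed on the endpoint that authenticated the registration, so the caller ID presented in the INVITE plays no part in deciding which site the call came from.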