[asterisk-users] How to detect fake CallerID? (8xx?)

Thu May 11 06:47:49 CDT 2017

On Wednesday 10 May 2017, Steve Edwards wrote:
> On Wed, 10 May 2017, J Montoya or A J Stiles wrote:
> > Presumably your staff carry mobile phones.  What about an app that gets
> > the ID of the cell tower to which it is connected, and passes it and the
> > SIM number in a HTTP request to a server you control?
> 
> The problem is that they are supposed to use the 'site landline' to
> confirm presence -- not their cell phone with the spoofed CID.

Yes; but the whole point is that the caller ID from the site landline is no 
longer reliable enough as evidence, by itself, that somebody is actually 
there.

A custom app could read the ID of the cell tower to which it was connected -- 
or even the phone's GPS co-ordinates -- and transmit that back to base over 
the Internet.  Preferrably with some sort of precautions to make the request 
harder to forge  (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and 
CID in the query string).  If your app makes its connection via the site's wi-
fi  (which will require the co-operation of the client)  as opposed to the 
mobile network, so much the better, as there will be an IP address against 
which you can match.

If you insist to use the site landline for your authentication, you could 
extend the protocol to a full challenge-and-response as follows:  Play a 
series of digits down the line to the caller, return the call as soon as they 
hang up, and ask them to dial the same digits they just heard.  All this can 
be done in the dialplan  (you might need to record some announcements of your 
own, such as "Please memorise the following digits" and "Please dial the 
digits you heard in the last call").  

Intercepting incoming calls *to* a number is much harder  (usually requiring 
the co-operation of telcos, unless the interloper has access to some equipment 
through which they know that the call will be routed; that potentially 
includes your Asterisk, but any tampering there would be evident)  than 
falsifying outgoing calls *from* a number.  

It would be much more fun to mount a "sting" operation to catch the 
perpetrators red-handed   (say, falsely set off a fire alarm while you know they 
are slacking off down the pub instead of looking after the site like they are 
paid for)  .....  but maybe I have just been watching too many detective 
dramas on TV!

-- 
JM

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .