Don't Believe That Lying Telephone

By Larry Seltzer  |  Posted 2006-08-16

Opinion: Through the miracle of software, telephony technology is opening up to the masses, including the unscrupulous masses.

Other than me, it seems like you can't trust anything anymore. The latest item on the official "Untrustworthy List" is Caller ID. I've had a low opinion of it for a long time anyway. A high percentage of calls come from "Private Caller" or "Out of Area" or some such unhelpful designation, and many of these calls are from people I want to talk to.

But it turns out that Caller ID is easily spoofed using modern PBX software, principally the open-source Asterisk system. And it was never really trustworthy to begin with; it's no scandal that Asterisk allows spoofing, since spoofing is a feature, not a bug in the system.

Actually, you don't really need a PBX; you can just buy a Spoofcard. It's a pre-paid calling card with 800 service. You call the 800 number and tell it not only the number to call, but the number to display on Caller ID.

They insist that the service is perfectly legal, and Spoofcard has been around for a long time (in technology terms). Legitimate businesses do this sort of thing all the time too in cases where the number making the call isn't the one the business wants the user to call back.

The real news is that Asterisk makes this sort of spoofing, and other attacks, easy and programmable for automated attacks.

As Richi Jennings of analyst group Ferris Research puts it, there are two main telephony threat vectors used by criminals to empty customers' bank accounts:
  1. Calling bank customers, pretending to be the bank, trying to steal passwords and other information.
  2. Calling the bank, pretending to be the customer, trying to change addresses, passwords and other credentials.
The second one is particularly stunning for what it says about bank security. Jennings recounted an example of someone who found their billing address on a credit card account changed. It turned out that an attacker had called, spoofing the customer's Caller ID, to change the address, and the bank changed it, at least in part because the Caller ID matched.

Even though a caller can spoof Caller ID with a PBX, there are (probably) still records that can cause the call to be traced to him, assuming someone is willing to go to the trouble. There is ANI (Automatic Number Identification) information, used for billing callers of 800 numbers, and other billing records at the telcos, and similar facilities outside of the US.

But these are better-suited to forensic analysis, as opposed to letting a call recipient know who the caller is at the moment. And spoofing is just the beginning of the fraudulent activities that systems like Asterisk enable.

At the recent Black Hat conference, Jay Schulman presented, here in PDF form, on "Phishing with Asterisk PBX." Imagine whole attack-oriented voice response systems, programmed to call users and retrieve their confidential information. Schulman demonstrated shifty techniques, like forwarding the call at the end to the service number of the company being attacked. This might increase credibility in the system.

Voice over IP calls are so cheap these days that it's no big deal for the system to make outbound calls too, initiating the sort of emergency described in most phishing attacks, with Caller ID pointing to the actual bank's phone number: "Hello. Due to a recent compromise of account information, we are attempting to re-authenticate all users. Please enter your 16-digit account number..." The call could be coming from anywhere, including halfway across the world.

Telephony these days is a perfect storm of fraud-friendly technologies, and the public is ill-prepared for it. With computers, at least they have been trained to know that there's a lot of fraud, but everyone has grown up with telephones, and fraud in the system is not a fact of everyday life. When it all shakes out it could be much worse in impact than computer phishing.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
