Dont Believe That Lying Telephone

Opinion: Through the miracle of software, telephony technology is opening up to the masses, including the unscrupulous masses.

Other than me, it seems like you cant trust anything anymore. The latest item on the official "Untrustworthy List" is Caller ID.

Ive had a low opinion of it for a long time anyway. A high percentage of calls come from "Private Caller" or "Out of Area" or some such unhelpful designation, and many of these calls are from people I want to talk to.

But it turns out that Caller ID is easily spoofed using modern PBX software, principally the open-source Asterisk system. And it was never really trustworthy to begin with; its no scandal that Asterisk allows spoofing, since spoofing is a feature, not a bug in the system.

Actually, you dont really need a PBX; you can just buy a Spoofcard. Its a pre-paid calling card with 800 service. You call the 800 number and tell it not only the number to call, but the number to display on Caller ID.

They insist that the service is perfectly legal, and Spoofcard has been around for a long time (in technology terms). Legitimate businesses do this sort of thing all the time too in cases where the number making the call isnt the one the business wants the user to call back.

The real news is that Asterisk makes this sort of spoofing, and other attacks, easy and programmable for automated attacks.

As Richi Jennings of analyst group Ferris Research puts it, there are two main telephony threat vectors used by criminals to empty customers bank accounts:

  1. Calling bank customers, pretending to be the bank, trying to steal passwords and other information.
  2. Calling the bank, pretending to be the customer, trying to change addresses, passwords and other credentials.
The second one is particularly stunning for what it says about bank security. Jennings recounted an example of someone who found their billing address on a credit card account changed.

It turned out that an attacker had called, spoofing the customers Caller ID, to change the address, and the bank changed it, at least in part because the Caller ID matched.

Even though a caller can spoof Caller ID with a PBX, there are (probably) still records that can cause the call to be traced to him, assuming someone is willing to go to the trouble.

There is ANI (Automatic Number Identification) information, used for billing callers of 800 numbers, and other billing records at the telcos, and similar facilities outside of the US.

But these are better-suited to forensic analysis, as opposed to letting a call recipient know who the caller is at the moment. And spoofing is just the begriming of the fraudulent activities that systems like Asterisk enable.

At the recent Black Hat conference, Jay Schulman presented, here in PDF form, on "Phishing with Asterisk PBX."

Imagine whole attack-oriented voice response systems, programmed to call users and retrieve their confidential information.

Schulman demonstrated shifty techniques, like forwarding the call at the end to the service number of the company being attacked. This might increase credibility in the system.

Voice over IP calls are so cheap these days that its no big deal for the system to make outbound calls too, initiating the sort of emergency described in most phishing attacks, with Caller ID pointing to the actual banks phone number: "Hello. Due to a recent compromise of account information, we are attempting to re-authenticate all users. Please enter your 16-digit account number..." The call could be coming from anywhere, including halfway across the world.

Telephony these days is a perfect storm of fraud-friendly technologies, and the public is ill-prepared for it. With computers, at least they have been trained to know that theres a lot of fraud, but everyone has grown up with telephones, and fraud in the system is not a fact of everyday life. When it all shakes out it could be much worse in impact than computer phishing.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.

28571.gif

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.