I have a 'time and attendance' application. Think janitorial or security
kind of thing where an employee goes from location to location.
They're supposed to 'clock in' when they get to a site using a phone
at
that site to prove they're there.
Some employees have discovered 'fake caller ID' services can be used to
say they're on site when they are not.
How can I detect a fake CallerID? The INVITE looks the same to me.
If I have the employees call an 8xx number, can I ask my SIP provider to
include more headers to show the real ANI? What would that service be
called?
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
>>> I ask my SIP provider to include more headers to show the real ANI? What would that service be >>> called?If it's anything like a PRI provider, I've been told they only way to get true CID, in those instances, would be to provide a 1-800 number (US) for them to call. Then you'd get correct CID, since you're paying for both legs of the call. I do not know if this holds true for a SIP provider, Doug
It's approximately impossible with current infrastructure. https://transition.fcc.gov/cgb/Robocall-Strike-Force-Final-Report.pdf Adam Goldberg AGP, LLC +1-202-507-9900 -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Doug Lytle Sent: Wednesday, May 10, 2017 11:24 AM To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com> Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)>>> I ask my SIP provider to include more headers to show the real ANI? >>> What would that service be called?If it's anything like a PRI provider, I've been told they only way to get true CID, in those instances, would be to provide a 1-800 number (US) for them to call. Then you'd get correct CID, since you're paying for both legs of the call. I do not know if this holds true for a SIP provider, Doug -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
On Wed, May 10, 2017 at 10:11 AM, Steve Edwards <asterisk.org at sedwards.com> wrote:> I have a 'time and attendance' application. Think janitorial or security > kind of thing where an employee goes from location to location. > > They're supposed to 'clock in' when they get to a site using a phone at > that site to prove they're there. > > Some employees have discovered 'fake caller ID' services can be used to > say they're on site when they are not. > > How can I detect a fake CallerID? The INVITE looks the same to me. > > If I have the employees call an 8xx number, can I ask my SIP provider to > include more headers to show the real ANI? What would that service be > called? > > -- > Thanks in advance, > ------------------------------------------------------------------------- > Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST > https://www.linkedin.com/in/steve-edwards-4244281 > >For dangerous material sites a call back was used. They call in and get a code, the system calls back and asks for the code. Convoluted yes, the call back was all that was really needed to thwart the fraud. A simple RFID pad setup could be built to use low usage GSM plan to tag in the RFID on site. But this is beyond the scope of telephony. -- - Andrew "lathama" Latham - -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170510/0503168e/attachment.html>
J Montoya or A J Stiles
2017-May-10 16:26 UTC
[asterisk-users] How to detect fake CallerID? (8xx?)
On Wednesday 10 May 2017, Steve Edwards wrote:> I have a 'time and attendance' application. Think janitorial or security > kind of thing where an employee goes from location to location. > > They're supposed to 'clock in' when they get to a site using a phone at > that site to prove they're there. > > Some employees have discovered 'fake caller ID' services can be used to > say they're on site when they are not.There are legitimate reasons for faking an ident. For instance, if you are using multiple services in parallel to connect to the Outside World. While we had such a setup, we arranged with our SIP provider to attach numbers associated with our ISDN-30 line to calls we were making. And if you are providing something like a "transparent call recording" service, you need to lay the ident of the incoming call leg onto the outgoing call. Unfortunately, as you've discovered, the service can be abused .....> How can I detect a fake CallerID? The INVITE looks the same to me.You can't. Only the first telephone company through which the call passes can tell for sure where a call is coming from. The next company through whose equipment it is passing can alter it, and nobody downstream be any the wiser. Remember, even although it's now packet-switched and multiple-redundantly- routed underneath, the whole telephone network is still basically emulating an old-fashioned, circuit-switched network; where calls get connected from the originator's local exchange onto a trunk to pass on to another exchange, and all the next exchange downstream knows for sure is which approximate direction it came in from and where it's going to. Information that would once have been implied by which pair of wires the signal was travelling down, is now sent separately, and subject to modification en passant.> If I have the employees call an 8xx number, can I ask my SIP provider to > include more headers to show the real ANI? What would that service be > called?Not really. You need to backtrack a little and rethink. Caller ID is just not something that you can rely on anymore. Presumably your staff carry mobile phones. What about an app that gets the ID of the cell tower to which it is connected, and passes it and the SIM number in a HTTP request to a server you control? You'll obviously need to do some sort of authentication dance, otherwise anyone could just manually craft a URL representing any location. (But since it's your app, you can effectively embed a different key into every copy; so in the worst case, anyone trying anything naughty is only able to spoof one handset. An .apk file is basically a .zip archive; so you should be able to unzip it into a folder structure, use your favourite scripting language to regenerate the keyfile and zip it back up. This might even scale.) -- JM or AJS Note: Originating address only accepts e-mail from list! If replying off- list, change address to asterisk1list at earthshod dot co dot uk .
You have an unusual situation--you suspect caller ID spoofing by a known
person.
Under the Truth in Caller ID Act, FCC rules prohibit any person or entity
from transmitting misleading or inaccurate caller ID information with the
intent to defraud, cause harm, or wrongly obtain anything of value. Anyone
who is illegally spoofing can face penalties of up to $10,000 for each
violation.
Making it clear to your employees that spoofing will result in termination
might be enough.
Requiring employees to have a phone that you can locate would allow you to
check from time to time.
--Don
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Edwards
Sent: Wednesday, May 10, 2017 10:12 AM
To: Asterisk Users Mailing List
Subject: [asterisk-users] How to detect fake CallerID? (8xx?)
I have a 'time and attendance' application. Think janitorial or security
kind of thing where an employee goes from location to location.
They're supposed to 'clock in' when they get to a site using a phone
at that
site to prove they're there.
Some employees have discovered 'fake caller ID' services can be used to
say
they're on site when they are not.
How can I detect a fake CallerID? The INVITE looks the same to me.
If I have the employees call an 8xx number, can I ask my SIP provider to
include more headers to show the real ANI? What would that service be
called?
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at:
https://community.asterisk.org/
New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
On Wed, 10 May 2017, J Montoya or A J Stiles wrote:> Presumably your staff carry mobile phones. What about an app that gets > the ID of the cell tower to which it is connected, and passes it and the > SIM number in a HTTP request to a server you control?The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID. -- Thanks in advance, ------------------------------------------------------------------------- Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281
Rather than that, if you're looking for a phone solution - as part of the customer contract, install an IP phone that registers with your system (use a VPN tunnel to your phone system). Think of it like a "red-phone" hotline. You own the phone, and you physically install it and it only talks to your system via a SIP registration. That way you can confirm the physical source of the call origination, and you can control what the phone will be able to call (make a to speed dial a base-64 address - something that can't be dialed with a conventional phone line, block all other outgoing numbers). A nice side effect of this is that you give your employees/contractors a fixed and predictable way of getting in touch with management if there is a problem (just another speed-dial number). Keep in mind that without a "Something you are" factor of authentication, people have the escape route of telling their coworker "hey log me in...". Fingerprint, hand scan, or retina reading are the most common ways to verify the presence of a live person at a fixed point. It's unfortunate that you have this problem, I've seen it before though. To paraphrase Jeff Goldbloom's Dr. Malcom in Jurasic Park: "Life finds a way...". I have been shocked and amazed at the ingenuity of people to be lazy and cheat or game a system. What you are running into is the same problem we have with websites - if you don't 100% control the end to end communication and the devices, you can't trust any data coming into your system!!! A common way for security patrol auditing is to install iButtons with a unique 64-bit number and a secure transaction function. A patrol or janitor would have to physically touch the read to the iButton at specified way-points for a read to occur and be logged, and the patrol or janitor turns in the reader after every shift for download and auditing. -Tim On Wed, May 10, 2017 at 8:11 AM, Steve Edwards <asterisk.org at sedwards.com> wrote:> I have a 'time and attendance' application. Think janitorial or security > kind of thing where an employee goes from location to location. > > They're supposed to 'clock in' when they get to a site using a phone at > that site to prove they're there. > > Some employees have discovered 'fake caller ID' services can be used to > say they're on site when they are not. > > How can I detect a fake CallerID? The INVITE looks the same to me. > > If I have the employees call an 8xx number, can I ask my SIP provider to > include more headers to show the real ANI? What would that service be > called? > > -- > Thanks in advance, > ------------------------------------------------------------------------- > Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST > https://www.linkedin.com/in/steve-edwards-4244281 > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > Check out the new Asterisk community forum at: > https://community.asterisk.org/ > > New to Asterisk? Start here: > https://wiki.asterisk.org/wiki/display/AST/Getting+Started > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170510/d84e8fb8/attachment.html>