On Wed, 10 May 2017, J Montoya or A J Stiles wrote:> Presumably your staff carry mobile phones. What about an app that gets > the ID of the cell tower to which it is connected, and passes it and the > SIM number in a HTTP request to a server you control?The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID. -- Thanks in advance, ------------------------------------------------------------------------- Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281
Sebastian Nielsen
2017-May-10 19:45 UTC
[asterisk-users] How to detect fake CallerID? (8xx?)
Use a callback. So when clocking in/out, they will hear a random 4 digit PIN, like "Enter four, three, six, eight at the callback". After they hangup, the phone will ring, and then they will have confirm with the 4 digit PIN. If they arent in presence: the phone at the site will ring, and the person at site (that isn't your employee) cannot carelessly just OK it because they haven't heard the PIN. If they are in presence: the phone at the site will ring, and the employee will be able to enter the PIN they just heard. If they fake the callerID or not at the initial call, does not matter, since you have verified with a callback. -----Ursprungligt meddelande----- Fr?n: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] F?r Steve Edwards Skickat: den 10 maj 2017 19:13 Till: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com> ?mne: Re: [asterisk-users] How to detect fake CallerID? (8xx?) On Wed, 10 May 2017, J Montoya or A J Stiles wrote:> Presumably your staff carry mobile phones. What about an app that > gets the ID of the cell tower to which it is connected, and passes it > and the SIM number in a HTTP request to a server you control?The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID. -- Thanks in advance, ------------------------------------------------------------------------- Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281 -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 6298 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170510/dddba1af/attachment.bin>
It's probably not practical to have them answering the client's telephone! At a lot of sites, incoming calls would be handled by auto attendant, diverted to answering service, etc. --Don -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sebastian Nielsen Sent: Wednesday, May 10, 2017 2:46 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?) Use a callback. So when clocking in/out, they will hear a random 4 digit PIN, like "Enter four, three, six, eight at the callback". After they hangup, the phone will ring, and then they will have confirm with the 4 digit PIN. If they arent in presence: the phone at the site will ring, and the person at site (that isn't your employee) cannot carelessly just OK it because they haven't heard the PIN. If they are in presence: the phone at the site will ring, and the employee will be able to enter the PIN they just heard. If they fake the callerID or not at the initial call, does not matter, since you have verified with a callback. -----Ursprungligt meddelande----- Fr?n: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] F?r Steve Edwards Skickat: den 10 maj 2017 19:13 Till: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com> ?mne: Re: [asterisk-users] How to detect fake CallerID? (8xx?) On Wed, 10 May 2017, J Montoya or A J Stiles wrote:> Presumably your staff carry mobile phones. What about an app that > gets the ID of the cell tower to which it is connected, and passes it > and the SIM number in a HTTP request to a server you control?The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID. -- Thanks in advance, ------------------------------------------------------------------------- Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281 -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
J Montoya or A J Stiles
2017-May-11 11:47 UTC
[asterisk-users] How to detect fake CallerID? (8xx?)
On Wednesday 10 May 2017, Steve Edwards wrote:> On Wed, 10 May 2017, J Montoya or A J Stiles wrote: > > Presumably your staff carry mobile phones. What about an app that gets > > the ID of the cell tower to which it is connected, and passes it and the > > SIM number in a HTTP request to a server you control? > > The problem is that they are supposed to use the 'site landline' to > confirm presence -- not their cell phone with the spoofed CID.Yes; but the whole point is that the caller ID from the site landline is no longer reliable enough as evidence, by itself, that somebody is actually there. A custom app could read the ID of the cell tower to which it was connected -- or even the phone's GPS co-ordinates -- and transmit that back to base over the Internet. Preferrably with some sort of precautions to make the request harder to forge (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and CID in the query string). If your app makes its connection via the site's wi- fi (which will require the co-operation of the client) as opposed to the mobile network, so much the better, as there will be an IP address against which you can match. If you insist to use the site landline for your authentication, you could extend the protocol to a full challenge-and-response as follows: Play a series of digits down the line to the caller, return the call as soon as they hang up, and ask them to dial the same digits they just heard. All this can be done in the dialplan (you might need to record some announcements of your own, such as "Please memorise the following digits" and "Please dial the digits you heard in the last call"). Intercepting incoming calls *to* a number is much harder (usually requiring the co-operation of telcos, unless the interloper has access to some equipment through which they know that the call will be routed; that potentially includes your Asterisk, but any tampering there would be evident) than falsifying outgoing calls *from* a number. It would be much more fun to mount a "sting" operation to catch the perpetrators red-handed (say, falsely set off a fire alarm while you know they are slacking off down the pub instead of looking after the site like they are paid for) ..... but maybe I have just been watching too many detective dramas on TV! -- JM Note: Originating address only accepts e-mail from list! If replying off- list, change address to asterisk1list at earthshod dot co dot uk .
Seems like this is the best idea (challenge-response), a callback. No matter the callerid, you don't know where the caller is. But if you place a call BACK to the callerid, it's going to go to the destination. Then you either need the phone to be answered, or the phone to be answered and and the challenge entered. Adam Goldberg AGP, LLC +1-202-507-9900 -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of J Montoya or A J Stiles Sent: Thursday, May 11, 2017 7:48 AM To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com> Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?) On Wednesday 10 May 2017, Steve Edwards wrote:> On Wed, 10 May 2017, J Montoya or A J Stiles wrote: > > Presumably your staff carry mobile phones. What about an app that > > gets the ID of the cell tower to which it is connected, and passes > > it and the SIM number in a HTTP request to a server you control? > > The problem is that they are supposed to use the 'site landline' to > confirm presence -- not their cell phone with the spoofed CID.Yes; but the whole point is that the caller ID from the site landline is no longer reliable enough as evidence, by itself, that somebody is actually there. A custom app could read the ID of the cell tower to which it was connected -- or even the phone's GPS co-ordinates -- and transmit that back to base over the Internet. Preferrably with some sort of precautions to make the request harder to forge (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and CID in the query string). If your app makes its connection via the site's wi- fi (which will require the co-operation of the client) as opposed to the mobile network, so much the better, as there will be an IP address against which you can match. If you insist to use the site landline for your authentication, you could extend the protocol to a full challenge-and-response as follows: Play a series of digits down the line to the caller, return the call as soon as they hang up, and ask them to dial the same digits they just heard. All this can be done in the dialplan (you might need to record some announcements of your own, such as "Please memorise the following digits" and "Please dial the digits you heard in the last call"). Intercepting incoming calls *to* a number is much harder (usually requiring the co-operation of telcos, unless the interloper has access to some equipment through which they know that the call will be routed; that potentially includes your Asterisk, but any tampering there would be evident) than falsifying outgoing calls *from* a number. It would be much more fun to mount a "sting" operation to catch the perpetrators red-handed (say, falsely set off a fire alarm while you know they are slacking off down the pub instead of looking after the site like they are paid for) ..... but maybe I have just been watching too many detective dramas on TV! -- JM Note: Originating address only accepts e-mail from list! If replying off- list, change address to asterisk1list at earthshod dot co dot uk . -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users