It's probably not practical to have them answering the client's telephone! At a lot of sites, incoming calls would be handled by auto attendant, diverted to answering service, etc.

--Don

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sebastian Nielsen
Sent: Wednesday, May 10, 2017 2:46 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

Use a callback. So when clocking in/out, they will hear a random 4 digit PIN, like "Enter four, three, six, eight at the callback". After they hang up, the phone will ring, and then they will have to confirm with the 4 digit PIN.

If they aren't in presence: the phone at the site will ring, and the person at site (that isn't your employee) cannot carelessly just OK it because they haven't heard the PIN.

If they are in presence: the phone at the site will ring, and the employee will be able to enter the PIN they just heard.

If they fake the callerID or not at the initial call, it does not matter, since you have verified with a callback.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Edwards
Sent: May 10, 2017 19:13
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones. What about an app that
> gets the ID of the cell tower to which it is connected, and passes it
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
Sebastian Nielsen
2017-May-10 20:15 UTC
[asterisk-users] How to detect fake CallerID? (8xx?)
Since the callback happens immediately after hanging up, the risk of answering a call that isn't theirs is minimal.

For those sites that divert their incoming calls to a PBX or answering machine, you could have some config/database that excepts these sites from callback verification. (which means these sites run into risk of fake callerID).

Another variant could be that they must visit a specific website using a Wifi or computer at the client. You record the IP. Spoofing the IP in a TCP three-way handshake is almost impossible.

The thing is then to be able to record which IP is the client, but if your services are ordered by the client via some web form, you could have that IP be recorded as "client IP" and the employee must check in/check out from that IP.

This could be used in unison with the phone verification, so the employee can select which fits best for the environment. (e.g., they choose phone verification or web verification)
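The callback check described in the message above, modelled as an added example (not code from the thread or from Asterisk): the class name, the timeout, the attempt limit and the fictional 555-01xx numbers are assumptions. The callback always dials the landline on file, so a spoofed caller ID only makes the real site's phone ring for someone who never heard the PIN.

```python
import hmac
import secrets
import time

PIN_TTL = 120      # seconds a PIN stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong entries allowed per callback (assumed value)


class CallbackVerifier:
    """Hypothetical model of the clock-in callback; not an Asterisk API."""

    def __init__(self, landlines, exempt=(), clock=time.monotonic):
        self.landlines = set(landlines)  # site landlines on file
        self.exempt = set(exempt)        # sites whose inbound calls are diverted
        self.clock = clock
        self.pending = {}                # landline -> [pin, expiry, tries, employee]

    def start(self, employee, presented_cid):
        """Inbound call: decide what to do with the (unverified) caller ID."""
        if presented_cid not in self.landlines:
            return ("reject", None, None)
        if presented_cid in self.exempt:
            # No callback possible: presence rests on caller ID alone.
            return ("exempt", None, None)
        pin = f"{secrets.randbelow(10000):04d}"  # CSPRNG, keeps leading zeros
        self.pending[presented_cid] = [pin, self.clock() + PIN_TTL,
                                       MAX_ATTEMPTS, employee]
        # Read the PIN to the caller, hang up, then dial the number on file.
        return ("callback", pin, presented_cid)

    def confirm(self, landline, digits):
        """Callback leg: return the verified employee, or None."""
        entry = self.pending.get(landline)
        if entry is None:
            return None
        pin, expiry, _, employee = entry
        if self.clock() > expiry:
            del self.pending[landline]           # stale challenge
            return None
        if hmac.compare_digest(pin.encode(), digits.encode()):
            del self.pending[landline]           # one-time use
            return employee
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[landline]           # stop PIN guessing
        return None


# Constructed sample data: fictional 555-01xx site landlines.
SITES = {"+12025550100", "+12025550101"}
```

With these limits a blind guesser at the site gets 3 tries out of 10,000 possible PINs per callback, and the exempt path is exactly the caller-ID-only risk the message mentions.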
On 2017-05-10 04:15 PM, Sebastian Nielsen wrote:

> The thing is then to be able to record which IP is the client, but if your
> services are ordered by the client via some web form, you could have that IP
> be recorded as "client IP" and the employee must check in/check out from
> that IP.

IPs change. Also, the client may not have ordered the service from the office. They may have bought the service for multiple locations from head office. Too many variables.

You may have to think about hardware. Some sort of RF device installed at the client with a unique ID. The employee waves his keychain at the device, it connects to your office and sends the employee's ID and its own. A card reader is another possibility or bar code reader.

Of course that's not a phone solution so I guess it is off topic here.

--
D'Arcy J.M. Cain
Vybe Networks Inc.
http://www.VybeNetworks.com/
IM:darcy at Vex.Net VoIP: sip:darcy at VybeNetworks.com