Seems like this is the best idea (challenge-response), a callback. No matter the callerid, you don't know where the caller is. But if you place a call BACK to the callerid, it's going to go to the destination. Then you either need the phone to be answered, or the phone to be answered and the challenge entered.

Adam Goldberg
AGP, LLC
+1-202-507-9900

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of J Montoya or A J Stiles
Sent: Thursday, May 11, 2017 7:48 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wednesday 10 May 2017, Steve Edwards wrote:
> On Wed, 10 May 2017, J Montoya or A J Stiles wrote:
> > Presumably your staff carry mobile phones. What about an app that
> > gets the ID of the cell tower to which it is connected, and passes
> > it and the SIM number in an HTTP request to a server you control?
>
> The problem is that they are supposed to use the 'site landline' to
> confirm presence -- not their cell phone with the spoofed CID.

Yes; but the whole point is that the caller ID from the site landline is no longer reliable enough as evidence, by itself, that somebody is actually there.

A custom app could read the ID of the cell tower to which it was connected -- or even the phone's GPS co-ordinates -- and transmit that back to base over the Internet. Preferably with some sort of precautions to make the request harder to forge (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and CID in the query string). If your app makes its connection via the site's wi-fi (which will require the co-operation of the client) as opposed to the mobile network, so much the better, as there will be an IP address against which you can match.

If you insist on using the site landline for your authentication, you could extend the protocol to a full challenge-and-response as follows: Play a series of digits down the line to the caller, return the call as soon as they hang up, and ask them to dial the same digits they just heard. All this can be done in the dialplan (you might need to record some announcements of your own, such as "Please memorise the following digits" and "Please dial the digits you heard in the last call"). Intercepting incoming calls *to* a number is much harder (usually requiring the co-operation of telcos, unless the interloper has access to some equipment through which they know that the call will be routed; that potentially includes your Asterisk, but any tampering there would be evident) than falsifying outgoing calls *from* a number.

It would be much more fun to mount a "sting" operation to catch the perpetrators red-handed (say, falsely set off a fire alarm while you know they are slacking off down the pub instead of looking after the site like they are paid for) ..... but maybe I have just been watching too many detective dramas on TV!

--
JM

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
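The landline challenge-and-response that J Montoya / A J Stiles sketches above (play digits, hang up, call the number back, ask for the digits), written out as an Asterisk dialplan. This is an added example, not code from the thread or from the Asterisk project. It assumes a PJSIP trunk endpoint named `pstn-trunk`, three prompts you record yourself (`please-memorise-digits`, `we-will-call-you-back`, `please-dial-digits-you-heard`), and an AstDB family `sites` that you populate with the landline numbers you are prepared to call back. It goes slightly beyond the post by adding that allow-list and a five-minute validity window for the challenge.

```ini
; extensions.conf fragment: challenge-and-response callback.
; Added example, not from the thread. Assumed names: PJSIP endpoint
; "pstn-trunk", custom prompts "please-memorise-digits",
; "we-will-call-you-back", "please-dial-digits-you-heard", and an AstDB
; family "sites" holding the landline numbers you will call back.

[site-checkin]
; Step 1: inbound call from the (claimed) site landline. The caller ID is
; untrusted, so nothing is decided here; this leg only sets up the callback.
exten => s,1,NoOp(Check-in attempt, claimed caller ID ${CALLERID(num)})
 ; Only ever call back numbers you registered yourself: the callback is an
 ; outbound call on your trunk, so the caller must not choose its destination.
 same => n,GotoIf(${DB_EXISTS(sites/${CALLERID(num)})}?trusted:unknown)
 same => n(unknown),Hangup()
 same => n(trusted),Set(SITENUM=${CALLERID(num)})
 same => n,Answer()
 same => n,Set(CHAL=${RAND(100000,999999)})
 ; Bind the challenge to the number we will call back, with a timestamp so
 ; the callback leg can enforce a short validity window.
 same => n,Set(DB(chal/${SITENUM})=${CHAL})
 same => n,Set(DB(chalts/${SITENUM})=${EPOCH})
 same => n,Playback(please-memorise-digits)
 same => n,SayDigits(${CHAL})
 same => n,Playback(we-will-call-you-back)
 same => n,Hangup()
; The h extension runs after the caller hangs up: place the return call
; through our own trunk. It reaches the real line whatever caller ID the
; inbound call carried. Originate waits up to 30 s for an answer.
exten => h,1,GotoIf($["${SITENUM}" = ""]?done)
 same => n,Originate(PJSIP/${SITENUM}@pstn-trunk,exten,site-callback,${SITENUM},1,30)
 same => n(done),NoOp(Callback leg finished for ${SITENUM})

[site-callback]
; Step 2: the return call was answered at the site landline; ${EXTEN} is
; the number we dialled, i.e. the key the challenge was stored under.
exten => _X.,1,Set(EXPECTED=${DB(chal/${EXTEN})})
 same => n,GotoIf($["${EXPECTED}" = ""]?expired)
 same => n,Set(AGE=$[${EPOCH} - ${DB(chalts/${EXTEN})}])
 same => n,GotoIf($[${AGE} > 300]?expired)
 same => n,Playback(please-dial-digits-you-heard)
 same => n,Read(RESP,,6,,2,10)          ; 6 digits, two attempts, 10 s each
 same => n,GotoIf($["${RESP}" = "${EXPECTED}"]?ok:fail)
 same => n(ok),NoOp(Presence confirmed at ${EXTEN})
 same => n,Set(DUMMY=${DB_DELETE(chal/${EXTEN})})   ; challenge is one-time use
 same => n,Playback(auth-thankyou)
 same => n,Hangup()
 same => n(fail),NoOp(Challenge mismatch at ${EXTEN})
 same => n,Playback(auth-incorrect)
 same => n,Hangup()
 same => n(expired),NoOp(No valid challenge outstanding for ${EXTEN})
 same => n,Hangup()
```

The allow-list check comes first for a reason: without it, whoever controls the presented caller ID also controls where your trunk dials, and a premium-rate or international number there costs you money before the challenge ever matters. The `ok`, `fail` and `expired` branches are the events worth logging; a run of `fail` entries for one site is the signal that somebody is trying to guess the digits.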
As a client, I don't want service company personnel answering my phone. As a service company, I don't want my clients thinking that I do not trust my employees who are at the client facility.

--Don

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Adam Goldberg
Sent: Thursday, May 11, 2017 8:00 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Sebastian Nielsen
2017-May-11 15:19 UTC
[asterisk-users] How to detect fake CallerID? (8xx?)
Personally, if I was a client, I would rather have the personnel answer the phone than make an outgoing call, if I would choose, if you think of billing and costs. So if a client allows outgoing, I don't think they have any problems with answering a call immediately following either.

But I assume the client will be billed for the time the personnel works there? And that's why you have this "phone verification system", to avoid discussion about how long the company has been there and unfair bills?

Then you could have it this way instead:

1: Give the client (not personnel) a PIN code.
2: The client calls and enters the PIN.
3: The employee gets an SMS/email/push message/paging tone that he can start working.
4: When the employee is done, the client calls again and enters the PIN. This will stop billing.
5: When billing is stopped, the employee gets an SMS/email/push message/paging tone that he can stop working.

This will be rock solid. The employee only needs to check for the SMSes. The SMSes prevent the client from cheating the system to get cheaper service, like claiming to start when the client does not, or calling for stop before the employee is finished, because the employee will only work when he gets the start signal, and will stop working at the stop signal. There's no risk that the client will call in and check in/check out when the employee is not there, because that would cause the client to be billed for rendered services.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Don Kelly
Sent: 11 May 2017 17:04
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)
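Sebastian's client-PIN start/stop scheme above, as an Asterisk dialplan. This is an added example, not code from the thread or from the Asterisk project. It assumes an AstDB family `clientpin` that maps each PIN to a client id (which you populate), AstDB families `job` and `jobstart` for the running state, a prompt `enter-pin` you record yourself, and a placeholder script `/usr/local/bin/notify-employee` that sends the SMS/e-mail/push message (the delivery mechanism is not part of the example). It adds one thing the post does not mention: a limit of three PIN attempts per call.

```ini
; extensions.conf fragment: client-side PIN check-in / check-out.
; Added example, not from the thread. Assumed names: AstDB family
; "clientpin" (PIN -> client id), families "job" and "jobstart",
; prompt "enter-pin", and the placeholder script
; /usr/local/bin/notify-employee <client> start|stop.

[client-checkin]
exten => s,1,Answer()
 same => n,Set(TRIES=0)
 same => n(ask),Read(PIN,enter-pin,8,,1,10)   ; up to 8 digits, 10 s timeout
 ; Look the PIN up; an unknown PIN yields an empty client id.
 same => n,Set(CLIENT=${DB(clientpin/${PIN})})
 same => n,GotoIf($["${CLIENT}" != ""]?known)
 same => n,Set(TRIES=$[${TRIES} + 1])
 same => n,GotoIf($[${TRIES} >= 3]?toomany)
 same => n,Playback(auth-incorrect)
 same => n,Goto(ask)
 ; Same PIN toggles between start and stop, so the state lives in AstDB.
 same => n(known),Set(STATE=${DB(job/${CLIENT})})
 same => n,GotoIf($["${STATE}" = "started"]?stop:start)
 ; Start: record the time and tell the employee to begin.
 same => n(start),Set(DB(job/${CLIENT})=started)
 same => n,Set(DB(jobstart/${CLIENT})=${EPOCH})
 ; Only the admin-assigned client id reaches System(), never the raw digits.
 same => n,System(/usr/local/bin/notify-employee ${CLIENT} start)
 same => n,Playback(auth-thankyou)
 same => n,Hangup()
 ; Stop: compute the billable interval and tell the employee to finish.
 same => n(stop),Set(DB(job/${CLIENT})=stopped)
 same => n,Set(DURATION=$[${EPOCH} - ${DB(jobstart/${CLIENT})}])
 same => n,Log(NOTICE,Client ${CLIENT} billable interval ${DURATION} s)
 same => n,System(/usr/local/bin/notify-employee ${CLIENT} stop)
 same => n,Playback(auth-thankyou)
 same => n,Hangup()
 same => n(toomany),Playback(vm-goodbye)
 same => n,Hangup()
```

Note that this scheme deliberately ignores the caller ID altogether: the PIN, not the line, identifies the client, which is what makes it indifferent to CID spoofing. The attempt limit and the `Log()` line are what a defender wants from it; repeated `toomany` hangups against the same context are the guessing attempts to watch for.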