Don't trust Caller ID too much - MegaZone's Safety Valve
The Ramblings of a Damaged Mind
zonereyrie
Don't trust Caller ID too much
Bruce Schneier reports on Caller ID Spoofing.

I knew it was possible to do, but I didn't know it had gotten so easy to do. The security implications for companies that use CID as a verification system are major. I know several of my credit card companies use it to activate new cards, without asking for any other credentials - no PIN, nada. Steal a new card, spoof the CID, and you have an active card. If you have any kind of access system that can use CID with an optional PIN - use the PIN.

Comments
From: bramsmits Date: March 4th, 2006 12:54 pm (UTC)
I'm amazed that this is news. In another life, about 8 years ago, my responsibilities included the company PABX setups. Even then we could emit any CID we liked on our E1 (ISDN primary) trunks. Even though we had offices in 6 cities and trunks on multiple providers, they were all set to send the main number for our head office (i.e. in another area code), and when I was playing around setting up a new one I checked that it had no problems accepting my cellphone number, or any other number, as outgoing CID.
I've never bothered trying it on ISDN basic, always had access to trunks.
From: zonereyrie Date: March 5th, 2006 01:55 am (UTC)
Yeah, it has been possible for ages to do this when you have access to a PBX, but it looks like it is now completely trivial for anyone to do it without needing any special equipment or access.
From: alange Date: March 5th, 2006 07:31 am (UTC)

CID vs ANI

I thought that Caller ID was distinct from the Automatic Number Identification used by 800 numbers. Do the CID spoofing services do the same thing to ANI?
From: zonereyrie Date: March 5th, 2006 07:34 am (UTC)

Re: CID vs ANI

If they use 800 numbers, and admittedly most do, then they can use ANI, which isn't susceptible to the spoofing. But it is up to the receiver to check the ANI.
From: alange Date: March 5th, 2006 09:23 am (UTC)

Re: CID vs ANI

OK, I just wanted to verify the distinction. Every activation I've done has been an 800 number, and I sort of assumed that they'd use ANI. Then again, I usually assume that people (and even groups of people) will do things properly.
