Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror

New Google Service Manipulates Caller-ID For Free 116

Posted by kdawson
from the party-to-whom-you-are-speaking dept.
Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."
This discussion has been archived. No new comments can be posted.

New Google Service Manipulates Caller-ID For Free

Comments Filter:
  • Uh... (Score:5, Informative)

    by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Saturday November 18, 2006 @07:34PM (#16900626) Homepage Journal
    Not exactly new... [slashdot.org].
  • by Salvance (1014001) * on Saturday November 18, 2006 @07:35PM (#16900634) Homepage Journal
    Finally, technology that gives power back to the teenage prankster. Now "Hey, did you know your refridgerator is running?" calls will be answered with "Yes Mr. President, I did ... Oh, and by the way, your voice sounds so much younger in person" instead of "Johnny, please hangup the phone before I tell your mother".
  • by glasn0st (564873) * on Saturday November 18, 2006 @07:35PM (#16900636) Homepage
    Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.

    It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.

    I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailinglist without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.

    However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.
    • Personally, I think the verification portion should NEVER call the phone.
      However, after telling google you want to use a certain phone, you must dial a number displayed on screen to confirm - it doesn't have to be connected, simply ringing will be enough of a verification and should not cost any money.
    • by Anonymous Coward
      1. Use the strongest language possible. Calling names is always effective, and four-letter words show that you mean business.

      2. Having a violent opinion of something doesn't require you to actually try it yourself. After all, plenty of people heatedly object to books they haven't read or movies they haven't seen. Heck, you can imagine perfectly well if something is any good.

      3. If it's a positive review that you didn't like, call the reviewer a "fanboy." Do not entertain the notion that the product, service,
    • The service is controlled by a single party that can make changes easily.

      It would be very easy for Google to implement a verification mechanism.

      I thought for a second that you were making sense. Google isn't the issue, the caller-id/phone system is crap.

      it would be a huge improvement for the Phone system to at least be reliable to the same country of origin, but that would hurt the telemarketers, the phone companies won't do that...

      If the DMA, etc wants to ever do business with me over the phone again, the

      • Just earlier today my phone rang with "UNKNOWN/UNKNOWN". Assuming telemarketer or bill collector, I decided to answer anyway (out of boredom).

        Turns out, it was the Indiana State Fraternal Order of Police, soliciting donations. I realize such "non-profit" organisations are exempt from the "Do Not Call" list laws, but why do they chose to hide the caller ID info? For all I know, it could easily be a scammer pretending to be the FOP. I give my CC or bank account number to the random person calling my home, and
        • Re: (Score:1, Offtopic)

          by Dare nMc (468959)

          "Do Not Call" list laws, but why do they chose to hide the caller ID info? For all I know, it could easily be a scammer pretending to be the FOP.

          well the "State Fraternal Order of Police" calls I get are exactly that, basically a scam. They were not a tax deductible contribution, when asked, it was 80% of profits to police widdows or something, they couldn't answer what % of donation that was. I forget, but I was able to find something around 2-5% of the donation in a local papers investigative report. T

          • They were using a speed dialer, so they don't want call backs on the caller-id asking why they called and hung up on ya. because they were a for profit organization raising donations for FOP they wouldn't have even been able to guess who had called for what cause.

            This makes sense to me. For the last week I've been getting "UNKNOWN" calls, never leaving a message (since of course I don't answer calls I don't recognize). Once I finally answered one (partly out of boredom, partly wanting to know who it was) th
            • by Dare nMc (468959)

              and while I don't have anything against the FOP directly, these tactics (stories encouraging guilt/sympathy, blocking caller-ID) don't do much to inspire confidence

              I should have made that clear in my post, I think the real FOP is a really good orginazation (but I am not 100% sure of that.)
              but if only one chapter in a state agrees to take money from a scumm telemarketer (telemarketers are not all scum) then that lends legitimaicy to the telemarketers so they can claim the same higher values of all the FOP ch

    • Google is NOT the problem.

      The problem is NOT that Google is letting you fake CallerID - it's that CallerID is trusted by anybody, when the telcos don't care a lick about securing it. (There are dozens of for-pay but cheap services to alter your callerID...) I'd even accept a nontechnological solution involving it being both criminally and civilly illegal for you to spoof it. But that clearly doesn't exist, either.

      If anything I hope this abuse gets really widespread and callerID gets dropped as a trustwor
    • The whole point of this (really stupid) idea is that the service will be more convenient than picking up the phone and dialing people.

      We we heard about this at work, we spent about 45 minutes setting up crank calls for sex therapists, hair club for men, chinese food joints, etc.
  • by NineNine (235196) on Saturday November 18, 2006 @07:36PM (#16900652)
    This is stupid. It's a non-issue. The advertiser has to opt-in. Hell, I'm guessing that the advertiser is going to have to pay for it (it's part of AdWords). If the advertiser chooses to try it, and gets too much crap, the advertiser can stop it.

    As a business owner, if I used AdWords (I don't... too much click fraud), I'd try it, because any way that customers can contact you easier is generally good. But if it gets abused by a bunch of 12 year old's, I'd cut it in a heartbeat.
    • by 42forty-two42 (532340) <bdonlan@gmail . c om> on Saturday November 18, 2006 @07:41PM (#16900684) Homepage Journal
      It's not opt-in anymore. Take a look at maps.google.com - search for a business and they'll ALL have the click-to-call thingy on them.
    • by lenroc (632180) on Saturday November 18, 2006 @07:59PM (#16900798)

      However, the problem the blogger is concerned about is not the abuse you're thinking of. The problem is that a nefarious user could put click the "Call" link on a Business listing, but put in someone else's phone number. The "Caller-ID spoofing" part comes in here: Google's service calls the phone number entered, but the Caller-ID shows the number of the business that the "attacker" chose.

      If, when the person picks up the phone, they are immediately connected to the business, they would assume that the business called them. The blogger is apparently envisioning something of a "Joe job" [wikipedia.org] style attack.

      However, this is easily protected against. Instead of connecting to the business directly, all Google has to do is play a recording along the lines of: "This is Google, calling since you entered your phone number on the "Click to Call" service, please press 1 to connect to the business you selected. If you did not initiate this, please hang up or press 2 to disable this service for this phone number."

      • They could do what Skype does with its SMS service; before your SMS messages sent from Skype can be identified as coming from your mobile phone, you must validate your phone by entering a code Skype sends to it. If you required a Google account and a single, validated telephone number in order to use click-to-call, this would solve the large majority of casual spoofed/prank calls.
  • by CerebusUS (21051) on Saturday November 18, 2006 @07:41PM (#16900682)
    Much like SMTP relies on the sending email client/server to not lie about the originators email address, Caller ID relies on the PBX originating the call to set the caller ID value. There's no other way for the phone system to be able to deliver the correct direct-dial extension, only the PBX truly knows what the extension is, the phone company only knows the trunk id that the call comes from. As long as that's the case, there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.

    • by XorNand (517466) * on Saturday November 18, 2006 @07:59PM (#16900792)
      Comparing CallerID to SMTP is a pretty good analogy. However I don't agree that either of them are "broken". Neither of the two were designed with authentication in mind, nor were they ever advertised as a means of security. Before CID, you had to actually answer the phone to see who was on the other end. CID was introduced as a conveniance feature, not a security feature. It's people's expectations that are broken, not the technologies.
    • by Anonymous Coward
      Get the cheapest digital answering machine you can find. Set it to pick-up after one ring. Ask for the caller to leave his/her name and number, as usual. Hell, you can even mention you're likely in the office or at home.

      Most telemarketers won't do that, and many pranksters won't bother to leave a message. If they do end up leaving a message, then you can easily delete it.

      If the call is valid, and you want to get in touch with that person, pick up the phone before they're done leaving their message, and star
    • Re: (Score:1, Offtopic)

      by Wesley Felter (138342)
      ...there will never be a way to ensure that the originating PBX is telling the truth. DID ranges are (for the most part) not tied directly to outgoing phone lines, so they can't even be verified against those.

      This sounds very similar to the arguments against filtering spoofed packets on the Internet. "Our network is designed such that it needs spoofed packets to work," etc. And yet, responsible ISPs managed to adapt. It's time for the telcos to do the same.
  • Heh... (Score:4, Interesting)

    by setirw (854029) on Saturday November 18, 2006 @07:42PM (#16900692) Homepage
    ...by that logic, we ought to outlaw SMTP servers, since one can falsify email headers there more easily than this system allows the falsification of caller-id data...
  • Star-Eight-Six (Score:4, Informative)

    by vmfedor (586158) on Saturday November 18, 2006 @07:49PM (#16900738)
    Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much. Just like anything else you'll get a few jokers but I doubt anyone will start "bringing down" businesses using click-to-call.

    Google ambiguously states that Google "takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won't be charged for any such calls." Seems to me that they at least recognize the potential for a problem and at least have some sort of plan for how to handle it.

    All-in-all, though, this seems like a pretty lame idea.

    • Re: (Score:3, Informative)

      by TubeSteak (669689)
      Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much.
      IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

      It won't work on 911 or 1-800 & 1-900 (because they're collect) calls.
      My memory is a bit fuzzy, but I don't think I'm wrong.
      • Re: (Score:2, Informative)

        by PayPaI (733999)
        You are (sortof) wrong. 911,800#,900# don't use CID. I've covered this before [slashdot.org] Relevant wikipedia article [wikipedia.org]
      • Re: (Score:3, Informative)

        by phliar (87116)

        IIRC, *86 (or *67) does not actually block your Caller ID, it just tells the other phone to ignore the information.

        You do not remember correctly. You are thinking of ANI (Automatic Number Identification). If you call a toll-free number, the business always gets your "ANI" number, since they're paying for the call. "Caller ID" (more correctly called "Calling Line ID or CLID) is different, and is blocked with *86 [whatever the correct code is]. ANI and CLID are different fields in the phone signalling me

      • by nxtw (866177)
        It specifically sets a private flag. The number is still sent over the telephone network, but the origination switch shouldn't (and usually doesn't) send the number to the customer.

        At least one system I have used would transmit Private to the customer's equipment yet still display the calling party's number on the bill.
    • by gregmac (629064)
      Although the potential for fraud is there, we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much.


      Blocking is not the same thing as 'spoofing'. If I can call you and it looks like I'm calling from the local police department, that's quite a different thing than "BLOCKED ID" calling you. If I say "Hi, this is Officer Farva," which one do you think gives me more credibility?
    • we can already block caller ID with star-eighty-six and nobody seems to be abusing that too much.

      I, for one, automatically drop all calls to voicemail that don't present a CLID. That's something I would nolonger be able to do if people were spoofing their CLID instead.
  • ANI (Score:2, Interesting)

    by DNS-and-BIND (461968)
    CallerID? Weak. Can you set your own ANI? Now THAT'S cloaking.
    • Re: (Score:3, Informative)

      by evilbuny (553280)
      Yes you can fake ANI, you just need an account with a VSP and off you go... all it costs is 1 to 2 c per minute usually...
  • by 93 Escort Wagon (326346) on Saturday November 18, 2006 @07:59PM (#16900794)
    I can see Weinstein's point, although I don't see that it matters much from a practical point of view (unless I'm missing something here). When I look at the Caller ID information on an incoming call, it's more of a whitelist situation - I let the machine get it unless it's one of a few numbers (family, friends). So whether the Caller ID information is valid or not, I'm not going to be answering the phone. Weinstein seems to be looking at it from a blacklist perspective, which I doubt is how most people use their Caller ID.

    • I doubt a whitelist would work for a company that may get hundreds, or thousands of calls each day. As I see it the whole idea of this service is that you can attract new customers by letting them contact a company after they have searched for something at Google, not to offer a way for existing customers to phone.

      I think it could be a really valuable service. I know if I see something I want to buy very often I think it would be great to contact the company and ask questions, but I can't be bothered making
  • and thinking, wtf can I possibly do- OTHER than have businesses connected to an enemy/friend I want to prank a few times.

    the manipulation is ENTIRELY going into MY phone, if I use the service.

    I canNOT use it to falsify my Caller ID info going to the business.

    WHAT ALARMING potential does this possibly have? I see naught... can anyone identify a situation where using this service can let me 'get away with something' more intense than a prince albert in a can call?

    • Some voice mail systems, including the one I will no longer be working on in a few months, have a feature that allows customers to login to their voice mailbox without entering a password, it's strictly based on call information delivered to the servers. Some famous people have had their voice mail broken into because of that feature. Oh, that feature was requested by the telco service providers.
      • I use this service,
        I tell google, I wanna speak with toll free information (800) 555-1212

        I select the # for toll free information and type in MY phone number,

        my phone begins to ring, the caller id on my phone says the # calling me is (800) 555-1212

        I answer the phone, and a few momments later I am connected to information.

        where's the potential to misuse?

  • by Anonymous Coward
    From the article quote:
    "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."

    Wrong. That's not what it does.

    You enter your phone number in the box, and Google calls you. If you enter someone else's phone number, it calls them, not you. Fi
  • Useless for abuse (Score:2, Insightful)

    by m.precursor (1029162)
    This service can not be abused in the way that you would think. Think about it, even if you can forge the caller-id, the google service calls YOU, and connects you to the number that the caller-id is spoofing. All you would end up being able to do is have the local police station number call a local drug dealer. When they answer, it will ring and call the police station. If you pick up the phone and get a ring, what are you going to do. I know that I am going to hang up unless I am expecting it.
    • by evilbuny (553280)
      Talk about over rated, this isn't a story, as a poster pointed out, google just has to inject an audio message asking for a 1 to connect, or 2 to reject/flag as spam and there is no problem...
  • This seems like a non-issue to me. Caller-ID is manipulated on the receiving end (i.e. MY PHONE) and not on the calling end. Google obscures outbound CLID to the buisiness I contact and spoofs inbound CLID to me, presenting it as the business. If I enter in an invalid number, the call will die. The only reason someone might enter someone else's number is to do a sort of "niki-niki-nine-doors" phone prank. Since IP's are logged and you have to put a valid number there are a lot of logs that might be present
    • by technos (73414)
      Don't underestimate the utility factor.. A very long time ago I worked for a hardware store. After business hours, the policy was to not answer the phone..

      But when the damn thing wouldn't stop ringing, I'd use another line, ring the pizza place, and conference the lines when the pizza place picked up.

      Half the time the person trying to call us ordered a pizza. The other half the time, whomever calling us took out their rage on the poor pizza guy and demanded to know the number to the hardware store.

      And you'd
      • Re: (Score:1, Interesting)

        by Anonymous Coward
        I hope you realize that you have just invented a new kind of service: the ability to lease your after-hours phone time to various companies that deliver food for impulse buyers! "Oh well, I can't buy that hammer, but mmm, a pizza would be mighty tasty right now, and it would let me forget about the fact that I have to wait until tomorrow to put in the backing board on my new cabinet".

        Imagine if the pizza place gave you a small commission for sending those people their way, in other words.
  • Not news (Score:1, Offtopic)

    by loconet (415875)
    What is actually news is that a girl submitted this!
    • by kfg (145172)
      If you are harboring any ideas about making time with Lauren I strongly suspect that you will be assinged the role of the bitch.

      http://www.vortex.com/lauren1.jpg [vortex.com]

      And it's gas, grass or ass, baby, nobody rides for free.

      KFG
    • by SheeEttin (899897)
      What are you talking about? There are no girls on the Internet, everyone knows that.
  • This is really a non-issue.

    I guess a different form of abuse would be to register a friend as a business and then you have free calls to him, although depending on the description he might get a lot of wrong calls by others finding his listing on google maps.

    Also something I never heard about is google providing free sms.

    http://maps.google.com/support/bin/answer.py?answe r=32461&query=send+to+phone&topic=&type= [google.com]

    And they provide a firefox plugin so you can highlight text and send that.

    http://www.g [google.com]
  • Considering this is for calling selected BUSINESSES only, I have no problem with this. In many states, it is ILLEGAL for businesses to have caller ID. For those that do not, this is a way one can call a business (to reply to an advertisement) anonymously, without providing a name. I find this a good, pro-consumer approach.
    • I believe it's possible- but do you have a cite for In many states, it is ILLEGAL for businesses to have caller ID. further, if google can make the caller ID into you look like the business #, what makes you think they can't make the caller ID to the busness be your phone #??

    • by PCM2 (4486)

      In many states, it is ILLEGAL for businesses to have caller ID.

      I don't know of any state in which that is true. And it seems extremely unlikely ... remember how T-Mobile voicemail boxes could be hacked because the default was to allow access without a password if your Caller ID matched the account's phone number? How could T-Mobile even offer such a service if they were forbidden to have Caller ID in certain states?

      Perhaps you're thinking of the fact that telemarketers are forbidden to block Caller ID

    • by chrwei (771689)
      In many states, it is ILLEGAL for businesses to have caller ID.
      uh, then why do all enterpise class phone systems (and many small systems as well) support inbound caller id with call routing based on it, including some extra-charge features for more advanced call handling? if it were illegal in more than a handfull of places you'd think that phone vendors would spend fewer resources creating such features.
  • free or not, if i wanted to be an asshat like that i'd just pay for it. making it free just levels the playing field. nothing wrong with it.
  • I'd say the best case for abuse would be not towards the business being called but the person who's number you use. Seems it'd be easy to make a google hack that could pretty much disable somebody's phone by issuing click-to-call's every 2 minutes or so. Imagine a friday night out with your girlfriend and every 2 minutes a different strip club starts ringing your phone?
    • by timmarhy (659436)
      dare say the good kids at google have this one covered by limiting the rate at which you call and the number you make per day. you could also report this kind of abuse. that attack is easy to beart by simply picking up the phone. hell i'd love the chance to hurl abuse at them down the phone.
  • This seems like (Score:2, Informative)

    by inf4m0usB (991305)
  • Although Google Does know what ip address the compter entering the information came from. And, Google will keep a track of what numbers are entered to call and connect to. They do make it clear that spamming and fraud are not tolerated.

    "What if someone enters my phone number instead of theirs as a prank call?
    Google takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won't be charged for any such calls. Ple
    • by b0s0z0ku (752509)
      Although Google Does know what ip address the compter entering the information came from.

      Use a "borrowed" WiFi connection or a anonymous proxy. Not much that can do, really.

      -b.

  • There may be some reason for concern here, but not the type of fear mongering the above summary would seem to suggest. There is potential for abuse by someone entering your phone number and connecting you to the advertiser by phone. But nowhere on the Click-to-Call service page does it allow any sort of caller-ID spoofing. You can't just use it as a VOIP portal and call anyone you want. In fact, Caller ID is blocked even to the advertiser you are connecting to. Just read the details, it's all there.
  • After years of the tell-all CID service foiling our evil plots, we can once again order pizzas to be delivered to our annoying neighbors, and the pizzerias will be none the wiser! I suppose this would work for Chinese delivery too. Oh the terror! Ban Google now!
    • After years of the tell-all CID service foiling our evil plots, we can once again order pizzas to be delivered to our annoying neighbors, and the pizzerias will be none the wiser! I suppose this would work for Chinese delivery too. Oh the terror! Ban Google now!

      We used to have a shore house up until 2001 or so. We didn't have a land line phone there, since there was little point in paying for service year round when we only used the place 2 or 3 months out of the year. The problem was that a lot of the

  • by Lord Kano (13027) on Sunday November 19, 2006 @02:14AM (#16902450) Homepage Journal
    This is from Google's FAQ...

    • What is this click-to-call feature? How does it work?

      Google is testing a new feature that lets you speak directly over the phone, for free, to businesses you find on Google search results pages. When this feature is available for a business, you'll see a green phone icon in their advertisement or a call link next to their contact information.

      Here's how it works: Click the phone icon or call link, and you'll be invited to enter your own phone number into a special field. When you do so and then click Connect for free, Google will call your number almost immediately. Pick up, and you'll hear ringing on the other end as Google connects you to the business you selected. When they answer, you simply talk normally as you would with any other call.


    This isn't for prank calls. It's only use is to keep businesses from using their caller-id to amass a list of telephone numbers. They could arguably claim that the "do not call list" doesn't apply because they'd be returning calls to people who have called them.

    It can help businesses too. If you're too small of an operation to afford a toll free number, you can have your customers call you for free and place orders from you.

    There's no down-side to this.

    LK
  • The click to call actually calls you - so if you enter a fake number... your not going to be connected to who you call. So if somebody connected your phone to some sex line... you would see the sex line number and could ignore it. This could be used to annoy but nothing more than current telemarketers. Oh and its free. This is a great service and Lauren needs to re read how to use the service.

    How intelligent.
  • jajah.com provides the same kind of service
  • Yesterday, I looked up an unusual word using the built in Merriam-Webster link in the Konqueror web browser. At the same time, I was logged into my gmail account, since I often don't bother to log out.

    Today, I received some spam into my gmail's "Spam Folder" with that word as the subject line!!!

    The word I had searched for is too unique for any random chance of it popping up just like that. My question who is the culprit? Google? Merriam-Webster? Or me, for trusting Google's login system?
    • by s1rk3ls (720405)
      The culprit would be you for being so naive - stop looking for conspiracies and get a life :)

      As for the Google "click to call" service, this is certainly a non-issue. There is little potential for abuse, along with little incentive in the first place... Lauren claims how CID should NEVER be manipulated, but she doesn't know what she's talking about and should learn a few things before making wild statements such as this.

      As a company who utilizes VoIP to save money, we have several terminating (outgoing) s
  • I work for a phone company. One of our customer's called us last week. This customer was receiving calls from random people around the US that told him they got a call that showed his business name and phone number. There was an automated recording that said to hold on while it connected them to his business. When our customer got the call the CID information came across as Google Inc and had Google's phone number. This would be the Google Click to Call service. The problem is that the people who were
  • I just got this email - spam, like most of them. It has the following body:

    0ur Attorneys have discovered a loop-hole in the banking laws. Applying what
    we have found, we're successfu1 by totally eliminating creditcarddebt with
    out them having to pay another cent, We know that our firm can help you
    with this too.

    You can contact us at :
    1--3 1 3--263--2706

    [[plus that common gibberish that tries to make it look like a real letter from someone...]]


    Fun way to tie up their phone number? Hit Google Maps and start co

Mr. Cole's Axiom: The sum of the intelligence on the planet is a constant; the population is growing.

Working...