
New Google Service Manipulates Caller-ID For Free

Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."
This discussion has been archived. No new comments can be posted.

  • by glasn0st ( 564873 ) * on Saturday November 18, 2006 @08:35PM (#16900636) Homepage
    Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.

    It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.

    I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailing list without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.

    However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.
  • by NineNine ( 235196 ) on Saturday November 18, 2006 @08:36PM (#16900652)
    This is stupid. It's a non-issue. The advertiser has to opt-in. Hell, I'm guessing that the advertiser is going to have to pay for it (it's part of AdWords). If the advertiser chooses to try it, and gets too much crap, the advertiser can stop it.

    As a business owner, if I used AdWords (I don't... too much click fraud), I'd try it, because any way that customers can contact you easier is generally good. But if it gets abused by a bunch of 12-year-olds, I'd cut it in a heartbeat.
  • by LiquidCoooled ( 634315 ) on Saturday November 18, 2006 @08:40PM (#16900678) Homepage Journal
    Personally, I think the verification portion should NEVER call the phone.
    However, after telling Google you want to use a certain phone, you must dial a number displayed on screen to confirm - it doesn't have to be connected, simply ringing will be enough of a verification and should not cost any money.
  • by XorNand ( 517466 ) * on Saturday November 18, 2006 @08:59PM (#16900792)
    Comparing CallerID to SMTP is a pretty good analogy. However I don't agree that either of them are "broken". Neither of the two were designed with authentication in mind, nor were they ever advertised as a means of security. Before CID, you had to actually answer the phone to see who was on the other end. CID was introduced as a convenience feature, not a security feature. It's people's expectations that are broken, not the technologies.
  • by lenroc ( 632180 ) on Saturday November 18, 2006 @08:59PM (#16900798)

    However, the problem the blogger is concerned about is not the abuse you're thinking of. The problem is that a nefarious user could click the "Call" link on a Business listing, but put in someone else's phone number. The "Caller-ID spoofing" part comes in here: Google's service calls the phone number entered, but the Caller-ID shows the number of the business that the "attacker" chose.

    If, when the person picks up the phone, they are immediately connected to the business, they would assume that the business called them. The blogger is apparently envisioning something of a "Joe job" [wikipedia.org] style attack.

    However, this is easily protected against. Instead of connecting to the business directly, all Google has to do is play a recording along the lines of: "This is Google, calling since you entered your phone number on the "Click to Call" service, please press 1 to connect to the business you selected. If you did not initiate this, please hang up or press 2 to disable this service for this phone number."
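
The confirmation step proposed in the comment above, with its opt-out, as an added example that is not part of the thread and is not Google's code. The class and method names, the constructed 555-01xx numbers and the hourly per-number limit are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Prompt modelled on the wording suggested in the comment (paraphrased).
PROMPT = ("You are receiving this call because your number was entered on "
          "the click-to-call service. Press 1 to connect to the business you "
          "selected, or press 2 to disable this service for this number.")

@dataclass
class ClickToCall:
    max_calls_per_hour: int = 3                  # assumed per-callee abuse limit
    blocked: set = field(default_factory=set)    # numbers that pressed 2
    recent: dict = field(default_factory=dict)   # callee -> request timestamps

    def request(self, callee, business, now=None):
        """Decide whether to ring `callee` at all; return a call record or None."""
        now = time.time() if now is None else now
        if callee in self.blocked:
            return None                          # opted out earlier: never ring again
        stamps = [t for t in self.recent.get(callee, []) if now - t < 3600]
        self.recent[callee] = stamps
        if len(stamps) >= self.max_calls_per_hour:
            return None                          # too many requests for this number
        stamps.append(now)
        return {"callee": callee, "business": business,
                "state": "awaiting_confirmation"}

    def on_keypress(self, call, digit):
        """Handle the callee's keypress after PROMPT has been played."""
        if call["state"] != "awaiting_confirmation":
            return call["state"]                 # a decision was already made
        if digit == "1":
            call["state"] = "bridged"            # only now is the business dialled
        elif digit == "2":
            self.blocked.add(call["callee"])
            call["state"] = "blocked"
        else:
            call["state"] = "dropped"            # hang-up, timeout or any other key
        return call["state"]

if __name__ == "__main__":
    svc = ClickToCall()
    call = svc.request("+1-555-0100", "Example Pizza", now=0)  # constructed values
    print(PROMPT)
    print(svc.on_keypress(call, "2"))                           # blocked
    print(svc.request("+1-555-0100", "Example Pizza", now=60))  # None
```

Because the business leg is dialled only after a "1" is received, a call placed to a number whose owner did not ask for it ends at the prompt instead of connecting the two parties.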

  • by Anonymous Coward on Saturday November 18, 2006 @09:01PM (#16900810)
    How pleased would the rest of us be if people would refrain from splitting the first sentence of their post between the subject line and the comment box?
  • by way2trivial ( 601132 ) on Saturday November 18, 2006 @09:02PM (#16900814) Homepage Journal
    and thinking, wtf can I possibly do- OTHER than have businesses connected to an enemy/friend I want to prank a few times.

    the manipulation is ENTIRELY going into MY phone, if I use the service.

    I canNOT use it to falsify my Caller ID info going to the business.

    WHAT ALARMING potential does this possibly have? I see naught... can anyone identify a situation where using this service can let me 'get away with something' more intense than a prince albert in a can call?

  • by Anonymous Coward on Saturday November 18, 2006 @09:08PM (#16900844)
    receptionist at Google be if EVERYBODY put a call to her(/him)?

    It might get the message across.


    Why do you think you are justified in harassing? What "message" are you trying to get across?
  • by Anonymous Coward on Saturday November 18, 2006 @09:31PM (#16900982)
    From the article quote:
    "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."

    Wrong. That's not what it does.

    You enter your phone number in the box, and Google calls you. If you enter someone else's phone number, it calls them, not you. Finally, caller ID is blocked, so the business can't see your phone number. The only abuse would be automated prank calling, not caller ID spoofing.
  • Useless for abuse (Score:2, Insightful)

    by m.precursor ( 1029162 ) on Saturday November 18, 2006 @09:47PM (#16901070)
    This service cannot be abused in the way that you would think. Think about it, even if you can forge the caller-id, the Google service calls YOU, and connects you to the number that the caller-id is spoofing. All you would end up being able to do is have the local police station number call a local drug dealer. When they answer, it will ring and call the police station. If you pick up the phone and get a ring, what are you going to do? I know that I am going to hang up unless I am expecting it.
  • by CastrTroy ( 595695 ) on Saturday November 18, 2006 @10:30PM (#16901268)
    Yes, that's for sure. We shouldn't even have subjects, the subject is the article. People most of the time end up doing stupid things like splitting the post between the subject and the comment, or leaving it as "Re: Subject that doesn't make sense" Because the subject refers to something 3 levels up and the subject has changed by this point. Nobody reads subjects, and hardly anybody puts in a useful subject anyway. It's nice for email, because you can scan your messages and tell which message is about what, but when you're reading posts, it's not worth your time to read all those subjects because 98% of them are Re......
  • by way2trivial ( 601132 ) on Sunday November 19, 2006 @01:24AM (#16902064) Homepage Journal
    I use this service,
    I tell google, I wanna speak with toll free information (800) 555-1212

    I select the # for toll free information and type in MY phone number,

    my phone begins to ring, the caller id on my phone says the # calling me is (800) 555-1212

    I answer the phone, and a few moments later I am connected to information.

    where's the potential to misuse?

  • by icedcool ( 446975 ) on Sunday November 19, 2006 @03:34AM (#16902496)
    The click to call actually calls you - so if you enter a fake number... you're not going to be connected to who you call. So if somebody connected your phone to some sex line... you would see the sex line number and could ignore it. This could be used to annoy but nothing more than current telemarketers. Oh and it's free. This is a great service and Lauren needs to reread how to use the service.

    How intelligent.
  • by LordKronos ( 470910 ) on Sunday November 19, 2006 @11:28AM (#16904198)
    I agree with both of you. It is annoying that it screws up the 1st-sentence-preview of the experimental forum, but it's also annoying when you don't have the context.

    The obvious solution, of course, is for slashdot to add an official method of quoting (rather than right now, where some people italicize, some prefix with >, some put it in quotation marks, and some just paste the text normally) and then have the experimental forum display the first line of non-quoted text.
