New Google Service Manipulates Caller-ID For Free
Lauren Weinstein writes to raise an alarm about a new Google service, Click-to-Call. As he describes it, the service seems ripe for abuse of several kinds. One red flag is that Google falsifies the caller-ID of calls it originates for the service. From the article: "Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."
Deserves attention, but not a very hard problem. (Score:5, Insightful)
It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.
I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailing list without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.
However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.
This is stupid. It's not an issue. (Score:5, Insightful)
As a business owner, if I used AdWords (I don't... too much click fraud), I'd try it, because any way that customers can contact you easier is generally good. But if it gets abused by a bunch of 12-year-olds, I'd cut it in a heartbeat.
Re:Deserves attention, but not a very hard problem (Score:2, Insightful)
However, after telling Google you want to use a certain phone, you must dial a number displayed on screen to confirm - it doesn't have to be connected, simply ringing will be enough of a verification and should not cost any money.
Re:Caller ID is broken in the same way SMTP is bro (Score:5, Insightful)
Re:This is stupid. It's not an issue. (Score:5, Insightful)
However, the problem the blogger is concerned about is not the abuse you're thinking of. The problem is that a nefarious user could click the "Call" link on a Business listing, but put in someone else's phone number. The "Caller-ID spoofing" part comes in here: Google's service calls the phone number entered, but the Caller-ID shows the number of the business that the "attacker" chose.
If, when the person picks up the phone, they are immediately connected to the business, they would assume that the business called them. The blogger is apparently envisioning something of a "Joe job" [wikipedia.org] style attack.
However, this is easily protected against. Instead of connecting to the business directly, all Google has to do is play a recording along the lines of: "This is Google, calling since you entered your phone number on the "Click to Call" service, please press 1 to connect to the business you selected. If you did not initiate this, please hang up or press 2 to disable this service for this phone number."
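The two safeguards proposed in the comments above (a verification code read out to the entered number, and a press-1 consent prompt with a press-2 opt-out before bridging) can be modeled together. This is an added example, not part of the thread and not Google's code; the class name, method names, code lifetime and attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a read-out code stays valid (assumed value)
MAX_ATTEMPTS = 3    # guesses allowed before the code is discarded (assumed)

class ClickToCallGate:
    """Hypothetical model of the safeguards proposed in the comments."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}       # number -> [code, expiry, attempts_left]
        self.verified = set()   # numbers whose owner answered and gave the code
        self.opted_out = set()  # numbers that pressed 2 on the consent prompt

    def start_verification(self, number):
        """Return the code the automated call would read out to `number`."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = [code, self.now() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def confirm(self, number, typed_code):
        """Check the code typed into the web form against the one read out."""
        entry = self.pending.get(number)
        if entry is None or self.now() > entry[1]:
            self.pending.pop(number, None)   # unknown or expired
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0].encode(), typed_code.encode())
        if ok:
            self.verified.add(number)
        if ok or entry[2] == 0:
            del self.pending[number]         # single use, bounded guessing
        return ok

    def may_dial(self, number):
        return number in self.verified and number not in self.opted_out

    def on_keypress(self, number, digit):
        """Consent prompt played before bridging: 1 connects, 2 opts out."""
        if not self.may_dial(number):
            return "blocked"
        if digit == "1":
            return "connect"
        if digit == "2":
            self.opted_out.add(number)
            return "opted_out"
        return "hangup"
```
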
Re:How pissed would the... (Score:4, Insightful)
I'm reading the service page at Google (Score:2, Insightful)
the manipulation is ENTIRELY going into MY phone, if I use the service.
I canNOT use it to falsify my Caller ID info going to the business.
WHAT ALARMING potential does this possibly have? I see naught... can anyone identify a situation where using this service can let me 'get away with something' more intense than a prince albert in a can call?
Re:How pissed would the... (Score:1, Insightful)
It might get the message across.
Why do you think you are justified in harassing? What "message" are you trying to get across?
Actually, that's not it at all. (Score:1, Insightful)
"Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters."
Wrong. That's not what it does.
You enter your phone number in the box, and Google calls you. If you enter someone else's phone number, it calls them, not you. Finally, caller ID is blocked, so the business can't see your phone number. The only abuse would be automated prank calling, not caller ID spoofing.
Useless for abuse (Score:2, Insightful)
Re:How pissed would the... (Score:5, Insightful)
Ok, still not getting it. (Score:3, Insightful)
I tell Google, I wanna speak with toll free information (800) 555-1212
I select the # for toll free information and type in MY phone number,
my phone begins to ring, the caller id on my phone says the # calling me is (800) 555-1212
I answer the phone, and a few moments later I am connected to information.
where's the potential to misuse?
Lauren needs to re-read this service (Score:2, Insightful)
How intelligent.
Re:How pissed would the... (Score:5, Insightful)
The obvious solution, of course, is for Slashdot to add an official method of quoting (rather than right now, where some people italicize, some prefix with >, some put it in quotation marks, and some just paste the text normally) and then have the experimental forum display the first line of non-quoted text.