Internet Phones & Identity Theft 98
flaws writes "A CNN story details how phishers are using Internet Phones to expand their identity theft endeavors. The article demonstrates the use of caller-id spoofing to companies such as Western Union to thwart their verification system and successfully launder money. Western Union commented on the situation, stating at this time it's the only way they know how to authenticate the call. The anti-phishing working group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone."
Just another example (Score:3, Insightful)
Poorly designed/implemented standards (Score:3, Interesting)
Perhaps all standards-setting bodies need a "Red Team" group of people that try to find the holes before the standard is set.
Re:Poorly designed/implemented standards (Score:2, Insightful)
Depending upon standards is tricky.
Especially where the "standard" is created before its niche use has been identified. You could spend hundreds of man hours in a focus group hammering out a standard, and then have the users do something completely different, which just makes a mockery of your standards.
Recently, we have all been pushing for IE to become "standards compliant", but my understanding of a "standard" is one that everybody uses, in this cas
Re:Poorly designed/implemented standards (Score:2)
the IE renderer is the standard - hence so many websites look like shit in FF.
Huh? Most sites I visit with Firefox render pretty nicely. I read websites for the content, not the eye candy (although I do admit to liking shiny things every now and then and semi-transparency and DHTML menu drop shadows are nice to look at).
Re:Poorly designed/implemented standards (Score:1)
It renders perfectly on IE and other browsers which bend the rules slightly.
That tells me that the webmasters in charge have adopted a new standard, and that "standards compliance" isn't all it's cracked up to be.
Re:Poorly designed/implemented standards (Score:2)
CSS is nice, though. I wonder how long it will take for Taco et al to finally implement it.
Re:Poorly designed/implemented standards (Score:4, Informative)
Anyone relying on caller ID for security is naive and stupid.
This is nothing. Phishers are getting really bold (Score:5, Interesting)
In the past few weeks we've had scam artists targeting our customers offering to do free SEO analysis only to get in and download their customer base.
They claim to be partners of ours, and they tell the business they need admin access to do the study and they'll give them a free report.
Of course they get in, as admin, then they download the order history and customer list and start calling the customers saying "we had a problem with your order, can you please verify your credit card number ending in [last 4 digits]" and most honest people happily oblige by repeating the valid credit card number over the phone. Then they ask for the CVV/CID #. Yeoch!
Fortunately a lot of our sales go through Paypal which isn't subject to that sort of phraud.
I figure a single break-in could easily net them 50,000 valid credit cards. Very scary.
I suspect the calls originate from hacked out IP Phones.
Here's how we fixed the problem so that our customers could verify the identity of our staff and our legitimate partners:
http://webdoc.zoovy.com/info/index.php?GOTO=guide
Re:This is nothing. Phishers are getting really b (Score:2)
So you send your vendor passwords through the email. If your attackers can crack your customer DB, what's to stop them sniffing your emails and getting the passwords? The insecure system will lead many more customers to trust it.
Re:This is nothing. Phishers are getting really b (Score:1)
The keys are only good for a few days, the partners (and there are only a handful of them) have a separate login to our extranet that allows them to generate keys based on their company.
The keys are only good for a few days (currently 7) AND they identify the company they came from to customer when they authenticate the key.
Re:This is nothing. Phishers are getting really b (Score:1)
Re:This is nothing. Phishers are getting really b (Score:1)
It's just a different word for each account/vendor. And the word expires. And we can tell who's looking up the word. And customers can't remember the word -- so this way they can just look it up.
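The expiring per-partner verification key described in the replies above, as an added illustration (not zoovy's own code): a partner generates a key from its extranet login, the key names the issuing company, it stops validating after 7 days, and every customer lookup is logged so staff can see who checked which key. The class and method names are assumptions.

```python
"""Expiring per-partner verification keys (added example, not zoovy's code)."""
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=7)  # lifetime stated in the thread


class Clock:
    """Injectable clock so expiry can be exercised without waiting a week."""

    def __init__(self, start=None):
        self.now = start or datetime.now(timezone.utc)

    def advance(self, days):
        self.now += timedelta(days=days)


class VerificationKeys:
    def __init__(self, clock=None):
        self.clock = clock or Clock()
        self._keys = {}    # word -> (company, expires_at)
        self.lookups = []  # audit trail: (when, who, word, company or None)

    def issue(self, company):
        """Called from the partner's extranet login; the word is random and
        unguessable, and bound to the company that generated it."""
        word = secrets.token_urlsafe(6)
        self._keys[word] = (company, self.clock.now + KEY_LIFETIME)
        return word

    def verify(self, word, who="customer"):
        """Customer-facing lookup: returns the issuing company while the key
        is valid, None for unknown or expired keys. Every lookup is logged."""
        entry = self._keys.get(word)
        company = None
        if entry is not None:
            issuer, expires_at = entry
            if self.clock.now < expires_at:
                company = issuer
        self.lookups.append((self.clock.now, who, word, company))
        return company


if __name__ == "__main__":
    clock = Clock()
    keys = VerificationKeys(clock)
    word = keys.issue("Acme SEO Partners")   # constructed partner name
    print("fresh key ->", keys.verify(word))
    clock.advance(8)
    print("8 days later ->", keys.verify(word))
```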
Re:Just another example (Score:2)
Regardless of what form of verification a company comes up with, it's going to be broken or cracked by a criminal.
Come back when they start using verification - callerID is trivially easy to spoof. Anybody that depends on it is a fool.
Can anyone say SSL? (Score:2)
Got a call from the bank? Is the call signed?
Of course, this would require a user-interface change. We would need some sort of display that shows, not just caller id, but credentials as well...
I'm dreaming huh? Like the U.S. gov is ever going to allow
ANI (Score:3, Interesting)
Re:ANI (Score:1)
Does anyone have a recommended solution for me to accomplish this in a reasonable and not-too-expensive manner?
Re:ANI (Score:2)
The PRI is going to be the most expensive part of the deal. You're not going to get ANI on anything but that.
Does this affect ANI? (Score:5, Interesting)
Re:Does this affect ANI? (Score:2, Informative)
ANI is hard to crack on a traditional phone network because it is out-of-band. The user never has any access to it or to the switching information. In a VoIP system, the important letters are "IP." It doesn't take a genius to dissect the IP packets which are carrying both the conversation and the switching data and then recomboobelate the switching data as he sees fit.
Re:Does this affect ANI? (Score:2, Informative)
Some of the loopholes have been closed, but in essence the technique used was "op diverting" - being redirected from the TSPS console (usually by claiming to be a disabled user) to an 800 number of an outside network. Once being redirected, depending upon the network being switched to, the ANI information would be obliterated and an operator would pop on and ask for your phone number. Any number could be made up, but as a matter of policy, the op won't call a POT
Re:Does this affect ANI? (Score:2)
A fool and his money... (Score:2, Insightful)
Re:A fool and his money... (Score:1, Insightful)
How you got modded up, I'll never understand.
Re:A fool and his money... (Score:2)
She's been trained for years, as have m
easily solved (Score:5, Insightful)
Or a faxed signature, either one will do. If it works for pizza delivery it should work for money transfers.
Oh, and you could also block VOIP services from western union and what not until they will vouch for the identity of their users.
Anonymity on the 'real' phone network is much easier to get than on a VOIP phone; the 'IP' bit will take care of that quite nicely, as long as you can map back between a phone number at any given moment and an IP number.
It's a bit like a DHCP lease by a provider or a WiFi access point: if you know the timestamp and the ID used, you should be able to work backwards to get more info out of the system.
Re:easily solved (Score:3, Funny)
That made me smile, I'm sure it's not quite the wording you're looking for. "I'll have pizza and US dollars, transfer them to my Swiss bank account and go easy on the anchovies."
Re:easily solved (Score:2)
Bingo. While the technology has created a way for phishers to target people, phishing is still, at its roots, a social engineering problem. If the bank just told its customers "We will never call you and ask for your banking information, so only give it when YOU call US." the situation would be fine, unless of course there was a virus that would
Re:easily solved (Score:2)
Only so far as you can trust the pizza delivery boy with an envelope full of money...
Re:easily solved (Score:1)
First rule of the interweb (Score:1, Interesting)
Modern forms of communications allow higher levels of anonymity. It should not be this way, but sometimes people have to learn from their mistakes the hard way.
The only way they know? (Score:5, Interesting)
Can't they... (Score:2, Insightful)
Re:Can't they... (Score:1)
What is more likely -- that the technology department of Western Union, one of the largest financial companies in the world -- hasn't thought of that idea, or that they have, and there is some issue that makes it not as easy as you think?
Above, a poster pointed out that the best you can do with ANI is to verify that the phone call is VoIP. And as for an 800-number, Western Union lets you sen
Re:Can't they... (Score:1)
I fell for one of these (Score:5, Funny)
Umm (Score:5, Insightful)
Let's not blame voip.
Re:Umm (Score:2)
The real problem... (Score:5, Insightful)
Technical measures may seem like they're helping on a short-term scale, but ultimately, they're just masking the real problem, which can only be solved by educating people and making it clear to them that security is something that does affect them directly.
Secure Method of Verification (Score:3, Informative)
People still answer the phone? (Score:2)
Re:People still answer the phone? (Score:1)
Re:Secure Method of Verification (Score:2)
Gee sir, I notice that my caller ID says Credit Fraud Prevention Services, but the number you gave me to return the info to is listed as Evil Phisher Corp in the Cayman Islands. Care to explain?
OK, I know with call forwarding services you could get around it, but at least it would increase the cost of entry enough to make these guys better targets for prosecution.
Re:Secure Method of Verification (Score:3, Informative)
They do. Exactly as you describe. Input a phone number, and get a name and address. It is trivial, however, to remove yourself [google.com] from this 'service'.
Re:Secure Method of Verification (Score:1)
She's Russian.
This would be major red-flag territory had I not MET her in person at the bank, seen that she actually works there, and is totally legit.
She's also cute as hell and has that accent. Grrr. I think it's a secret weapon.
I guess we should give up now (Score:1)
Internet worms that snarl online networks can render VOIP lines unusable, and experts at AT&T (Research) say VOIP conversations can be monitored or altered by outsiders.
They sure went to a reliable source. VOIP can be tapped? Interrupted?? Why, it's impossible to do that with conventional phone lines!!
Caller ID is not reliable. (Score:1)
Back in the days of BBS (Score:1)
Re:Back in the days of BBS (Score:3, Interesting)
Unlike online banks, BBS operators used to understand security (because they had a real need to as they had constant cracking attempts). Even now, you can recognise the occasional BBS operator with their SSL websites, a web-of-trust that actually works, and a PGP key that has been taken to a keysigning party or two.
Compare to the banks who are still saying "the verisign certifica
Re:Back in the days of BBS (Score:1)
Just staying on the line after the BBS hung up and playing a dialtone into the phone, waiting for them to try to dial back, and then answering normally was enough to get around that in the cases where they only had one line.
Sharing Secrets (Score:5, Interesting)
I'd like to start a consumer movement where each consumer can generate a set of private and public encryption keys. The consumer can publish the public key and it will be used by credit card issuers to issue new credit card numbers to the consumer. Then, only the consumer can decrypt and use those numbers. If consumers use this as the only means of transferring critical personal information then the phishers will be defeated.
Re:Sharing Secrets (Score:2)
Hello PRI, hello fraud (Score:3, Interesting)
Phone switch software has to trust certain types of trunk lines. This type of scam was available to PBXs, but the phone companies could trace it to the circuit that introduced the spoof, because they had records of the actual dialed number.
Same thing needs to happen with Vonage and others. They need to install a digital certificate on the box they send you and the call setup needs to have something like an X.509 signature. The soft switch run by the Vonage-like company maps where the real box came from, doesn't accept any signatures it doesn't know, and records the originating src-ip address. Sudden and frequent changes in src-ip address mean the customer gets a service message in their account asking them to verify. Just like credit card fraud protection.
And most importantly, the Vonages of the world are held responsible legally for it through legislation.
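The soft-switch side of the scheme proposed in the post above, as an added sketch that is not Vonage's or any provider's code: each customer box carries a secret provisioned by the provider when it ships, signs its call-setup message, and the switch rejects setups from unknown boxes or with bad signatures, refuses a caller ID that does not belong to the signing box, records the source IP, and flags the customer for verification when that IP suddenly changes. Assumptions: an HMAC over the setup fields stands in for the X.509 signature the post describes (the acceptance logic is the same), and all box IDs, numbers and IPs are constructed sample values.

```python
"""Soft-switch admission check for signed VoIP call setup (added example)."""
import hashlib
import hmac
import json


def sign_setup(box_secret, setup):
    """Runs on the customer box: canonicalise the setup fields and sign them.
    HMAC-SHA256 with the per-box secret stands in for an X.509 signature."""
    body = json.dumps(setup, sort_keys=True).encode()
    return hmac.new(box_secret, body, hashlib.sha256).hexdigest()


class SoftSwitch:
    def __init__(self, provisioned):
        # box_id -> (secret, the number assigned to that box at provisioning)
        self.boxes = dict(provisioned)
        self.last_ip = {}                  # box_id -> last accepted src ip
        self.pending_verification = set()  # customers asked to confirm, as with card fraud alerts
        self.log = []                      # audit trail: (box_id, src_ip, outcome)

    def accept_call(self, box_id, src_ip, setup, signature):
        """Return True if the setup may proceed. Rejections are logged, never silent."""
        entry = self.boxes.get(box_id)
        if entry is None:
            self.log.append((box_id, src_ip, "rejected: unknown box"))
            return False
        secret, assigned_number = entry
        if not hmac.compare_digest(sign_setup(secret, setup), signature):
            self.log.append((box_id, src_ip, "rejected: bad signature"))
            return False
        # The switch knows which number each box really owns, so a signed
        # setup claiming someone else's caller ID is still refused.
        if setup.get("caller_id") != assigned_number:
            self.log.append((box_id, src_ip, "rejected: caller id not owned by box"))
            return False
        previous = self.last_ip.get(box_id)
        if previous is not None and previous != src_ip:
            # Call proceeds, but the customer is asked to confirm the move.
            self.pending_verification.add(box_id)
            self.log.append((box_id, src_ip, "accepted: src ip changed, verification requested"))
        else:
            self.log.append((box_id, src_ip, "accepted"))
        self.last_ip[box_id] = src_ip
        return True


if __name__ == "__main__":
    switch = SoftSwitch({"box-1": (b"constructed-secret-1", "+15551230001")})
    setup = {"caller_id": "+15551230001", "callee": "+18005550100", "seq": 1}
    print(switch.accept_call("box-1", "203.0.113.5", setup, sign_setup(b"constructed-secret-1", setup)))
    print(switch.accept_call("box-1", "198.51.100.7", setup, sign_setup(b"constructed-secret-1", setup)))
    print(switch.log)
```

The `seq` field is there so a recorded setup cannot simply be replayed once the switch also tracks the last sequence number per box; that check is left out to keep the example short.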
Universal Remote (Score:3, Interesting)
If every smartphone did this, we'd expand the P2P web of trust exponentially. ID theft would drop, phone spam would plummet, and more people would buy smartphones. The key is making it extremely easy. And considering the hairy ID system we now wrestle with, there's room in this one for just a little UI and transaction structure to actually make it simpler.
Not really surprising (Score:1)
Identification? gnupg! (Score:2)
The problem is the phone system, not the internet (Score:2)
Verifying the VoIP user only works if it becomes mandatory to accurately certify the identity of the caller across the telephone network. Since the phone companies don't do this with each other today, they should start by getting their own house in order first.
Yawn. More Telco FUD & Demonization (Score:3, Interesting)
What a coincidence...
Pure crap. (Score:2)
Furthermore, when logging in to the Western Union website, one has to yell their password by megaphone in the direction of corporate HQ. Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are
Anyone (Score:3, Informative)
If anyone ever rings me and asks for any personal details I just tell them to get stuffed. Or if it sounds legit I'll request to ring them back on a number that I have for them. It's not that hard to stay safe from bank fraud.
autospoof (Score:2)
Solution (Score:4, Insightful)
If you get a phone call and someone tries to sell you something, you have absolutely no idea who they really are, what company they really represent and even if they are in the same country as you, why on earth would anyone give them credit card details to make a purchase?!?
I'm surprised this hasn't been going on for decades:
1) Call random people
2) Offer them an amazing deal
3) Take credit card and address details
4) Fucking profit big-time
Add to that, find a country that has no extradition treaties with yours and only call people in that country, the long-distance charge will be worth it from all the money you rake in from total fucking idiots who are prepared to give you their credit card without any credentials.
The fact that there actually is a telemarketing industry proves that some people must be stupid enough. From now on I propose a special 'code word' which will be known among telemarketers and non-stupid people the conversation will go something like this:
A: Good morning sir, I'm wondering if you would be interested in this special offer we..
B: Banana!
A: Oh terribly sorry to bother you sir, I'll take you off all telemarketing lists immediately, thank you.
This code word has basically told the marketer that you are not a total retard and are not worth calling in the future, so that they may remove you from their list and actually save themselves time and money! All the actual idiots who would fall for this crap can then have more telemarketers calling them and everyone is happy..
Job Vacancies. (Score:2, Interesting)
It won't be long before people start using job advertisements for identity theft, it's just so easy: from the average CV you'd get enough information to pass most security checks, and it only takes a birth certificate to get your mother's maiden name.
The best thing is that the UK government want you to provide even more information to prove you
Western Union security SUCKS! (Score:1)
Ummm (Score:1)
Caller-ID is a hack, plain and simple. There are two phone numbers that really matter - the one reported as Caller-ID data and the billing telephone number.
For most consumers - the BTN and the Caller-ID number are the same. It only becomes a problem for business but even they can set both ANI delivery and CLID delivery to be the same for all their outbound trunks but few businesses have people in their I.T. and telecom units that would
No other way (Score:2)
I guess nobody at WU has ever heard of PPP [cisco.com] Callback [mppmu.mpg.de]? Nope, wouldn't wanna build on a proven successful technology or anything like that.
I'll throw in my two-cents (Score:1)
In response to someone's post, job ads are already being used for Identity Theft. Monster.com ranks it among their biggest problems- fake companies posing as real companies.
Someone on this forum stated that you would have to be dumb to lose your information. I beg to differ.
No matter how good you are, no matter how vigilant, no matter how much you shred, or don't mail fro