Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Communications

Internet Phones & Identity Theft 98

flaws writes "A CNN story details how phishers are using Internet Phones to expand their identity theft endeavors. The article demonstrates the use of caller-id spoofing to companies such as Western Union to thwart their verification system and successfully launder money. Western Union commented on the situation, stating at this time it's the only way they know how to authenticate the call. The anti-phishing working group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone."
This discussion has been archived. No new comments can be posted.

Internet Phones & Identity Theft

Comments Filter:
  • by PhreakinPenguin ( 454482 ) on Sunday March 20, 2005 @11:33AM (#11990731) Homepage Journal
    Just another example of the thieves being ahead of the companies. Regardless of what form of verification a company comes up with, it's going to be broken or cracked by a criminal. As long as it relies on any human input, this will continue.
    • After all the problems with spoofed emails, you would think that the people that create VOIP standards would specify something more secure. Doesn't anybody learn any lessons?

      Perhaps all standards-setting bodies need a "Red Team" group of people that try to find the holes before the standard is set.
      • The red team you speak of are commonly the end-users.

        Depending upon standards is tricky.
        Especially where the "standard" is created before its niche use has been identified. You could spend hundreds of man hours in a focus group hammering out a standard, and then have the users do something completely different, which just makes a mockery of your standards.

        Recently, we have all been pushing for IE to become "standards compliant", but my understanding of a "standard" is one that everybody uses, in this cas
      • by Tony Hoyle ( 11698 ) <> on Sunday March 20, 2005 @12:31PM (#11991038) Homepage
        It's not about VOIP specifically.. this kind of vulnerability has existed for years on the public network. Pretty much anyone with an ISDN PRI can specify their own caller ID... the difference it's cheaper to do it now.

        Anyone relying on caller ID for security is naive and stupid.
    • by gru3hunt3r ( 782984 ) on Sunday March 20, 2005 @12:06PM (#11990910) Journal
      I work for an an e-commerce software company that processes several million dollars in sales a month.

      In the past few weeks we've had scam artists targeting our customers offering to do free SEO analysis only to get in and download their customer base.

      They claim to be partners of ours, and they tell the business they need admin access to do the study and they'll give them a free report.

      Of course they get in, as admin, then they download the order history and customer list and start calling the customers saying "we had a problem with your order can you please verify your credit card number ending in [last 4 digits]" and most honest people happily oblige by repeating the valid credit card number over the phone. Then they ask for the CVV/CID # Yeoch!
      Fortunately a lot of our sales go through Paypal which isn't subject to that sort of phraud.

      I figure a single break in could easily net them 50,000 valid credit cards. Very scary.

      I suspect the calls originate from hacked out IP Phones.

      Here's how we fixed the problem so that our customers they could verify the identity of our staff and our legitimate partners: authkey.php []

      • "Simply ask the person on the other end of the line for their "vendor authorization code" or "security code" (emails will always contain a security code)"

        So you send your vendor passwords through the email. If your attackers can crack your customer DB, what's to stop them sniffing your emails and getting the passwords? The insecure system will lead many more customers to trust it.
        • No, for our staff our we have an SSL site to generate the keys.

          The keys are only good for a few days, the partners (and there are only a handful of them) have a separate login to our extranet that allows them to generate keys based on their company.

          The keys are only good for a few days (currently 7) AND they identify the company they came from to customer when they authenticate the key.

      • Why not verify the customer service guy, like the way they verify customers. I mean when u open a account you establish a secret word. The customer verifies the CS by this word. Then the verification of the customer.
    • Regardless of what form of verification a company comes up with, it's going to be broken or cracked by a criminal.

      Come back when they start using verification - callerID is trivially easy to spoof. Anybody that depends on it is a fool.

    • The technology exists to prevent spoofing on IP calls, it is called SSL. Issue certificates with phone numbers instead of web addresses; Verisign could issue CA Certs for the phone companies and the phone companies could issue for phone numbers.

      Got a call from the bank? Is the call signed?

      Of course, this would require a user-interface change. We would need some sort of display that shows, not just caller id, but credentials as well...

      I'm dreaming huh? Like the U.S. gov is ever going to allow
  • ANI (Score:3, Interesting)

    by jpatters ( 883 ) on Sunday March 20, 2005 @11:34AM (#11990738)
    You can spoof caller ID, but can you spoof ANI? Maybe Weastern Union needs to get an 800 number or something.
    • Not sure, but before the VoIP enters the phone lines, can't a computer add a "Anonymous Internet Call" or some tag to the beginning of the caller ID, like mailing lists do, so that users can tell it's comming from the internet? At least that way it can't say "Wachovia Bank" or something on the caller ID without it raising suspisions.
    • You hit the nail on the head, INI is like an IP address and can't really be spoofed, whereas CID is just encapsulated data and if you are running your own equipment you can send anything. I don't know about wanting an 800 #, but I was think about putting in a PBX for this reason (eg. INI data is stripped by the telco's last switch and I could obtain it for any caller by running my own switch).

      Does anyone have a recommended solution for me to accomplish this in a reasonable and not-too-expensive manner?

      • Asterisk, a Digium T1 card, and a PRI from your telco.

        The PRI is going to be the most expensive part of the deal. You're not going to get ANI on anything but that.
        • Re:ANI (Score:2, Informative)

          by jmcharry ( 608079 )
          Last I knew, and I am a few years out of date, there was only one calling number field in a PRI, and it was populated with CLID, if available, with only a fallback to ANI. This could be tested by making an anonymous call and seeing if the privacy bit is set.
      • Re:ANI (Score:1, Informative)

        by Anonymous Coward
        Yeah, you can get a service like this from AT&T. They'll send all of the useful info that's available via ISUP in an encapsulated Q.931 message. You need to be prepared to pay handsomely, though.
  • by bigtallmofo ( 695287 ) on Sunday March 20, 2005 @11:37AM (#11990749)
    I have a block for caller ID on my home phone. I know that when I call a 1-800 number though, they still are easily able to discern what my true phone number is. My understanding is that this is by using Automatic Number Identification - ANI []. Does Western Union not use this or do VoIP phones allow you to fake this as well as standard caller ID? If the latter, then I think we have bigger problems than Western Union. Most 911 systems use ANI also. Imagine if knuckleheads could make anonymous calls to 911.
    • I don't know of any VoIP solutions that will defeat ANI out-of-the-box, but in theory it wouldn't be that hard to mod a VoIP phone to do so.

      ANI is hard to crack on a traditional phone network because it is out-of-band. The user never has any access to it or to the switching information. In a VoIP system, the important letters are "IP." It doesn't take a genius to dissect the IP packets which are carrying both the conversation and the switching data and then recomboobelate the switching data as he sees fit.
      • No, AFAIK spoofing ANI is like spoofing an IP address. If you fake it the call will not be properly routed back to you.
        • True, ANI is inextricably linked to the switching data on the PSTN. However, you don't have to have the PSTN route it all the way back to "you," just to your VoIP provider, which, IIRC, is going to pass the switching data it gets from you via IP. Thus, the IP routing data which gets it back to you is largely independent of PSTN switching data which gets it back to your VoIP provider. (At least that's my understanding of it. Perhaps there a VoIP programmer around who cares to comment?)
    • yes and no - ANI can infact be spoofed.

      Some of the loopholes have been closed, but in essence the technique used was "op diverting" - being redirected from the TSPS console (usually by claiming to be a disabled user) to an 800 number of an outside network. Once being redirected, depending up on the network being switched to, the ANI information would be obliterated and an operator would pop on and ask for your phone number. Any number could be made up, but as a matter of policy, the op won't call a POT
    • Western Union verifies against the ANI number. I use to wire my mom money every month, and the process was annoying, but I always seemed fairly secure. Of course, after awhile, I qualified for their preferred customer status which ironically, did not require the teller to verify the calling telephone number by dialing it. So I'm not certain if they still do that. My thought is that would be one method for preventing this type of fraud. Customer A gives you the phone number, it matches the caller ID or ANI n
  • The anti-phishing working group states that telecommunications abuse is being used to fool home users into revealing their bank information over the phone.

    .. are soon parted.
    • That's a fucking typical Slashdot thing to say. Imagine if it were a retired person on a fixed income. Somebody who is easily targeted. I'm sure your sorry punk ass would be the first to go up to them and say "0wn3d".

      How you got modded up, I'll never understand.
      • All you're saying is that it's OK for "a retired person" to be a fool. I'm not saying it's OK for people to rip off fools. In fact, it's absolutely the business of the service provider to make it easy and safe for everyone, including the large population of fools, to use our systems safely.
        • You still seem to be implying that elderly are fools if they are duped. I hope I am misreading your intentions. The elderly grew up in a different world and it can be difficult for them to keep up with the vulnerabilities opened up by technology they don't understand. Also, some elderly have diminshed mental capacity through no fault of their own. Being duped does not make one a fool.
          • Diminished mental capacity makes you a fool. That doesn't make you deserving of robbery.
    • Everyone, regardless of how smart; regardless of how vigilant can be fooled. Discussions of self-protection, and who can and should use a certain type of service plays little role in this. My mother would never use VoIP, she barely tolerates a telephone with call waiting on it. And she's smart enough to recognize when she doesn't understand a technology, that the technology can be dangerous to her, but her not using VoIP would not protect her from this type of fraud.

      She's been trained for years, as have m
  • easily solved (Score:5, Insightful)

    by jacquesm ( 154384 ) <j&ww,com> on Sunday March 20, 2005 @11:39AM (#11990768) Homepage
    Simply require a phone number to call back to...

    Or a faxed signature, either one will do. If it works for pizza delivery it should work for money transfers.

    Oh, and you could also block VOIP services from western union and what not until they will vouch for the identity of their users.

    Anonimity on the 'real' phone network is much easier to get than on a VOIP phone, the 'IP' bit will take care of that quite nicely, as long as you can map back between a phone number at any given moment and an IP number.

    It's a bit like a DHCP lease by a provider or a WIFI access point, if you know the timestamp and the ID used you should be able to work backwards to get more info out of the system.

    • If it works for pizza delivery it should work for money transfers.

      That made me smile, I'm sure it's not quite the wording you're looking for. "I'll have pizza and US dollars, transfer them to my Swiss bank account and go easy on the anchovies.

    • " Simply require a phone number to call back to... Or a faxed signature, either one will do. If it works for pizza delivery it should work for money transfers."

      Bingo. While the technology has created a way for phishers to target people, phishing is still, at its roots, a social engineering problem. If the bank just told its customers "We will never call you and ask for your banking information, so only give it when YOU call US." the situation would be fine, unless of course there was a virus that would

    • If it works for pizza delivery it should work for money transfers.

      Only so far as you can trust the pizza delivery boy with an envelope full of money...
    • If you work on classified programs the call-back step is mandatory for all phone communications and is advised for e-mail , and thats just for unclassified info! Good security costs smart people very little and dumb people can't buy it for any price.
  • No one is who he tells you to be.

    Modern forms of communications allow higher levels of anonimity. It should not be this way, but sometimes people have to learn from their mistakes the hard way.
  • by arodland ( 127775 ) on Sunday March 20, 2005 @11:45AM (#11990793)
    Has Western Union never heard of calling the number back?
    • They'll probably get sued out of existence for patent infringement if they do that.
    • Am I the only one that knows what this is about, as I've **actually** used this service? They do call back to verify you are at the number you say you are calling from, and can compare the number that shows up on caller id. The problem relates to a situation I used to xfer cash last week in fact, while I was in London. I called through my company's voip, and used my desk extension which they have on file. They were able to call back, verfying I was in California. I wasn't. This was a legitimate use, a
  • Can't they... (Score:2, Insightful)

    Get a goddamned 800 number, and use less-spoofable ANI identification? I mean, really.
    • by Anonymous Coward
      I love how Slashdot always seems to know the answer to everything, in an everybody-is-stupid-except-me kind of way.

      What is more likely -- that the technology department of Western Union, one of the largest financial companies in the world -- hasn't thought of that idea, or that they have, and there is some issue that makes it not as easy as you think?

      Above, a poster pointed out that the best you can do with ANI is to verify that the phone call is VoIP. And as for an 800-number, Western Union lets you sen
    • Since they do use 800 numbers for money transfers I suspect either the author of the article or the person he was talking to was running the two together.
  • by Anonymous Coward on Sunday March 20, 2005 @11:47AM (#11990802)
    I got a call supposedly from a Timothy at Slashdot. The caller indicated they needed my help in verifying some spelling and asked if I recalled seeing a proposed story before. They indicated they needed my social security and mother's maiden name so they could verify my karma level. Needless to say the ThinkGeek coffee mug did not make up for the fact my savings account was drained.
  • Umm (Score:5, Insightful)

    by mindstrm ( 20013 ) on Sunday March 20, 2005 @11:49AM (#11990809)
    If western union is using caller ID to authenticate financial matters, western union is being stupid. IT's always been possible to fake caller ID.

    Let's not blame voip.
    • I agree it's primarily a case of using uselessly weak security measures, to obfuscate the fact that there is no security. Personaly, you'd think that VoIP would be the prefered way of doing this because it would be trivial to extend the standard to allow a unique digital signature to vouche for the calls origin, using a challenge/responce/nonce kinda of a thing.
  • by slavemowgli ( 585321 ) * on Sunday March 20, 2005 @11:50AM (#11990815) Homepage
    I think it's worth pointing out that the *real* problem (as usual) is not just technical issues, but also the end users. As long as people are naive enough to let themselves get talked into revealing personal details, passwords, credit card numbers, PINs (or whatever) over *any* medium (no matter whether it's email, over the phone, in person or anything else), phishing (and, more generally, fraud) *will* continue to be a problem.

    Technical measures may seem like they're helping on a short-term scale, but ultimately, they're just masking the real problem, which can only be solved by educating people and making it clear to them that security is something that does affect them directly.
  • by Anonymous Coward on Sunday March 20, 2005 @11:53AM (#11990835)
    If your bank, investment firm, or other institution calls you on the phone to ask you for any information, all you have to do is ask for a number where you may call them back. Sure, it is possible to hack into a trunk and redirect calls, but that takes a huge amount of effort relative to just phishing. It shouldn't be too hard to verify that number x belongs to institution Y. With a callback number, even if you get scammed, it gives the police something to go on.
    • I get so many auto-dialers and "bank services" calls I don't even answer the phone unless it's one of the few people I want to talk to. On the occasion that I pick up and get caught by some phone salesman, I politely say, "Can you hold on a minute...", then I put the phone down for an hour or so and hopefully they go out of business because of the long distance fees from India.
    • I've always wondered why google doesn't have a phonebook search, type in a name and get 3000 phone numbers, type in a phone number and get one name.

      gee sir I notice that my caller Id says Credit Fraud Prevention Services, but the number you gave me to return the info to is listed as Evil Phisher Corp in the Caymen Islands care to explain?

      OK I know with call forwarding services you could get arround it but at least it would increase the cost of entry enough to make these guys better targets for prosecution
      • I've always wondered why google doesn't have a phonebook search, type in a name and get 3000 phone numbers, type in a phone number and get one name.

        They do. Exactly as you describe. Input a phone number, and get a name and address. It is trivial, however, to remove yourself [] from this 'service'.

    • From time to time, my account rep at my bank calls just to say hi and offer more account add-ons.

      She's Russian.

      This would be major red-flag territory had I not MET her in person at the bank, seen that she actually works there, and is totally legit.

      She's also cute as hell and has that accent. Grrr. I think it's a secret weapon.
  • Internet worms that snarl online networks can render VOIP lines unusable, and experts at AT&T (Research) say VOIP conversations can be monitored or altered by outsiders.

    They sure went to a reliable source. VOIP can be tapped? Interrupted?? Why, it's impossible to do that with conventional phone lines!!

  • Anybody with access to a phone switch can easily spoof Caller ID. It should NOT be used by companies as a form of verification, since it is so easy to spoof. Companies should utilize internal IDs or passwords for sensitive information. It's just plain stupid to depend on Caller ID as a form of verification.
  • I remember when the BBS's used to call you back on the number you provided to verify you were giving them the correct number. Maybe a feature like this would help cut down on these issues.
    • "I remember when the BBS's used to call you back on the number you provided to verify you were giving them the correct number."

      Unlike online banks, BBS operators used to understand security (because they had a real need to as they had constant cracking attempts). Even now, you can recognise the occasional BBS operator with their SSL websites, a web-of-trust that actually works, and a PGP key that has been taken to a keysigning party or two.

      Compare to the banks who are still saying "the verisign certifica
    • Sure do.

      Just staying on the line after the BBS hung up and playing a dialtone into the phone, waiting for them to try to dial back, and then answering normally was enough to get around that in the cases where they only had one line.

  • Sharing Secrets (Score:5, Interesting)

    by wheelbarrow ( 811145 ) on Sunday March 20, 2005 @11:57AM (#11990860)
    This is really a matter for public education rather than the heavy hand of the law to solve.

    I'd like to start a consumer movement where each consumer can generate a set of private and public encryption keys. The consumer can publish the public key and it will be used by credit card issuers to issue new credit card numbers to the consumer. Then, only the consumer can decrypt and use those numbers. If consumers use this as the only means of transferring critical personal information then the phishers will be defeated.
    • Start a movement by writing a piece of software. Make a phone contact manager that keeps a public key in each contact, validating every caller. Make it send a new public key, SMS/email/voicemail, to every authenticated caller (pressing "authenticated" during the call should do it). Every user will be a convert to your movement, without the heavy, polarizing politics. It will deny ID theft, and make you some money - which you could spend lobbying.
  • by GPLDAN ( 732269 ) on Sunday March 20, 2005 @11:59AM (#11990867)
    I noticed that when setting up a Cisco Call Manager with a PRI, that I could signal out on the SS7 D-channel pretty much any CLID information I wanted. And the phone switch would accept it.

    Phone switch software has to trust certain types of trunk lines. This type of scam was available to PBXs, but the phone companies could trace it to the circuit that introduced the spoof, because they had records of the actual dialed number.

    Same thing needs to happen with Vonage and others. They need to install a digital certificate on the box they send you and the call setup needs to have something like a X.509 signature. The soft switch run by the Vonage like company maps where the real box came from, doesn't accept any signatures it doesn't know, and records the originating src-ip address. Sudden and often changes in src-ip address means the customer gets a service message in their account asking them to verify. Just like credit card fraud protection.

    And most importantly, the Vonages of the world are held responsible legally for it through legislation.
  • Universal Remote (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Sunday March 20, 2005 @12:14PM (#11990934) Homepage Journal
    Contact lists should include passwords. Smartphones are very well positioned to close all these authentication holes - they can have a single authentication, either password, thumbscan, or other, protecting the whole keyring. If the caller has a smartphone, their phone should get a password - or more likely, a certificate - when they first call. Anyone calling without a certificate, like from a borrowed phone, should get a challenge to enter a password, or leave a voicemail. When any call is made to a person without a certificate, the phone should offer (with a simple "OK"/"Cancel" dialog) the caller to give the recipient a new certificate/password. Make the phones do all the work, with just a simple dialog to OK the issuance of credentials. Let the phones backup to PCs with a single button-push - over the 3G or local - sending only encrypted data to storage.

    If every smartphone did this, we'd expand the P2P web of trust exponentially. ID theft would drop, phone spam would plummet, and more people would buy smartphones. The key is making it extremely easy. And considering the hairy ID system we now wrestle with, there's room in this one for just a little UI and transaction structure to actually make it simpler.
  • There are services offering this already online for a monthly fee, some people see them as fun to manipulate caller ID's and prank friends, but because of the anonymity of the service they are already being abused
  • I have been using Gnupg for how many years now? I can not even remember. And some corporations still have the nerve to claim it is not possible to securely identify yourself. In Norway, a insecure and closed system called BankID is currently being forced upon bank customers. This is a system where those who make it know it is insecure to the extent they dare not give anyone the source code or show the inner workings. GNUPG is secure, open and can be tested. It beats me why any bank would use something as st
  • The phone system trusts the sender to send accurate caller-id. Anybody with a good digital connection to a phone company can spoof caller-id to their heart's content.

    Verifying the VoIP user only works if it becomes mandatory to accurately certify the identity of the caller across the telephone network. Since the phone companies don't do this with each other today, they should start by getting their own house in order first.
  • by Cryofan ( 194126 ) on Sunday March 20, 2005 @12:32PM (#11991050) Journal
    And what a coincidence that we are having a rash of articles trying to demonize and FUDize VOIP and WiFi. Just in time for all this legislation that the telcos and cable companies are trying to push through in many states, legislation that would outlaw municipal wifi, for example.

    What a coincidence...
  • Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are valid.

    "We try hard to stay one step ahead of them and recognize that scam artists are sophisticated and often change their schemes," she said.

    Furthermore, when logging in to the Western Union website, one has to yell their password by megaphone in the direction of corporate HQ. Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are

  • Anyone (Score:3, Informative)

    by Exter-C ( 310390 ) on Sunday March 20, 2005 @01:01PM (#11991219) Homepage
    Anyone that is stupid enough to give anone any details about themselves when they are called almost deserve to have their identity or information stolen and used against them. I remember when I got an account with my bank that had a pin number on my card when I was about 12 (15years ago).. back then the bank said they would NEVER call me to ask for my details. So what is new?... or is it that people dont listen to the paper/information sheets that are given to you with your account?...

    If anyone ever rings me and asks for any personal details I just tell them to get stuffed.. Or if it sounds legit ill request to ring them back on a number that I have for them. Its not that hard to stay safe from bank fraud.
  • I've got a landline that's set to ring all my phone#s simultaneously, including my mobile phone. I want to call someone from my mobile, but I want them to get my landline#, so they can call me back at whichever phone I've got. I want to "spoof" my own landline#, as a callerID "Reply-To". It's a big mistake to use only one number for replies and authentication.
  • Solution (Score:4, Insightful)

    by t_allardyce ( 48447 ) on Sunday March 20, 2005 @02:20PM (#11991746) Journal
    This is what gets me about the entire telemarketing industry -

    If you get a phone call and someone tries to sell you something, you have absolutely no idea who they really are, what company they really represent and even if they are in the same country as you, why on earth would anyone give them credit card details to make a purchase?!?

    Im surprised this hasn't been going on for decades:
    1) Call random people
    2) Offer them an amazing deal
    3) Take credit card and address details
    4) Fucking profit big-time

    Add to that, find a country that has no extradition treaties with yours and only call people in that country, the long-distance charge will be worth it from all the money you rake in from total fucking idiots who are prepared to give you their credit card without any credentials.

    The fact that there actually is a telemarketing industry proves that some people must be stupid enough. From now on I propose a special 'code word' which will be known among telemarketers and non-stupid people the conversation will go something like this:

    A: Good morning sir, Im wondering if you would be interested in this special offer we..
    B: Banana!
    A: Oh terribly sorry to bother you sir, ill take you off all telemarketing lists immediately, thank you.

    This code word has basically told the marketer that you are not a total retard and are not worth calling in the future so that they may remove you from their list and actually save themselves time and money! All the actuall idiots who would fall for this crap can then have more telemarketers calling them and everyone is happy..

  • Job Vacncies. (Score:2, Interesting)

    Hi, I'm an stranger but I can give you a job, all you have to do is send me your entire life story, where you've worked, where you went to school, you age etc...

    It won't be long before people start using job advertisements for identity theft, it's just so easy, from the average CV you'd get enough information to pass most security checks, and it only takes a birth certificate to get you mothers maiden name.

    The best thing is that the UK government want you to provide even more information to prove you
  • Western Union can be verified via faked phone called, a COB (thats a change of billing), or via chat with a WU rep in some cases.
  • What ever happened to good old fashioned ANI? You can't spoof that.

    Caller-ID is a hack, plain and simple. There are two phone numbers that really matter - the one reported as Caller-ID data and the billing telephone number.

    For most consumers - the BTN and the Caller-ID number are the same. It only becomes a problem for business but even they can set both ANI delivery and CLID delivery to be the same for all their outbound trunks but few businesses have people in their I.T. and telecom units that would
  • Western Union commented on the situation, stating at this time it's the only way they know how to authenticate the call.

    I guess nobody at WU has ever heard of PPP [] Callback []? Nope, wouldn't wanna build on a proven successful technology or anything like that.

  • I present on Identity Theft all over the Western United States, came across this forum, and thought I would throw in my two cents.

    In response to someone's post, job ads are already being used for Identity Theft. ranks it among their biggest problems- fake companies posing as real companies.

    Someone on this forum stated that you would have to be dumb to lose your information. I beg to differ.

    No matter how good you are, no matter how vigilant, no matter how much you shred, or don't mail fro

Never buy from a rich salesman. -- Goldenstern