VoIP and phishing

leichter_jerrold at emc.com
Thu Apr 27 16:58:43 EDT 2006


| the other point that should be made about voip is that callerid is
| trivial to spoof.
| 
| so if you are counting on the calling party being who they say the
| are, or even within your company, based on callerid, don't.
| 
| i predict a round of targeted attacks on help desks and customer
| service, as well as more general scams with callerid set to (say)
| "Visa Security".
To open a trouble ticket with IT where I work, you go to a Web page; or,
if you have problems using the network, you can use the phone.  When the
phone is replaced by one that uses VoIP, just how will one report network
outages?  I can't wait....

| does anyone know if time ANI from toll free services is still
| unspoofable?
The last I heard, it was fairly easy to *suppress* ANI (using games that
redirected calls the network saw as going to toll-free numbers), but
still difficult to *spoof* it.  Since ANI drives Telco billing - unlike
Caller ID, which is simply delivered to customers - the Telcos have an
interest in making it difficult to fake.  On the other hand, LD revenues
have been falling for years, so the funding to attack LD fraud has
probably been falling, too - given how many people now have "all you
can eat" plans, there's less and less reason to worry about them
stealing.

| some of my clients have been receiving targeted phishes recently that
| correctly name their bank and property address and claim to be about
| their mortgage.  this is information obtainable from public records.
I probably get an offer to refinance my mortgage every other week or
so.  The letters cite real information about me and my mortgage:  They
know its size, or at least they know the amount at the time I took out
the mortgage.

In low-income areas, there's a long history of fraudulent refinancing -
claiming you are getting a better loan for the person but really getting
him deeper and deeper in the hole while you pocket various fees.  I
wouldn't want to bet that all the come-on letters I receive are legitimate!
The only difference between some of this stuff and phishing is the
medium used.
							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
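The quoted reply's point that Caller ID is trivial to spoof on VoIP is easy to see at the SIP layer: the From header of an INVITE is written by whoever builds the message, so a help desk that displays it as the caller's identity is trusting the attacker. The following is an added example, not code from the mailing-list post, showing one way a PBX or SBC could separate a claimed identity from an asserted one. It assumes a configured list of trusted upstream trunks (the address 198.51.100.10 is made up), and the rule that only a P-Asserted-Identity header (RFC 3325) arriving from such a trunk counts as verified; the two INVITE messages are constructed for illustration.

```python
"""Separate claimed from verified caller identity in a SIP INVITE.

Added example, not from the original post.  The trunk address list and the
two INVITEs below are constructed.  The trust rule (P-Asserted-Identity is
honoured only from a trusted trunk; everything else is an unverified claim)
is an assumption about how a PBX or SBC could be configured.
"""
import re

# Constructed: upstream carrier trunks whose P-Asserted-Identity we trust.
TRUSTED_TRUNKS = {"198.51.100.10"}

# Constructed: INVITE from an arbitrary Internet host claiming to be "Visa Security".
SPOOFED_INVITE = (
    "INVITE sip:helpdesk@corp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7;branch=z9hG4bK1\r\n"
    'From: "Visa Security" <sip:8005551234@visa.example>;tag=1\r\n'
    "To: <sip:helpdesk@corp.example>\r\n"
    "Call-ID: spoof-1@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

# Constructed: INVITE relayed by a carrier trunk that asserts the real number.
TRUNK_INVITE = (
    "INVITE sip:helpdesk@corp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10;branch=z9hG4bK2\r\n"
    'From: "Alice" <sip:alice@carrier.example>;tag=2\r\n'
    "To: <sip:helpdesk@corp.example>\r\n"
    "P-Asserted-Identity: <sip:+12025550147@carrier.example>\r\n"
    "Call-ID: trunk-1@198.51.100.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

# Matches 'Display Name <sip:user@host>' with or without quotes around the name.
NAME_ADDR = re.compile(r'^(?:"?([^"<]*?)"?\s*)?<sip:([^@>]+)@([^>;]+)>')


def parse_headers(raw: str) -> dict:
    """Return {lowercase-header-name: value} for the header section of `raw`."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def split_name_addr(value: str):
    """Split a From/PAI value into (display name, user part, host part)."""
    m = NAME_ADDR.match(value)
    if not m:
        return ("", "", "")
    display, user, host = m.groups()
    return ((display or "").strip(), user, host)


def caller_identity(raw: str, source_ip: str) -> dict:
    """Decide what to show the help desk for an INVITE received from `source_ip`.

    The From header is always reported as a claim.  The number is marked
    verified only when a trusted trunk supplied P-Asserted-Identity; a PAI
    header from anywhere else is just another attacker-controlled line.
    """
    h = parse_headers(raw)
    display, user, _host = split_name_addr(h.get("from", ""))
    pai = h.get("p-asserted-identity")
    if pai and source_ip in TRUSTED_TRUNKS:
        _, pai_user, _ = split_name_addr(pai)
        return {"number": pai_user, "verified": True, "claimed_name": display}
    return {"number": user, "verified": False, "claimed_name": display}


def render(identity: dict) -> str:
    """One-line display string that never hides the verification status."""
    status = "verified" if identity["verified"] else "UNVERIFIED caller ID"
    return f'{identity["claimed_name"] or "(no name)"} [{status}: {identity["number"]}]'


if __name__ == "__main__":
    print(render(caller_identity(SPOOFED_INVITE, "203.0.113.7")))
    print(render(caller_identity(TRUNK_INVITE, "198.51.100.10")))
    # The same trunk INVITE replayed from an untrusted host loses its status.
    print(render(caller_identity(TRUNK_INVITE, "203.0.113.7")))
```

The third call in the demo is the important one: the same message, P-Asserted-Identity included, arriving from an untrusted address is downgraded, because the header only means something when the network element that added it is one you have a trust relationship with.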