Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-11 Thread Don Kelly
I've assumed that the client is not present when the cleaners arrive.

  --Don



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-11 Thread Sebastian Nielsen
Personally, if I was a client, I would rather have the personnel answer the
phone than make an outgoing call, if I could choose.
If you think of billing and costs.
So if a client allows outgoing, I don't think they have any problems with
answering a call immediately following either.

But I assume the client will be billed for the time the personnel works
there?
And that's why you have this "phone verification system", to avoid discussion
about how long the company has been there and unfair bills?

Then you could have it this way instead:
1: Give the client (not personnel) a PIN code.
2: The client calls and enters the PIN.
3: The employee gets an SMS/email/push message/paging tone that he can start
working.
4: When the employee is done, the client calls again and enters the PIN. This
will stop billing.
5: When billing is stopped, the employee gets an SMS/email/push
message/paging tone that he can stop working.


This will be rock solid. The employee only needs to check for the SMSes.
The SMSes prevent the client from cheating the system to get cheaper
service, like claiming to start when they do not, or calling for stop
before the employee is finished, because the employee will only work when he
gets the start signal, and will stop working at the stop signal.

There's no risk that the client will call in and check in/check out when the
employee is not there, because that would cause the client to be billed for
rendered services.



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-11 Thread Don Kelly
As a client, I don't want service company personnel answering my phone.

As a service company, I don't want my clients thinking that I do not trust
my employees who are at the client facility.

  --Don


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at:
https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-11 Thread Adam Goldberg
Seems like this is the best idea (challenge-response), a callback.  No matter 
the callerid, you don't know where the caller is.  But if you place a call BACK 
to the callerid, it's going to go to the destination.  Then you either need the 
phone to be answered, or the phone to be answered and the challenge entered.


Adam Goldberg
AGP, LLC
+1-202-507-9900



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-11 Thread J Montoya or A J Stiles
On Wednesday 10 May 2017, Steve Edwards wrote:
> On Wed, 10 May 2017, J Montoya or A J Stiles wrote:
> > Presumably your staff carry mobile phones.  What about an app that gets
> > the ID of the cell tower to which it is connected, and passes it and the
> > SIM number in a HTTP request to a server you control?
> 
> The problem is that they are supposed to use the 'site landline' to
> confirm presence -- not their cell phone with the spoofed CID.

Yes; but the whole point is that the caller ID from the site landline is no 
longer reliable enough as evidence, by itself, that somebody is actually 
there.

A custom app could read the ID of the cell tower to which it was connected -- 
or even the phone's GPS co-ordinates -- and transmit that back to base over 
the Internet.  Preferably with some sort of precautions to make the request 
harder to forge  (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and 
CID in the query string).  If your app makes its connection via the site's 
wi-fi  (which will require the co-operation of the client)  as opposed to the 
mobile network, so much the better, as there will be an IP address against 
which you can match.


If you insist on using the site landline for your authentication, you could 
extend the protocol to a full challenge-and-response as follows:  Play a 
series of digits down the line to the caller, return the call as soon as they 
hang up, and ask them to dial the same digits they just heard.  All this can 
be done in the dialplan  (you might need to record some announcements of your 
own, such as "Please memorise the following digits" and "Please dial the 
digits you heard in the last call").  

Intercepting incoming calls *to* a number is much harder  (usually requiring 
the co-operation of telcos, unless the interloper has access to some equipment 
through which they know that the call will be routed; that potentially 
includes your Asterisk, but any tampering there would be evident)  than 
falsifying outgoing calls *from* a number.  


It would be much more fun to mount a "sting" operation to catch the 
perpetrators red-handed  (say, falsely set off a fire alarm while you know they 
are slacking off down the pub instead of looking after the site like they are 
paid for) ... but maybe I have just been watching too many detective 
dramas on TV!

-- 
JM

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Tim S
Rather than that, if you're looking for a phone solution - as part of the
customer contract, install an IP phone that registers with your system (use
a VPN tunnel to your phone system).  Think of it like a "red-phone"
hotline.  You own the phone, and you physically install it and it only
talks to your system via a SIP registration.  That way you can confirm the
physical source of the call origination, and you can control what the phone
will be able to call (make a speed dial to a base-64 address - something
that can't be dialed with a conventional phone line, and block all other
outgoing numbers).  A nice side effect of this is that you give your
employees/contractors a fixed and predictable way of getting in touch with
management if there is a problem (just another speed-dial number).

Keep in mind that without a "Something you are" factor of authentication,
people have the escape route of telling their coworker "hey log me in...".
Fingerprint, hand scan, or retina reading are the most common ways to
verify the presence of a live person at a fixed point.

It's unfortunate that you have this problem; I've seen it before though.
To paraphrase Jeff Goldblum's Dr. Malcolm in Jurassic Park: "Life finds a
way...".  I have been shocked and amazed at the ingenuity of people to be
lazy and cheat or game a system.  What you are running into is the same
problem we have with websites - if you don't 100% control the end to end
communication and the devices, you can't trust any data coming into your
system!!!

A common way for security patrol auditing is to install iButtons with a
unique 64-bit number and a secure transaction function.  A patrol or
janitor would have to physically touch the reader to the iButton at specified
way-points for a read to occur and be logged, and the patrol or janitor
turns in the reader after every shift for download and auditing.

-Tim

On Wed, May 10, 2017 at 8:11 AM, Steve Edwards 
wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
>
> How can I detect a fake CallerID? The INVITE looks the same to me.
>
> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?
>
> --
> Thanks in advance,
> -
> Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
> https://www.linkedin.com/in/steve-edwards-4244281
>

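Tim's "red phone" above, written out as an added example (mine, not Tim's and not Asterisk project code): a pjsip.conf endpoint that only accepts registration and calls from the VPN subnet, plus a dialplan context that lets the phone reach exactly two destinations. The subnet 10.99.1.0/24, the endpoint and context names, the password and the prompt files are placeholders I made up; the point is that the site is identified by which endpoint registered, not by a caller ID the PSTN hands you.

```ini
; Added example, not from the thread: a site "red phone" that registers over the
; company VPN and can dial only the clock-in service and the duty manager.
; Placeholders: 10.99.1.0/24 (VPN range), site1-*, duty-manager, custom/* prompts.

; ---- pjsip.conf ----
[site1-auth]
type=auth
auth_type=userpass
username=site1-phone
password=CHANGE-ME-long-random

[site1-phone]
type=aor
max_contacts=1            ; one registration at a time: a second phone cannot shadow it
qualify_frequency=60      ; OPTIONS ping; you notice within a minute if the phone vanishes

[site1-phone]
type=endpoint
context=site-phones       ; everything this phone dials lands in the context below
disallow=all
allow=ulaw
auth=site1-auth
aors=site1-phone
deny=0.0.0.0/0.0.0.0      ; refuse SIP from anywhere ...
permit=10.99.1.0/24       ; ... except the VPN subnet handed to site phones
callerid="Site 1 red phone" <1001>   ; the CID is now set by you, not by the PSTN

; ---- extensions.conf ----
[site-phones]
; 1 = clock in/out. The endpoint name identifies the site; no caller ID involved.
exten => 1,1,Answer()
 same => n,Set(SITE=${CHANNEL(endpoint)})
 same => n,Set(DB(clockin/${SITE}/last)=${EPOCH})
 same => n,Playback(custom/clock-in-confirmed)
 same => n,Hangup()
; 2 = speed dial to the duty manager (an internal endpoint, assumed to exist).
exten => 2,1,Dial(PJSIP/duty-manager,30)
 same => n,Hangup()
; Anything else is refused: exact extensions match before this pattern does.
exten => _X.,1,Playback(custom/not-permitted)
 same => n,Hangup()
```

The `deny`/`permit` pair on the endpoint is what turns "the phone is on the VPN" into something Asterisk actually checks; without it the same credentials would work from any address. It still does not prove which person pressed the button, which is Tim's "something you are" caveat.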
Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread D'Arcy Cain

On 2017-05-10 04:15 PM, Sebastian Nielsen wrote:
> The thing is then to be able to record which IP is the client, but if your
> services are ordered by the client via some web form, you could have that IP
> be recorded as "client IP" and the employee must check in/check out from
> that IP.


IPs change.  Also, the client may not have ordered the service from the 
office.  They may have bought the service for multiple locations from 
head office.  Too many variables.


You may have to think about hardware.  Some sort of RF device installed 
at the client with a unique ID.  The employee waves his keychain at the 
device, it connects to your office and sends the employee's ID and its 
own.  A card reader is another possibility or bar code reader.


Of course that's not a phone solution so I guess it is off topic here.

--
D'Arcy J.M. Cain
Vybe Networks Inc.
http://www.VybeNetworks.com/
IM:da...@vex.net VoIP: sip:da...@vybenetworks.com



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Sebastian Nielsen
Since the callback happens immediately after hanging up, the risk of
answering a call that isn't theirs is minimal.
For those sites that divert their incoming calls to a PBX or answering
machine, you could have some config/database that excepts these sites from
callback verification.
(which means these sites run the risk of fake callerID).


Another variant could be that they must visit a specific website using a
Wifi or computer at the client. You record the IP.
Spoofing the IP in a TCP three-way handshake is almost impossible.

The thing is then to be able to record which IP is the client, but if your
services are ordered by the client via some web form, you could have that IP
be recorded as "client IP" and the employee must check in/check out from
that IP.

This could be used in unison with the phone verification, so the employee
can select which fits best for the environment.
(e.g., they choose phone verification or web verification)



-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Sebastian
Nielsen
Sent: Wednesday, May 10, 2017 2:46 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

Use a callback.
So when clocking in/out, they will hear a random 4 digit PIN, like "Enter
four, three, six, eight at the callback".
After they hang up, the phone will ring, and then they will have to confirm with
the 4 digit PIN.

If they aren't present: the phone at the site will ring, and the person
at the site (that isn't your employee) cannot carelessly just OK it because they
haven't heard the PIN.
If they are present: the phone at the site will ring, and the employee
will be able to enter the PIN they just heard. Whether they fake the callerID or
not at the initial call does not matter, since you have verified with a
callback.

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: 10 May 2017 19:13
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones.  What about an app that 
> gets the ID of the cell tower to which it is connected, and passes it 
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm
presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
 https://www.linkedin.com/in/steve-edwards-4244281


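The PIN callback that Sebastian describes in the quoted "Use a callback" message, and that J Montoya's message spells out as a full challenge-and-response in the dialplan, as one worked extensions.conf example. This is added here by the editor; it is not code from anyone in the thread and not Asterisk project code. It assumes an `outbound` context that can actually dial the PSTN number, prompt files under `custom/` that you record yourself (J Montoya's "Please memorise the following digits" and so on), and an Asterisk recent enough for the `a` (asynchronous) option of `Originate()`; all of those names are placeholders.

```ini
; Added example, not from the thread: PIN callback clock-in for extensions.conf.
; Assumed: an "outbound" context that dials the PSTN, prompts under custom/ that
; you record yourself, and Originate()'s "a" option (asynchronous).

[clockin-inbound]
; Step 1: the employee dials the clock-in number from the site landline.
exten => _X.,1,Answer()
 same => n,Set(SITE=${CALLERID(num)})
 same => n,Set(PIN=${RAND(1000,9999)})
 ; Remember the PIN and when it was issued, keyed by the number the caller
 ; *claims* to be. The CID may be spoofed; nothing is trusted yet.
 same => n,Set(DB(clockin/${SITE}/pin)=${PIN})
 same => n,Set(DB(clockin/${SITE}/issued)=${EPOCH})
 same => n,Playback(custom/please-memorise-digits)
 same => n,SayDigits(${PIN})
 same => n,Hangup()

; Step 2: h runs once the caller has hung up. Ring the claimed number back.
; A spoofed CID cannot make the real site phone ring anywhere else.
exten => h,1,Originate(Local/${SITE}@outbound,exten,clockin-callback,${SITE},1,30,a)

[clockin-callback]
; Step 3: the site phone answered; ${EXTEN} is the number we just dialled.
exten => _X.,1,GotoIf($[${DB_EXISTS(clockin/${EXTEN}/pin)} = 0]?fail)
 same => n,Set(EXPECTED=${DB(clockin/${EXTEN}/pin)})
 same => n,Set(ISSUED=${DB(clockin/${EXTEN}/issued)})
 ; A PIN older than two minutes is stale: whoever answers now is probably
 ; not the person who heard it.
 same => n,GotoIf($[${EPOCH} - ${ISSUED} > 120]?fail)
 ; Two attempts, 10 s each, to dial the four digits just heard.
 same => n,Read(ENTERED,custom/please-dial-digits,4,,2,10)
 same => n,GotoIf($["${ENTERED}" != "${EXPECTED}"]?fail)
 ; This timestamp, not the original inbound call, is what the attendance
 ; application should trust.
 same => n,Set(DB(clockin/${EXTEN}/verified)=${EPOCH})
 same => n,NoOp(Clock-in verified for ${EXTEN})
 same => n,Playback(custom/clock-in-confirmed)
 same => n,Goto(done)
 same => n(fail),NoOp(Clock-in NOT verified for ${EXTEN})
 same => n,Playback(custom/verification-failed)
 ; Either way the PIN is one-shot: a second callback cannot reuse it.
 same => n(done),NoOp(${DB_DELETE(clockin/${EXTEN}/pin)} ${DB_DELETE(clockin/${EXTEN}/issued)})
 same => n,Hangup()
```

Don's objection still applies: a site whose incoming calls go to an auto attendant or answering service never reaches `clockin-callback`, so those sites need the exemption list Sebastian mentions, and the attendance application should treat an unverified clock-in from such a site as exactly that.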
Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Don Kelly
It's probably not practical to have them answering the client's telephone!
At a lot of sites, incoming calls would be handled by auto attendant,
diverted to answering service, etc.

  --Don


-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Sebastian
Nielsen
Sent: Wednesday, May 10, 2017 2:46 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

Use a callback.
So when clocking in/out, they will hear a random 4-digit PIN, like "Enter
four, three, six, eight at the callback".
After they hang up, the phone will ring, and then they will have to confirm with
the 4-digit PIN.

If they aren't present: the phone at the site will ring, and the person
at the site (who isn't your employee) cannot carelessly just OK it because they
haven't heard the PIN.
If they are present: the phone at the site will ring, and the employee
will be able to enter the PIN they just heard. Whether they fake the callerID or
not at the initial call does not matter, since you have verified with a
callback.

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: 10 May 2017 19:13
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones.  What about an app that 
> gets the ID of the cell tower to which it is connected, and passes it 
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm
presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
 https://www.linkedin.com/in/steve-edwards-4244281






Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Sebastian Nielsen
Use a callback.
So when clocking in/out, they will hear a random 4-digit PIN, like "Enter
four, three, six, eight at the callback".
After they hang up, the phone will ring, and then they will have to confirm with
the 4-digit PIN.

If they aren't present: the phone at the site will ring, and the person
at the site (who isn't your employee) cannot carelessly just OK it because they
haven't heard the PIN.
If they are present: the phone at the site will ring, and the employee
will be able to enter the PIN they just heard. Whether they fake the callerID or
not at the initial call does not matter, since you have verified with a
callback.

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: 10 May 2017 19:13
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones.  What about an app that 
> gets the ID of the cell tower to which it is connected, and passes it 
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm
presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
 https://www.linkedin.com/in/steve-edwards-4244281





Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Steve Edwards

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

Presumably your staff carry mobile phones.  What about an app that gets 
the ID of the cell tower to which it is connected, and passes it and the 
SIM number in a HTTP request to a server you control?


The problem is that they are supposed to use the 'site landline' to 
confirm presence -- not their cell phone with the spoofed CID.


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Don Kelly
You have an unusual situation--you suspect caller ID spoofing by a known
person. 

Under the Truth in Caller ID Act, FCC rules prohibit any person or entity
from transmitting misleading or inaccurate caller ID information with the
intent to defraud, cause harm, or wrongly obtain anything of value. Anyone
who is illegally spoofing can face penalties of up to $10,000 for each
violation.

Making it clear to your employees that spoofing will result in termination
might be enough.

Requiring employees to have a phone that you can locate would allow you to
check from time to time.

  --Don





-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: Wednesday, May 10, 2017 10:12 AM
To: Asterisk Users Mailing List
Subject: [asterisk-users] How to detect fake CallerID? (8xx?)

I have a 'time and attendance' application. Think janitorial or security
kind of thing where an employee goes from location to location.

They're supposed to 'clock in' when they get to a site using a phone at that
site to prove they're there.

Some employees have discovered 'fake caller ID' services can be used to say
they're on site when they are not.

How can I detect a fake CallerID? The INVITE looks the same to me.

If I have the employees call an 8xx number, can I ask my SIP provider to
include more headers to show the real ANI? What would that service be
called?

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
 https://www.linkedin.com/in/steve-edwards-4244281





Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread J Montoya or A J Stiles
On Wednesday 10 May 2017, Steve Edwards wrote:
> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
> 
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
> 
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.

There are legitimate reasons for faking an ident.  For instance, if you are 
using multiple services in parallel to connect to the Outside World.  While we 
had such a setup, we arranged with our SIP provider to attach numbers 
associated with our ISDN-30 line to calls we were making.  And if you are 
providing something like a "transparent call recording" service, you need to 
lay the ident of the incoming call leg onto the outgoing call.

Unfortunately, as you've discovered, the service can be abused.

> How can I detect a fake CallerID? The INVITE looks the same to me.

You can't.  Only the first telephone company through which the call passes can 
tell for sure where a call is coming from.  The next company through whose 
equipment it is passing can alter it, and nobody downstream will be any the wiser.

Remember, even though it's now packet-switched and multiple-redundantly-routed 
underneath, the whole telephone network is still basically emulating an 
old-fashioned, circuit-switched network; where calls get connected from the 
originator's local exchange onto a trunk to pass on to another exchange, and 
all the next exchange downstream knows for sure is which approximate direction 
it came in from and where it's going to.  Information that would once have 
been implied by which pair of wires the signal was travelling down is now 
sent separately, and subject to modification en passant.

> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?

Not really.  You need to backtrack a little and rethink.  Caller ID is just 
not something that you can rely on anymore.

Presumably your staff carry mobile phones.  What about an app that gets the ID 
of the cell tower to which it is connected, and passes it and the SIM number 
in an HTTP request to a server you control?  You'll obviously need to do some 
sort of authentication dance, otherwise anyone could just manually craft a URL 
representing any location.  (But since it's your app, you can effectively embed 
a different key into every copy; so in the worst case, anyone trying anything 
naughty is only able to spoof one handset.  An .apk file is basically a .zip 
archive; so you should be able to unzip it into a folder structure, use your 
favourite scripting language to regenerate the keyfile and zip it back up.  
This might even scale.)

-- 
JM or AJS

Note:  Originating address only accepts e-mail from list!  If replying off-list, 
change address to asterisk1list at earthshod dot co dot uk .
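The "authentication dance" JM/AJS alludes to, as an added example that is not from the thread: a server-side check that accepts a check-in only if it is signed under the per-handset key, is fresh, and has not been replayed. The request field names, the key store and the freshness window are assumptions.

```python
"""Server-side verification of an app check-in: each distributed copy of
the app carries its own key, so a request is accepted only if its HMAC
verifies under the key of the handset it claims to be, its timestamp is
fresh, and its nonce has not been seen before. Added example, not the
thread's code; the field names and key store are assumptions."""
import hmac
import hashlib
import time

FRESHNESS_SECONDS = 300          # assumed tolerance for clock skew / transit

# Constructed sample key store: one key per app copy / handset.
HANDSET_KEYS = {
    "handset-A": b"constructed-key-for-A",
    "handset-B": b"constructed-key-for-B",
}


def canonical(handset_id, cell_id, sim_id, ts, nonce):
    # Fixed field order so client and server MAC exactly the same bytes.
    return "|".join([handset_id, cell_id, sim_id, str(ts), nonce]).encode()


def sign_checkin(key, handset_id, cell_id, sim_id, ts, nonce):
    """What the app computes before sending the HTTP request."""
    return hmac.new(key, canonical(handset_id, cell_id, sim_id, ts, nonce),
                    hashlib.sha256).hexdigest()


class CheckinServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.seen_nonces = set()     # replay cache (in-memory for the example)

    def verify(self, req):
        """req: dict with handset_id, cell_id, sim_id, ts, nonce, mac.
        True only for a fresh, unreplayed request signed with the key of
        the handset it names; a key from another handset cannot pass."""
        key = HANDSET_KEYS.get(req["handset_id"])
        if key is None:
            return False
        if abs(self.clock() - req["ts"]) > FRESHNESS_SECONDS:
            return False
        if req["nonce"] in self.seen_nonces:
            return False
        expected = sign_checkin(key, req["handset_id"], req["cell_id"],
                                req["sim_id"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False
        self.seen_nonces.add(req["nonce"])
        return True
```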



Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Andrew Latham
On Wed, May 10, 2017 at 10:11 AM, Steve Edwards wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
>
> How can I detect a fake CallerID? The INVITE looks the same to me.
>
> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?
>
> --
> Thanks in advance,
> -
> Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
> https://www.linkedin.com/in/steve-edwards-4244281
>
>
For dangerous material sites a call back was used. They call in and get a
code, the system calls back and asks for the code. Convoluted, yes, but the call
back was all that was really needed to thwart the fraud. A simple RFID pad
setup could be built to use a low-usage GSM plan to tag in the RFID on site.
But this is beyond the scope of telephony.

-- 
- Andrew "lathama" Latham  -
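The callback scheme that Sebastian Nielsen and Andrew Latham describe, as an added example that is not from the thread: the PIN bookkeeping an AGI or AMI script would keep for Asterisk, where the presented caller ID is ignored and the callback goes to the number on file. The Asterisk hooks, the site number table and the timeouts are assumptions.

```python
"""Callback-based clock-in verification. The inbound call only triggers a
random PIN; presence is proven by answering a callback to the site's
landline ON FILE and entering that PIN. Added example, not the thread's
code; Asterisk-side hooks are represented by plain function calls."""
import secrets
import time

PIN_TTL_SECONDS = 120        # assumed: PIN must be used on the callback in 2 min
MAX_ATTEMPTS = 3             # assumed: wrong PINs tolerated per callback

# Constructed sample data: site id -> landline the PBX dials back.
SITE_PHONES = {"site-17": "+17605551234"}


class Verifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # site_id -> [pin, issued_at, attempts_left]

    def clock_in_request(self, site_id, presented_cid):
        """Inbound call handler. presented_cid is deliberately not used for
        the decision because it can be spoofed. Returns the PIN to read
        out to the caller, or None for an unknown site."""
        if site_id not in SITE_PHONES:
            return None
        pin = f"{secrets.randbelow(10000):04d}"
        self.pending[site_id] = [pin, self.clock(), MAX_ATTEMPTS]
        return pin

    def callback_target(self, site_id):
        """Number the PBX must originate the callback to: the stored site
        landline, never the CID presented on the inbound call."""
        return SITE_PHONES[site_id]

    def callback_answered(self, site_id, entered_pin):
        """Run once the callback is answered and digits are collected.
        True only if the correct, unexpired PIN is entered; each PIN is
        single-use and is discarded after too many wrong attempts."""
        entry = self.pending.get(site_id)
        if entry is None:
            return False
        pin, issued_at, _ = entry
        if self.clock() - issued_at > PIN_TTL_SECONDS:
            del self.pending[site_id]
            return False
        if not secrets.compare_digest(entered_pin, pin):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[site_id]
            return False
        del self.pending[site_id]
        return True
```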

Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Adam Goldberg
It's approximately impossible with current infrastructure.

https://transition.fcc.gov/cgb/Robocall-Strike-Force-Final-Report.pdf



Adam Goldberg
AGP, LLC
+1-202-507-9900

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Doug Lytle
Sent: Wednesday, May 10, 2017 11:24 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

>>> I ask my SIP provider to include more headers to show the real ANI? 
>>> What would that service be called?

If it's anything like a PRI provider, I've been told the only way to get true 
CID, in those instances, would be to provide a 1-800 number (US) for them to 
call. Then you'd get correct CID, since you're paying for both legs of the call.

I do not know if this holds true for a SIP provider.

Doug




Re: [asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Doug Lytle
>>> I ask my SIP provider to include more headers to show the real ANI? What 
>>> would that service be 
>>> called?

If it's anything like a PRI provider, I've been told the only way to get true 
CID, in those instances, would be to provide a 1-800 number (US) for them to 
call. Then you'd get correct CID, since you're paying for both legs of the call.

I do not know if this holds true for a SIP provider.

Doug



[asterisk-users] How to detect fake CallerID? (8xx?)

2017-05-10 Thread Steve Edwards
I have a 'time and attendance' application. Think janitorial or security 
kind of thing where an employee goes from location to location.


They're supposed to 'clock in' when they get to a site using a phone at 
that site to prove they're there.


Some employees have discovered 'fake caller ID' services can be used to 
say they're on site when they are not.


How can I detect a fake CallerID? The INVITE looks the same to me.

If I have the employees call an 8xx number, can I ask my SIP provider to 
include more headers to show the real ANI? What would that service be 
called?


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
