Re: [asterisk-users] How to detect fake CallerID? (8xx?)
I've assumed that the client is not present when the cleaners arrive.

--Don
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Personally, if I was a client, I would rather have the personnel answer the phone than make an outgoing call, if I would choose. If you think of billing and costs. So if a client allows outgoing, I don't think they have any problems with answering a call immediately following either.

But I assume the client will be billed for the time the personnel works there? And that's why you have this "phone verification system", to avoid discussion about how long the company has been there and unfair bills?

Then you could have it this way instead:

1: Give the client (not personnel) a PIN code.
2: The client calls and enters PIN.
3: The employee gets a SMS/email/push message/paging tone, that he can start working.
4: When the employee is done, the client calls again, and enters PIN. This will stop billing.
5: When billing is stopped, the employee gets a SMS/email/push message/paging tone he can stop working.

This will be rock solid. The employee only needs to check for the SMSes. The SMSes prevent the client from cheating the system to get cheaper service, like claiming to start when client does not, or calling for stop before the employee is finished, because the employee will only work when he gets start signal, and will stop working at stop signal.

There's no risk that the client will call in and check in/check out when the employee is not there, because that would cause the client to be billed for rendered services.
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
As a client, I don't want service company personnel answering my phone.

As a service company, I don't want my clients thinking that I do not trust my employees who are at the client facility.

--Don
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Seems like this is the best idea (challenge-response), a callback.

No matter the callerid, you don't know where the caller is. But if you place a call BACK to the callerid, it's going to go to the destination. Then you either need the phone to be answered, or the phone to be answered and the challenge entered.

Adam Goldberg
AGP, LLC
+1-202-507-9900
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
On Wednesday 10 May 2017, Steve Edwards wrote:
> On Wed, 10 May 2017, J Montoya or A J Stiles wrote:
> > Presumably your staff carry mobile phones. What about an app that gets
> > the ID of the cell tower to which it is connected, and passes it and the
> > SIM number in a HTTP request to a server you control?
>
> The problem is that they are supposed to use the 'site landline' to
> confirm presence -- not their cell phone with the spoofed CID.

Yes; but the whole point is that the caller ID from the site landline is no longer reliable enough as evidence, by itself, that somebody is actually there.

A custom app could read the ID of the cell tower to which it was connected -- or even the phone's GPS co-ordinates -- and transmit that back to base over the Internet. Preferably with some sort of precautions to make the request harder to forge (i.e., *not* just a plain HTTP GET with the MCC, MNC, LAC and CID in the query string). If your app makes its connection via the site's wi-fi (which will require the co-operation of the client) as opposed to the mobile network, so much the better, as there will be an IP address against which you can match.

If you insist on using the site landline for your authentication, you could extend the protocol to a full challenge-and-response as follows: Play a series of digits down the line to the caller, return the call as soon as they hang up, and ask them to dial the same digits they just heard. All this can be done in the dialplan (you might need to record some announcements of your own, such as "Please memorise the following digits" and "Please dial the digits you heard in the last call").

Intercepting incoming calls *to* a number is much harder (usually requiring the co-operation of telcos, unless the interloper has access to some equipment through which they know that the call will be routed; that potentially includes your Asterisk, but any tampering there would be evident) than falsifying outgoing calls *from* a number.

It would be much more fun to mount a "sting" operation to catch the perpetrators red-handed (say, falsely set off a fire alarm while you know they are slacking off down the pub instead of looking after the site like they are paid for) ... but maybe I have just been watching too many detective dramas on TV!

--
JM

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
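An added example, not part of the original post, of one precaution of the kind suggested above: rather than a bare query string, the app sends the MCC, MNC, LAC and CID together with a timestamp, a one-time nonce and an HMAC-SHA256 tag under a per-device key, and the server refuses altered, stale or replayed reports. The field names, the 120-second window, the key store and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 120  # seconds a report stays acceptable (assumed value)

# Constructed sample: per-device secrets issued at enrolment (hypothetical store).
DEVICE_KEYS = {"device-17": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def canonical(report):
    """Deterministic encoding, so client and server MAC identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_checkin(device_id, key, mcc, mnc, lac, cid, now=None, nonce=None):
    """App side: cell identity plus timestamp and one-time nonce, then HMAC-SHA256."""
    report = {
        "device": device_id,
        "mcc": mcc, "mnc": mnc, "lac": lac, "cid": cid,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(16),
    }
    mac = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": mac}


class CheckinVerifier:
    """Server side: authenticate first, then check freshness, then refuse replays."""

    def __init__(self, device_keys, max_skew=MAX_SKEW):
        self.device_keys = device_keys
        self.max_skew = max_skew
        self.seen = {}  # (device, nonce) -> report timestamp

    def verify(self, message, now=None):
        now = int(time.time() if now is None else now)
        report, mac = message.get("report"), message.get("mac")
        if not isinstance(report, dict) or not isinstance(mac, str):
            return (False, "malformed")
        device, nonce, ts = report.get("device"), report.get("nonce"), report.get("ts")
        if not (isinstance(device, str) and isinstance(nonce, str) and isinstance(ts, int)):
            return (False, "malformed")
        key = self.device_keys.get(device)
        if key is None:
            return (False, "unknown device")
        expected = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
        # Constant-time comparison, so the check does not leak how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), mac.encode("utf-8", "replace")):
            return (False, "bad mac")
        if abs(now - ts) > self.max_skew:
            return (False, "stale")
        # A nonce only has to be remembered while its report could still be accepted.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if (device, nonce) in self.seen:
            return (False, "replay")
        self.seen[(device, nonce)] = ts
        return (True, "ok")


if __name__ == "__main__":
    # Constructed cell identity values, for illustration only.
    sample = sign_checkin("device-17", DEVICE_KEYS["device-17"], 234, 15, 1021, 40713)
    print(CheckinVerifier(DEVICE_KEYS).verify(sample))
```

The tag shows that a report came from a holder of the device key and was not altered or replayed; it says nothing about whether the values the app read are genuine, so it is one signal to weigh alongside the IP match and callback checks discussed in this thread.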
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Rather than that, if you're looking for a phone solution - as part of the customer contract, install an IP phone that registers with your system (use a VPN tunnel to your phone system). Think of it like a "red-phone" hotline. You own the phone, and you physically install it and it only talks to your system via a SIP registration. That way you can confirm the physical source of the call origination, and you can control what the phone will be able to call (make a to speed dial a base-64 address - something that can't be dialed with a conventional phone line, block all other outgoing numbers). A nice side effect of this is that you give your employees/contractors a fixed and predictable way of getting in touch with management if there is a problem (just another speed-dial number).

Keep in mind that without a "Something you are" factor of authentication, people have the escape route of telling their coworker "hey log me in...". Fingerprint, hand scan, or retina reading are the most common ways to verify the presence of a live person at a fixed point.

It's unfortunate that you have this problem, I've seen it before though. To paraphrase Jeff Goldblum's Dr. Malcolm in Jurassic Park: "Life finds a way...". I have been shocked and amazed at the ingenuity of people to be lazy and cheat or game a system.

What you are running into is the same problem we have with websites - if you don't 100% control the end to end communication and the devices, you can't trust any data coming into your system!!!

A common way for security patrol auditing is to install iButtons with a unique 64-bit number and a secure transaction function. A patrol or janitor would have to physically touch the reader to the iButton at specified way-points for a read to occur and be logged, and the patrol or janitor turns in the reader after every shift for download and auditing.

-Tim

On Wed, May 10, 2017 at 8:11 AM, Steve Edwards wrote:
> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
>
> How can I detect a fake CallerID? The INVITE looks the same to me.
>
> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?
>
> --
> Thanks in advance,
> -
> Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
> https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
On 2017-05-10 04:15 PM, Sebastian Nielsen wrote:
> The thing is then to be able to record which IP is the client, but if
> your services are ordered by the client via some web form, you could
> have that IP be recorded as "client IP" and the employee must check
> in/check out from that IP.

IPs change. Also, the client may not have ordered the service from the office. They may have bought the service for multiple locations from head office. Too many variables.

You may have to think about hardware. Some sort of RF device installed at the client with a unique ID. The employee waves his keychain at the device, it connects to your office and sends the employee's ID and its own. A card reader is another possibility or bar code reader. Of course that's not a phone solution so I guess it is off topic here.

--
D'Arcy J.M. Cain
Vybe Networks Inc.
http://www.VybeNetworks.com/
IM:da...@vex.net VoIP: sip:da...@vybenetworks.com
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Since the callback happens immediately after hanging up, the risk of answering a call that isn't theirs is minimal. For those sites that divert their incoming calls to a PBX or answering machine, you could have some config/database that excepts these sites from callback verification. (which means these sites run into risk of fake callerID).

Another variant could be that they must visit a specific website using a Wifi or computer at the client. You record the IP. Spoofing the IP in a TCP three-way handshake is almost impossible. The thing is then to be able to record which IP is the client, but if your services are ordered by the client via some web form, you could have that IP be recorded as "client IP" and the employee must check in/check out from that IP.

This could be used in unison with the phone verification, so the employee can select which fits best for the environment. (eg, they choose phone verification or web verification)
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
It's probably not practical to have them answering the client's telephone! At a lot of sites, incoming calls would be handled by auto attendant, diverted to answering service, etc.

--Don
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
Use a callback. So when clocking in/out, they will hear a random 4 digit PIN, like "Enter four, three, six, eight at the callback". After they hang up, the phone will ring, and then they will have to confirm with the 4 digit PIN.

If they aren't in presence: the phone at the site will ring, and the person at site (that isn't your employee) cannot carelessly just OK it because they haven't heard the PIN.

If they are in presence: the phone at the site will ring, and the employee will be able to enter the PIN they just heard.

If they fake the callerID or not at the initial call, it does not matter, since you have verified with a callback.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: 10 May 2017 19:13
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones. What about an app that
> gets the ID of the cell tower to which it is connected, and passes it
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
On Wed, 10 May 2017, J Montoya or A J Stiles wrote:

> Presumably your staff carry mobile phones. What about an app that
> gets the ID of the cell tower to which it is connected, and passes it
> and the SIM number in a HTTP request to a server you control?

The problem is that they are supposed to use the 'site landline' to confirm presence -- not their cell phone with the spoofed CID.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
You have an unusual situation--you suspect caller ID spoofing by a known person.

Under the Truth in Caller ID Act, FCC rules prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. Anyone who is illegally spoofing can face penalties of up to $10,000 for each violation.

Making it clear to your employees that spoofing will result in termination might be enough. Requiring employees to have a phone that you can locate would allow you to check from time to time.

--Don

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Edwards
Sent: Wednesday, May 10, 2017 10:12 AM
To: Asterisk Users Mailing List
Subject: [asterisk-users] How to detect fake CallerID? (8xx?)

I have a 'time and attendance' application. Think janitorial or security kind of thing where an employee goes from location to location.

They're supposed to 'clock in' when they get to a site using a phone at that site to prove they're there.

Some employees have discovered 'fake caller ID' services can be used to say they're on site when they are not.

How can I detect a fake CallerID? The INVITE looks the same to me.

If I have the employees call an 8xx number, can I ask my SIP provider to include more headers to show the real ANI? What would that service be called?

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
On Wednesday 10 May 2017, Steve Edwards wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.

There are legitimate reasons for faking an ident. For instance, if you are using multiple services in parallel to connect to the Outside World. While we had such a setup, we arranged with our SIP provider to attach numbers associated with our ISDN-30 line to calls we were making. And if you are providing something like a "transparent call recording" service, you need to lay the ident of the incoming call leg onto the outgoing call.

Unfortunately, as you've discovered, the service can be abused.

> How can I detect a fake CallerID? The INVITE looks the same to me.

You can't. Only the first telephone company through which the call passes can tell for sure where a call is coming from. The next company through whose equipment it is passing can alter it, and nobody downstream be any the wiser.

Remember, even although it's now packet-switched and multiple-redundantly-routed underneath, the whole telephone network is still basically emulating an old-fashioned, circuit-switched network; where calls get connected from the originator's local exchange onto a trunk to pass on to another exchange, and all the next exchange downstream knows for sure is which approximate direction it came in from and where it's going to. Information that would once have been implied by which pair of wires the signal was travelling down, is now sent separately, and subject to modification en passant.

> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?

Not really. You need to backtrack a little and rethink. Caller ID is just not something that you can rely on anymore.

Presumably your staff carry mobile phones. What about an app that gets the ID of the cell tower to which it is connected, and passes it and the SIM number in a HTTP request to a server you control?

You'll obviously need to do some sort of authentication dance, otherwise anyone could just manually craft a URL representing any location. (But since it's your app, you can effectively embed a different key into every copy; so in the worst case, anyone trying anything naughty is only able to spoof one handset. An .apk file is basically a .zip archive; so you should be able to unzip it into a folder structure, use your favourite scripting language to regenerate the keyfile and zip it back up. This might even scale.)

--
JM or AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
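Added example, not part of the message above and not code from any poster: one way a server could check the per-handset key the message describes, so that a hand-crafted request fails and a key taken from one copy of the app only works for that handset. The device IDs, keys, field names and freshness window are all constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data (assumption): one secret per installed copy of the app.
DEVICE_KEYS = {"handset-01": b"constructed-key-01", "handset-02": b"constructed-key-02"}
MAX_SKEW_SECONDS = 60  # assumed freshness window


def sign_checkin(device_id, cell_id, sim_number, timestamp, key):
    """App side: MAC over every field, length-prefixed so fields cannot run together."""
    fields = [device_id, cell_id, sim_number, str(timestamp)]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CheckinServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        # Accepted (device_id, timestamp) pairs; entries older than the
        # freshness window could be pruned, which this sketch does not do.
        self.seen = set()

    def verify(self, device_id, cell_id, sim_number, timestamp, mac):
        """Return "ok" or the reason the check-in was rejected."""
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return "unknown device"
        expected = sign_checkin(device_id, cell_id, sim_number, timestamp, key)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "bad mac"   # altered field, or signed with another handset's key
        if abs(self.clock() - timestamp) > MAX_SKEW_SECONDS:
            return "stale"     # old capture presented later
        if (device_id, timestamp) in self.seen:
            return "replay"    # same signed request sent twice
        self.seen.add((device_id, timestamp))
        return "ok"
```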
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
On Wed, May 10, 2017 at 10:11 AM, Steve Edwards wrote:

> I have a 'time and attendance' application. Think janitorial or security
> kind of thing where an employee goes from location to location.
>
> They're supposed to 'clock in' when they get to a site using a phone at
> that site to prove they're there.
>
> Some employees have discovered 'fake caller ID' services can be used to
> say they're on site when they are not.
>
> How can I detect a fake CallerID? The INVITE looks the same to me.
>
> If I have the employees call an 8xx number, can I ask my SIP provider to
> include more headers to show the real ANI? What would that service be
> called?
>
> --
> Thanks in advance,
> Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
> https://www.linkedin.com/in/steve-edwards-4244281

For dangerous material sites a call back was used. They call in and get a code, the system calls back and asks for the code. Convoluted yes, the call back was all that was really needed to thwart the fraud.

A simple RFID pad setup could be built to use low usage GSM plan to tag in the RFID on site. But this is beyond the scope of telephony.

--
Andrew "lathama" Latham
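Added example, not part of the thread and not code from any poster: the call-in / call-back PIN check described in the message above and in the earlier "Use a callback" reply, reduced to the server-side bookkeeping (PIN issue, expiry, single use, attempt limit). Placing the call and collecting DTMF are left to the PBX; the site number, time limit and attempt limit are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed sample data (assumption): landlines registered for client sites.
KNOWN_SITES = {"+15555550123": "Site A"}
PIN_TTL_SECONDS = 120   # assumed policy: PIN valid for two minutes
MAX_ATTEMPTS = 3        # assumed policy: wrong entries allowed per PIN


class CallbackVerifier:
    """Holds at most one pending callback challenge per site landline."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # number -> [pin, expires_at, attempts_left]

    def start(self, presented_caller_id):
        """Inbound leg: return (pin, number_to_call_back), or None for an unknown site.

        The presented caller ID proves nothing by itself. It only selects which
        registered landline the system will ring back.
        """
        if presented_caller_id not in KNOWN_SITES:
            return None
        pin = f"{secrets.randbelow(10_000):04d}"  # CSPRNG-backed 4-digit PIN
        expires = self.clock() + PIN_TTL_SECONDS
        self.pending[presented_caller_id] = [pin, expires, MAX_ATTEMPTS]
        return pin, presented_caller_id

    def confirm(self, called_number, digits):
        """Callback leg: True only if the PIN issued for this number was entered in time."""
        entry = self.pending.get(called_number)
        if entry is None:
            return False
        pin, expires, _ = entry
        if self.clock() > expires:
            del self.pending[called_number]
            return False
        if hmac.compare_digest(digits.encode(), pin.encode()):
            del self.pending[called_number]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[called_number]  # too many misses: require a new call-in
        return False
```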
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
It's approximately impossible with current infrastructure.

https://transition.fcc.gov/cgb/Robocall-Strike-Force-Final-Report.pdf

Adam Goldberg
AGP, LLC
+1-202-507-9900

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Doug Lytle
Sent: Wednesday, May 10, 2017 11:24 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] How to detect fake CallerID? (8xx?)

>>> I ask my SIP provider to include more headers to show the real ANI?
>>> What would that service be called?

If it's anything like a PRI provider, I've been told the only way to get true CID, in those instances, would be to provide a 1-800 number (US) for them to call. Then you'd get correct CID, since you're paying for both legs of the call.

I do not know if this holds true for a SIP provider,

Doug
Re: [asterisk-users] How to detect fake CallerID? (8xx?)
>>> I ask my SIP provider to include more headers to show the real ANI?
>>> What would that service be called?

If it's anything like a PRI provider, I've been told the only way to get true CID, in those instances, would be to provide a 1-800 number (US) for them to call. Then you'd get correct CID, since you're paying for both legs of the call.

I do not know if this holds true for a SIP provider,

Doug
[asterisk-users] How to detect fake CallerID? (8xx?)
I have a 'time and attendance' application. Think janitorial or security kind of thing where an employee goes from location to location.

They're supposed to 'clock in' when they get to a site using a phone at that site to prove they're there.

Some employees have discovered 'fake caller ID' services can be used to say they're on site when they are not.

How can I detect a fake CallerID? The INVITE looks the same to me.

If I have the employees call an 8xx number, can I ask my SIP provider to include more headers to show the real ANI? What would that service be called?

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281