Skip to content ↓ | Skip to navigation ↓

 

With technology, we are constantly looking to improve security. We moved from HTTP to HTTPS to help secure online transactions and mitigate man-in-the-middle attacks. With DNS, we have started to implement DNSSEC. Why are we not looking backward at the cornerstone of modern communication, the device that still ties everyone together? The telephone.

There have been minor updates to user experience but there are definitely security enhancements that need to be made. Today, we have auto-dialers claiming to be companies we know and trust, like a Canadian airline WestJet. These scammers mask their true number with spoofed caller ID, which makes them impossible to block. We can improve the end user telephone experience by looking at the basics of computer security and implementing a Triple-A approach to telephone security: authentication, authorization, and accounting.

Automated Messages Bypassing Triple-A

Any auto-dial system claiming to be WestJet is successful because there is currently no way to verify whether the message is actually from WestJet. The ease of Caller ID spoofing means that Caller ID is not a valid means to authenticate a caller.

The best way to attempt to verify that the auto-dial system has been authorized by the company is to call them or visit their website. For example, WestJet has been a victim of an ongoing scam, which caused them to receive a lot of complaints and they posted information on their blog about the scam. While this confirms that it isn’t the vendor, there is currently no way to verify if a company (or political party) has authorized an auto-dialer.

It is quite difficult to log how many times an auto-dialer has called a certain number. With the spoofing of numbers, we will not be able to tell if it is the same auto-dialer or another. As long as numbers can be spoofed, an auto-dialer could have its message changed and be used for another scam.

Authentication on Phones

There is a way to add authentication to determine whether a caller is actually a human. We can do this if you have an OBi110 and a RasPBX. Depending on the settings that are enabled, an auto-dialer won’t be able to input the requirements.

The system works by having the home phone plugged into the OBi110 as an intermediate device. When a call is received and if the number is unknown the user is then asked to enter their number. The number the user has entered is then set as the Caller ID. You can also set up an after-hours system between two times that you have specified. This allows you to authenticate whether the caller is a person, since most automated systems won’t enter a valid number to continue the call.

This system doesn’t authenticate the validity of the phone number that the user has specified but whether or not the user is a machine. This system still relies on the user on the other end being honest about their phone number. It would be best if we could determine the actual phone number of the caller and if the caller is an auto-dialer automatically without having to place the OBi110 as an intermediate device.

If you want to improve your home phone system you can look at http://www.liquidstate.net/blocking-silent-and-nuisance-calls-with-an-obi110-raspbx-asterisk-pbx/.

Authorization on Phones

There are a couple options on a cell phone to protect you against unauthorized phone calls. Restricting calls can allow you some peace of mind if the call is originating from the same number, which would make everyone else authorized to call your phone, excluding that one number. There are also blocking modes that allow you to create a list of authorized numbers.

This really only works if the number you are being harassed by is calling from the same number every time they call. Unauthorized calls can be mitigated by removing the ability to spoof the Caller ID and make it always show the correct number. Then, we would have the ability to block or restrict the callers we don’t want.

Accounting on Phones

A modern phone usually contains logs of all the calls that are received. All unknown calls are either recorded as unknown number or private number, and we cannot determine the amount of times a single caller has called with an unknown number. Again, this would improve if we would actually get the true number of the caller and not have the ability to have private numbers or to be able to spoof the Caller ID.

Conclusion

The best improvement is to force everyone to share the number they are calling from and remove the ability to spoof the originating number. This allows us to figure out if the caller is authorized to call our phone or not. The mechanisms that allow for Caller ID spoofing are an entire topic that is better left for another blog post.

 

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Title image courtesy of ShutterStock