Someone I know has an account with one of these firms that offer cheap international calls by prepending a prefix to the number you dial. Frustrated that he couldn't register his work number with them to use it, he tried changing the caller ID his work phone issued to make it appear as if it came from his mobile, and lo, it worked - he could make international calls on his account. (His workplace is something telecoms-related, and is set up to be able to change outgoing caller ID for legitimate work reasons.)
Which, of course, means that he could just as easily make international calls billed to anyone else's account, if he knows which phone numbers they have registered.
So, all that remains is to set up a premium rate phone service abroad, and let the scamming begin.
Please note, this scheme may not be legal. :-) But it's certainly do-able, which is worrying. Authenticating on caller ID - bad plan.
I wrote IVR code to do precisely this.. authenticate and login to an account using caller-id (they call it ANI, authorized number identification).
It was even easier in my case.. Large companies basically give you a list of numbers and say "look, if any calls come from these numbers, let them through without authentication" (I asked everyone several variants of 'are you REALLY sure you want to do this'? but they still wanted it).. Find out the director's office number, change your caller-ID to respond with that particular number on request and you're able to do VOIP calls to anywhere on the planet. And it would certainly take a while before you get detected.
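The caller-ID-only admission check described in the post and the comment above, next to a hardened form, as an added example that is not code from the post or from the commenter's IVR. Caller ID is treated as a claim that only selects an account, and a PIN does the authenticating; the class names, PIN scheme, lockout threshold and phone numbers are constructed assumptions.

```python
import hashlib
import hmac
import os

MAX_PIN_FAILURES = 3  # assumed lockout threshold, not from the post


def pin_hash(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    def __init__(self, number: str, pin: str):
        self.number = number
        self.salt = os.urandom(16)
        self.pin_digest = pin_hash(pin, self.salt)
        self.failures = 0


class Ivr:
    def __init__(self, accounts):
        self.by_number = {a.number: a for a in accounts}

    def admit_ani_only(self, caller_id: str) -> bool:
        # Weak form: the presented number is the only credential, and the
        # presented number is whatever the originating system chose to send.
        return caller_id in self.by_number

    def admit_with_pin(self, caller_id: str, pin: str) -> str:
        # Hardened form: caller ID only looks up the account.
        acct = self.by_number.get(caller_id)
        if acct is None:
            return "deny"
        if acct.failures >= MAX_PIN_FAILURES:
            return "locked"  # stop PIN guessing against a known number
        if hmac.compare_digest(pin_hash(pin, acct.salt), acct.pin_digest):
            acct.failures = 0
            return "allow"
        acct.failures += 1
        return "deny"


def build_demo() -> Ivr:
    # Constructed sample accounts using fictional 555-01xx numbers.
    return Ivr([Account("+15550100", "4821"), Account("+15550101", "9930")])
```

Because a presented caller ID can also drive the failure counter, the lockout needs a recovery path that does not depend on the calling number.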