Security Basics mailing list archives

Re: Steps to avoid Social Engineering


From: John Pettitt <jpp () cloudview com>
Date: Tue, 19 Apr 2005 16:54:45 -0700

Any number can be spoofed - the camophone system will happily let you be
the White House switchboard or my cell phone; it doesn't care.   Caller ID
is simply not validated beyond the originating switch (which in this
case is lying).   ANI on 800/900 numbers is a different matter - as far
as I know it's not easy to spoof, but I've not tried with VoIP, so who knows.

The bigger question - how do I know who I am talking to? - is one of the
basic security problems that all crypto systems and all security policies
must address.   You basically have three choices:  shared secret
(password), asymmetric secrets (public key / signature), or a trusted third
party (if you call them back on their main number you are using the
phone company as a trusted third party; accept a driver's licence as ID
and the state becomes your third party).   Everything comes down to a
variation of one of those three.

John

P. Rodriguez wrote:

I see. That is very interesting. How about mobile numbers, can those be
spoofed as well? E.g. mobile to landline or mobile to mobile calls?


From: John Pettitt [mailto:jpp () cloudview com]

Caller ID is not safe; it's way too easy to spoof - see
http://www.camophone.com/

From: Sanders, Jonathan [mailto:Jonathan.Sanders () healthsouth com]

Caller ID can be spoofed very easily using VoIP. All someone would have to
do is set up an Asterisk gateway (http://www.asterisk.org/) at their office
or house even and spoof the Caller ID.



 


