Vulnerability Development mailing list archives

Re: Verizon Call Intercept


From: "Kenneth Williams" <ken () kwilliams org>
Date: Tue, 28 May 2002 16:59:58 -0700

I have the equivalent service from one of the SBC companies. They call it
privacy manager.
A couple of comments inline. I apologize for the large reply quote count.
Ken Williams

----- Original Message -----
From: "Mike Smith" <msmith () netlocksmith com>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, May 28, 2002 4:22 PM
Subject: RE: Verizon Call Intercept


The Call Intercept service from Verizon (and
possibly others) is supposed to screen callers
that withhold their caller ID or don't have one
because they're out of area, etc. A recorded
voice invites them to leave their name, then puts
them on hold while it contacts the number with call
intercept. They either accept the call or they don't.

I tried this service and found it to have a lot of practical problems.

1) It just asks for a name, records whatever they say, then rings through
to replay the recording to you.  That means (a) there's no guarantee you'll
get the person's actual identity; (b) you're still disturbed by the phone
ringing; and (c) you still have to pick up to find out who it is!  Kinda
defeats the whole purpose of the service.

While this is true, one of the greatest benefits I find is that I no longer
get those annoying calls from computerized dialers, because the dialer does
not understand how to break through to ring my phone.
In addition, once you pick up the phone you have choices:
    1. accept the call based on the ID
    2. send it to voicemail
    3. reject it outright with a "we don't take telemarketing calls"
       announcement


2) Some people mistake the name prompt for an answering machine, so they
leave a message, then hang up.  Since they've hung up, the call never rings
through, and their message isn't saved anywhere.  The caller thinks you got
their message, but you're unaware they ever called!  I lost out on a job
interview once because of this.

If they listen to the messages, it tells them what is happening.


Getting back to the security side of things, the service description says
it allows the use of a 4-digit PIN to break through.  Do we know whether it
really enforces the 4-digit length?  Maybe people are choosing null or
single-digit PINs.  Or perhaps if you choose "0000" as your PIN, mashing the
"0" key long enough might be interpreted as 4 0's instead of one long one.

The PIN on my service is at least 10 digits; in fact, they recommend assigning
the PIN as the caller's real phone number so it is easy to recognize.


If I still had the service, I'd experiment with blue-boxing it or
something, but I've already cancelled it for the practical reasons mentioned
above.

Fooling the service probably could be done, but in the end, if I answered and
discovered I was fooled, I would merely accomplish the same thing by hanging
up.


Mike Smith
<www.netlocksmith.com>



