Schneier on Security
A blog covering security and security technology.
October 18, 2010
Fingerprinting Telephone Calls
This is clever:
The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network -- cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.
This system can be used to differentiate telephone calls from your bank from telephone calls from someone in Nigeria pretending to be from your bank.
The PinDr0p analysis can't produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.
Naturally a visher can change routings easily, but even so PinDr0p can potentially reveal details that will reveal a given call as being false. A call which has passed through a Russian cell network and P2P VoIP is unlikely to really be from your high-street bank in the UK, for instance.
Unless your bank is outsourcing its customer support to Russia, of course.
The GIT researchers hope to develop a database of different signatures which would let their system provide a geolocation as well as routing information in time.
Statement from the researchers.
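The quoted article describes the idea only in outline: sub-audible gaps left by packet loss and other path-specific noise artifacts are turned into a signature, a baseline is built from a few calls over a known route, and later calls are checked against it. The following is an added illustration of that workflow and is not PinDr0p's code or the Georgia Tech researchers' method. The "calls" are constructed synthetic audio (a 440 Hz tone over a path that adds Gaussian line noise and drops whole 20 ms packets), and the three features, the per-feature spread floors and the 3-sigma acceptance rule are assumptions chosen for that synthetic signal:

```python
"""Added illustration (not PinDr0p's code): fingerprint a call's network path from
audio artifacts such as packet-loss gaps and line noise, then match later calls
against a baseline built from a few earlier calls over the same route."""
import math
import random
from statistics import mean, pstdev

SAMPLE_RATE = 8000                       # narrowband telephony, samples per second
FRAME_MS = 20                            # one VoIP packet's worth of audio
FRAME = SAMPLE_RATE * FRAME_MS // 1000   # 160 samples per packet
SILENCE = 1e-3                           # |sample| below this counts as silent

# Per-feature floor on the baseline's spread, so that three nearly identical
# baseline calls do not make the matcher reject ordinary call-to-call jitter.
# These floors and the z-score limit are assumptions for the synthetic signal.
STD_FLOOR = {"gap_rate": 0.8, "mean_gap_ms": 2.0, "hf_ratio": 0.01}
Z_LIMIT = 3.0


def synth_call(seconds, loss_rate, noise_sigma, seed):
    """Constructed stand-in for a recorded call: a 440 Hz tone sent over a path
    that adds Gaussian line noise and loses whole 20 ms packets (filled with
    silence, as a decoder without loss concealment would)."""
    rng = random.Random(seed)
    samples = []
    for frame in range(seconds * 1000 // FRAME_MS):
        dropped = rng.random() < loss_rate
        for i in range(FRAME):
            if dropped:
                samples.append(0.0)
                continue
            t = (frame * FRAME + i) / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0.0, noise_sigma))
    return samples


def extract_features(samples):
    """Three crude path features: how many sub-audible silent gaps occur per
    second, their mean length, and the high-frequency energy ratio (a proxy
    for the line-noise floor)."""
    gaps, run = [], 0
    for x in samples:
        if abs(x) < SILENCE:
            run += 1
        elif run:
            gaps.append(run)
            run = 0
    if run:
        gaps.append(run)
    # A lost packet shows up as a silent run of one to a few frames; single
    # near-zero samples at tone zero-crossings and long pauses are ignored.
    short = [g for g in gaps if FRAME // 2 <= g <= 5 * FRAME]
    seconds = len(samples) / SAMPLE_RATE
    diff_ms = sum((b - a) ** 2 for a, b in zip(samples, samples[1:])) / len(samples)
    sig_ms = sum(x * x for x in samples) / len(samples)
    return {
        "gap_rate": len(short) / seconds,
        "mean_gap_ms": (mean(short) * 1000 / SAMPLE_RATE) if short else 0.0,
        "hf_ratio": math.sqrt(diff_ms / sig_ms) if sig_ms else 0.0,
    }


def build_baseline(calls):
    """Per-feature mean and spread across several calls known to have come
    over the same route (the 'few calls' the article says are needed)."""
    feats = [extract_features(c) for c in calls]
    return {k: (mean([f[k] for f in feats]), pstdev([f[k] for f in feats])) for k in feats[0]}


def route_distance(baseline, features):
    """Largest per-feature z-score of a call against the baseline."""
    return max(abs(features[k] - mu) / max(sd, STD_FLOOR[k]) for k, (mu, sd) in baseline.items())


def same_route(baseline, samples):
    """True when every feature of the new call sits within Z_LIMIT of the baseline."""
    return route_distance(baseline, extract_features(samples)) <= Z_LIMIT


# Constructed routes: the "bank" (modest loss, quiet line), a noisy multi-hop
# path with heavy loss, and a clean circuit-switched line with no packet loss.
BANK = dict(loss_rate=0.08, noise_sigma=0.02)
NOISY_HOPS = dict(loss_rate=0.25, noise_sigma=0.10)
CLEAN_LINE = dict(loss_rate=0.0, noise_sigma=0.005)


def demo():
    """Build the bank baseline from three calls, then classify three new calls."""
    baseline = build_baseline([synth_call(10, seed=s, **BANK) for s in (1, 2, 3)])
    return {
        "bank_again": same_route(baseline, synth_call(10, seed=10, **BANK)),
        "noisy_hops": same_route(baseline, synth_call(10, seed=20, **NOISY_HOPS)),
        "clean_line": same_route(baseline, synth_call(10, seed=30, **CLEAN_LINE)),
    }


if __name__ == "__main__":
    for route, verdict in demo().items():
        print(f"{route}: {'matches bank baseline' if verdict else 'different route'}")
```

The design point worth noticing is the spread floor: a baseline built from only three calls can have an accidentally tiny variance, and without a floor the matcher would reject a genuine call whose packet-loss count differs by a handful. The same mechanism is what lets a route change (a much noisier line, or a clean line with no loss at all) stand out as a different route rather than as normal jitter.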
Posted on October 18, 2010 at 6:23 AM
It would help if banks *cough* HSBC ... didn't call you out of the blue and start by saying "This is Jamal from HSBC, can I confirm your address and postcode?"
After reading the book from Albert-László Barabási, "Bursts: The Hidden Pattern Behind Everything We Do", this is just another tool to prove the possibilities mentioned in that book.
Therein lies the problem: it can tell me a call seems to be coming over a VoIP link, but is it my bank's own internal VoIP network feeding into my telco's legacy TDM backbone, some visher using Skype from Nigeria - or my telco's own new VoIP backbone?
I still recall receiving a letter purporting to be from my credit card company seeking to verify a transaction and asking me to call some phone number with my card details to hand; since the print quality was appalling (well below that of the statements from the same company) on very flimsy paper, I dismissed it as an attempt at snail mail phishing. Of course, it turned out to be genuine; no doubt actual mail phishing would have paid the extra 0.1p to use proper 80gsm copier paper...
A few years ago, after a spate of bogus tradesmen posing as utility company engineers, at least one UK company instigated a system of passwords: any genuine gas company repairman would then have quoted the password you gave his employer. Local Council ID cards have a phone number on the back you can call to verify ... worthless, of course, because whose phone number is it? At least they make an effort, though.
Marketing hyperbole. It would appear the post from 'zoli' might be from the marketers.
Noise creation devices to be marketed soon.
I doubt scammers would call direct from Nigeria or Russia anyway. More likely they'd call through Skype (or similar), which would probably start a call from a PBX somewhere in the destination's home country.
"visher"? Really? Have people already forgotten the origin of the 'ph' in "phisher"?
tim: what country are you in?
> "visher"? Really?
"voice phishing," according to the first paragraph of the story.
And according to Wikipedia: http://en.wikipedia.org/wiki/Vishing
What are we supposed to call "virtual phishing"?
I wonder if it wouldn't be a great way to defraud the folks at the fort/NCTC if you were a contractor seeking to keep an observation going, monkeying around with the verint software thing.
@ James Sutherland
There is no way to know whether it's really your bank the first time you use it, but once you set up a baseline you will notice when something changes. Assuming that not *all* calls you get are from scammers, this should work pretty well.
So individual security-conscious customers are supposed to purchase this service (or a box that supplies it) from a third party or from their last-mile provider, to make up for the insecure design and implementation of phone company ID signaling systems. And instead they're supposed to trust the implementor/provider of this service.
What a lovely risk-shifting model.
Which is to say, it's a nice result, but mostly useful in a world where denying readily available information to the end user is part of the business model.
Wouldn't this assume that phone calls issuing from the same company/building *always* take the *exact* same route between points a (them) and b (me) and pick up the same noise pattern?
What happens when a call gets rerouted due to network traffic and goes through an additional switch or 10?
What about the route it takes internal to the company/pbx before it even gets to the outside world?
What happens when the person in the call center gets stuck with a sketchy headset?
What happens if your bank uses more than 1 call center location?
Interesting, yes, but far from convincing (yet).
You could just tell the caller the line is bad and you will call him back, then get the number he gives you and try the bank's phone number with the extension he gives.
Usually if someone says he's from the FBI or whatever, it's due diligence to call the listed number for that agency and ask for that member's name. And if he is FBI, ask him what it's about; he'll blow you off or lie to you, then tell him you need 500 an hour to talk to him in your lawyer's office. Cash in advance, 45-minute hours of course.
If you provide people with a tool that makes identifying calls possible in this manner, they will use it to make their calls sound more real.
Interestingly, why would a consumer use this tool? Of course, to make the consumer responsible for letting the fraud happen. Now, why don't banks (or other financial institutions) make use of this tool to identify customers? They don't want to because it makes them responsible (they collect one way or another, on all transactions). The whole thing is one sided, against the consumer.
It could be argued that if your bank is outsourcing its customer service to Russia you have greater problems than simply authenticating their drone-on-the-phone.
They probably sold this crap to the FBI first, and now realize there's little market in intelligence agencies, so they'll try to sell it to corporations and consumers.
The tech sounds on a par with "voice stress lie detection", i.e., a con game.
As for the FBI, well, this is why spies use throwaway burner cell phones. No doubt vishers do, too.
@vnonymous: Really? You used Wikipedia as a source? Do you also subscribe to PC Mag?
On the consistency of call centers...
My health insurance company apparently operates three different call centers that handle prescription coverage claims. You will reach one of them randomly.
Apparently, only one of them has an outgoing "forms for your doctor" fax system. The others can not check if a fax has been sent or not.
Two of them appear to vigorously enforce rules about discussing your spouse's information about you. One of them does not appear to care.
Now, some variability may depend on the person, of course, but it seems very consistent. It is unnerving when you call the "same department" and they follow a script and the script seems somewhat different.
“This is the first step in the direction of creating a truly trustworthy caller ID,” Traynor said.
You know, we *used* to have trustworthy caller ID, and not based on audio artifacts of the call's network path. The telcos' SS7 signalling networks used to be open only to the cozy club of other telcos, who were generally not going to be sending bogus info. End users who wanted to send callerid, such as from a company PBX, had it filtered, i.e. they were restricted to sending numbers in their assigned range.
This was broken by two things: (1) cellular roaming, which means that any mobile carrier might legitimately be sending any callerid number from any location, and (2) the greatly lowered costs and political/regulatory changes that allowed smaller CLECs to interconnect with the SS7 network, and pass in pretty much what they please from *their* end users.
It's instructive that IP spoofing is not a significant problem on the Internet, largely because the origin IP address is also generally what you need to respond. Bogus IP = no return packets = failure. There are certainly holes (mostly with UDP VOIP streams, heh), but you can't just telnet to somewhere with your bank's IP address as the originating one and get anywhere useful.
Reliable callerid *could* be resurrected, but as with so many similar situations, the players who'd have to make it work have no incentive to do so.
I would never trust a phone call from my bank; if someone called me pretending to be from my bank, I would hang up and call the bank's main number.
I agree completely, but it's not just HSBC; there are a few of them that still use outgoing call centres that can't take incoming calls, so you can't verify the tel number and call them back... it's a shockingly bad practice.
Just add a medley of chirps and clicks to your important phone calls. You can record one by just using squeaky machinery. Very easy to plug in a SIM card or a cheap plastic phone handset to get that cheap sound.
Makes me think of other analog noise analysis like the heads reading payment cards. Why not analyze their noise for fingerprints to detect a valid card versus a copy?
The concept of accepting any call where you cannot verify the caller amuses me. When my bank calls me I always demand that they prove their identity to me - tell me something that only my bank would know. If they can't or refuse to do so unless I have verified my ID to them, they get the call terminated. After a month of increasingly annoying calls they stopped calling me. Now they email me and ask me to call them, which I do using the number written on my card.
Adrian: what's the sort of thing you would accept as identification from your bank - something only they would know?
Particularly, something they would be likely to give to someone they haven't authenticated.
I tried to think of something but drew a blank.