[VOIPSEC] VoIP and Fraud
John Todd
jtodd at loligo.com
Mon Feb 14 20:35:07 CST 2005
Mark -

You've brought up an interesting topic that has been bounced around
several other discussion lists, so I'll put this question up to the
VOIPSEC crowd for debate: Should it be the case that there is a "BCP"
concerning CLID on ITSP networks? (forgive me if this is already in
an IETF draft somewhere; my mind is at maximum capacity for VoIP RFC
drafts at the moment.)

There is a sub-set of IP network administrators who are very
concerned with edge filtering of IP addresses - this seems like
almost exactly the same issue, but on a different layer. Allowing
only those caller IDs into one's network which one is terminating
_out_ to the same trunk group (virtual or real) seems like a
reasonable security measure for VoIP service providers. Is this
unrealistic for enterprise customers? Is there a reason they would
want to have the ability to use arbitrary CLID? I think it may be
difficult for "transit" networks, a.k.a. carriers, since they may
have a rapidly fluctuating list of customers who may be using the
carriage network for outbound capacity. However, there is almost
always an "edge", where the carrier world touches the enterprise or
home user. At this point it seems reasonable for ITSPs to filter
CLID and deny anything other than the assigned CLID(s) for that
customer.

JT

At 8:27 PM -0500 on 2/14/05, Mark Fletcher wrote:
>Mahesh,
>
>There are many potential areas, but one that concerns me is the ability for
>a user to easily spoof their Caller ID. Typically this has only been
>available to administrators of a PBX with PRI circuits. Many call this
>'security via obscurity'. By spoofing CLID, a caller could raise havoc with
>Emergency Services and the national E9-1-1 system, or use a spoofed CLID to
>socially engineer people into giving up personal information.
>
>Mark J. Fletcher
>Sr. Systems Engineer
>
>Office: 973-285-5745 (ESN 287-5745)
>Mobile: 973-919-6144
>SIP/Email: fletch at nortel.com
>Visit Nortel on the web at http://nortel.com
>
>PLEASE NOTE NEW EMAIL ADDRESS: Fletch at Nortel.com
>[snipped legal nonsense]
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
>On Behalf Of Mahesh Thakkar
>Sent: Sunday, February 13, 2005 3:33 AM
>To: Voipsec at voipsa.org
>Subject: [VOIPSEC] VoIP and Fraud
>
>
>Dear All,
>
>I am new to VoIP, but not to communication. I have been in telecom for the last 7
>years (GSM) and looking after Revenue Assurance and Fraud. I would like to
>know what are the vulnerabilities of VoIP and loopholes for fraud in
>practical day to day business and how one can protect or be prepared to act
>against VoIP fraud.
>
>Responses are highly appreciated
>
>--
>Mahesh Thakkar
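
The edge filter proposed in the message above, as an added example (not code from the original post or from any ITSP): an inbound SIP request is accepted only when every caller identity it claims, in From or P-Asserted-Identity, is a number assigned to the trunk it arrived on. The trunk names, numbers, domains and the ASSIGNED table are constructed, and the sketch assumes the trunk is already known from how the request arrived and that headers are not folded across lines.

```python
import re

# Constructed sample data: the numbers assigned to each customer trunk group,
# i.e. the numbers the ITSP terminates *out* to that trunk (names hypothetical).
ASSIGNED = {
    "trunk-acme": {"12025550100", "12025550101"},
    "trunk-home42": {"12025550177"},
}
# Headers that carry a caller identity; "f" is the compact form of From.
IDENTITY_HEADERS = ("from", "f", "p-asserted-identity")
URI_RE = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.I)

def caller_ids(sip_message):
    """Return the digits-only numbers claimed in a request's identity headers."""
    found = []
    head = sip_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in IDENTITY_HEADERS:
            m = URI_RE.search(value)
            found.append(re.sub(r"\D", "", m.group(1) if m else ""))
    return found

def admit(trunk, sip_message):
    """Accept only if every claimed identity is assigned to the arriving trunk."""
    allowed = ASSIGNED.get(trunk, set())
    ids = caller_ids(sip_message)
    if not ids:
        return False, "no caller identity present"
    bad = [i for i in ids if i not in allowed]
    if bad:
        return False, "CLID not assigned to %s: %s" % (trunk, ", ".join(bad))
    return True, "ok"

def invite(from_uri, pai=None):
    """Build a minimal constructed INVITE for the demonstration."""
    lines = ["INVITE sip:12125550199@itsp.example SIP/2.0",
             "From: <%s>;tag=a1" % from_uri,
             "To: <sip:12125550199@itsp.example>"]
    if pai:
        lines.append("P-Asserted-Identity: <%s>" % pai)
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(admit("trunk-acme", invite("sip:+12025550100@acme.example")))
    print(admit("trunk-acme", invite("sip:+12025550177@acme.example")))
    print(admit("trunk-acme", invite("sip:+12025550100@acme.example",
                                     pai="tel:+1-202-555-0177")))
```

An identity with no digits in its user part (for example an anonymous URI) normalizes to an empty string and is refused, so a deployment that must carry withheld numbers would need an explicit rule for that case.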