[VOIPSEC] VoIP and Fraud

[Brian Rosen]

In SIP, there are two approaches to the general problem of getting a
reliable identity of the entity placing a call.

To duplicate the basic "the network says your phone number is xxx", there is
the "P-Asserted-Identity" header that a proxy puts on the message that would
alert another entity within the same domain what the network believes the
CLID is:
http://www.ietf.org/rfc/rfc3325.txt 

The general problem of Identity on the Internet as a whole is covered in Jon
Peterson's work:
http://www.softarmor.com/wgdb/docs/draft-ietf-sip-identity-03.txt

That would be a reliable identifier of the caller.

Brian

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of John Todd
> Sent: Monday, February 14, 2005 9:35 PM
> To: Mark Fletcher; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP and Fraud
> 
> 
> Mark -
>    You've brought up an interesting topic that has been bounced around
> several other discussion lists, so I'll put this question up to the
> VOIPSEC crowd for debate: Should it be the case that there is a "BCP"
> concerning CLID on ITSP networks?   (forgive me if this is already in
> an IETF draft somewhere; my mind is at maximum capacity for VoIP RFC
> drafts at the moment.)
> 
>    There is a sub-set of IP network administrators who are very
> concerned with edge filtering of IP addresses - this seems like
> almost exactly the same issue, but on a different layer.  Allowing
> only those caller ID's into one's network which one is terminating
> _out_ to the same trunk group (virtual or real) seems like a
> reasonable security measure for VoIP service providers.  Is this
> unrealistic for enterprise customers?  Is there a reason they would
> want to have the ability to use arbitrary CLID?  I think it may be
> difficult for "transit" networks, a.k.a. carriers, since they may
> have a rapidly fluctuating list of customers who may be using the
> carriage network for outbound capacity.  However, there is almost
> always an "edge", where the carrier world touches the enterprise or
> home user.  At this point it seems reasonable for ITSPs to filter
> CLID and deny anything other than the assigned CLID(s) for that
> customer.
> 
> JT
> 
> 
> 
> At 8:27 PM -0500 on 2/14/05, Mark Fletcher wrote:
> >Mahesh,
> >
> >There are many potential areas, but one that concerns me is the ability
> for
> >a user to easily spoof their Caller ID. Typically this has only been
> >available to administrators of a PBX with PRI circuits. Many call this
> >'security via obscurity'. By spoofing CLID, a caller could raise havoc
> with
> >Emergency Services and the national E9-1-1 system, or use a spoofed CLID
> to
> >socially engineer people into giving up personal information.
> >
> >Mark J. Fletcher
> >Sr. Systems Engineer
> >
> >Office: 973-285-5745 (ESN 287-5745)
> >Mobile: 973-919-6144
> >SIP/Email: fletch at nortel.com <mailto:fletch at nortel.com>
> >Visit Nortel on the web at http://nortel.com <http://nortel.com/>
> >
> >PLEASE NOTE NEW EMAIL ADDRESS:  <mailto:Fletch at Nortel.com>
> Fletch at Nortel.com
> >[snipped legal nonsense]
> >
> >-----Original Message-----
> >From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org
> ><mailto:Voipsec-bounces at voipsa.org> ] On Behalf Of Mahesh Thakkar
> >Sent: Sunday, February 13, 2005 3:33 AM
> >To: Voipsec at voipsa.org
> >Subject: [VOIPSEC] VoIP and Fraud
> >
> >
> >Dear All,
> >
> >I am new to VoIP, but not to communication. I am in telecom for the last
> 7
> >years (GSM) and looking after Revenue Assurance and Fraud. I would like
> to
> >know what are the vulnerabilities of VoIP and loop holes for fraud in
> >practical day to day business and how one can protect or be prepared to
> act
> >against VoIP fraud.
> >
> >Responses are highly appreciated
> >
> >--
> >Mahesh Thakkar
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>