[WEB SECURITY] New two-stage login procedure

Billy Hoffman Billy.Hoffman at spidynamics.com
Wed Dec 13 17:32:04 EST 2006

ANI != Caller ID. See (http://en.wikipedia.org/wiki/Automatic_number_identification).

While CallerID is easier to spoof than an ANI, the barriers to spoof an ANI are lower than they were back in the day. Lucky225 has been doing a lot of cool work in that space over the last several years.

Besides the classic way to spoof an ANI (perform an ANI fail through a third-party operator), Esteban pointed out the other, easier way: using an Asterisk box. There was a pretty funny presentation at Toorcon this year (http://www.toorcon.org/2006/conference.html?id=24). Some guy set up an Asterisk box that would ANI spoof to allow you to access anyone's voicemail box. The presenter made up a bunch of business cards and, as he put it, "gave them to the most vindictive people I could think of: female 20-somethings."

And good fun was had by all,
Billy Hoffman
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845

-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com] 
Sent: Wednesday, December 13, 2006 12:47 PM
To: Esteban Ribičić
Cc: Web Security
Subject: Re: [WEB SECURITY] New two-stage login procedure

On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
> a smarter one would be:
> 1) user calls from a defined number (mobile) to a pbx
> 2) pbx checks ANI and asks for a code
> 3) pbx replies with a token
> user logs in with their normal credentials (bank account and password) + token +
> "common pool of questions".
> it's not expensive... asterisk can do it.

Caller ID spoofing seems like a problem with this system:
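The two-stage flow Esteban sketches (call the PBX from a registered number, enter a code, receive a token, then log in on the web with password plus token) can be modelled to show where the ANI fits in. This is an added example, not code from anyone in this thread; the user directory, PIN, password, key and TTL are constructed sample values. The PBX treats the ANI only as a lookup hint and still requires the PIN, so a spoofed ANI on its own does not earn a token; the `require_pin=False` switch models the weaker design Brian is worried about, where the ANI is the only check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory (not from the thread). A real deployment would
# store salted hashes of the PIN and password rather than plaintext values.
REGISTERED_PHONE = {"alice": "+15555550100"}
PHONE_PIN = {"alice": "4821"}
WEB_PASSWORD = {"alice": "correct horse battery"}

SERVER_KEY = secrets.token_bytes(32)   # shared by the PBX and the web app (assumed)
TOKEN_TTL_SECONDS = 120                # how long a PBX-issued token stays valid


def _mac(user: str, issued: int) -> str:
    """HMAC binding a token to one user and one issue time."""
    msg = f"{user}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def pbx_issue_token(user, ani, pin, require_pin=True, now=None):
    """Stage 1 (PBX side). The ANI selects the account but is not trusted as
    proof of identity: the caller must also enter the PIN. With
    require_pin=False the PBX becomes the weak design where a spoofed ANI
    alone is enough to obtain a token. Returns the token string or None."""
    now = int(time.time() if now is None else now)
    if REGISTERED_PHONE.get(user) != ani:
        return None
    if require_pin and not hmac.compare_digest(PHONE_PIN.get(user, ""), pin or ""):
        return None
    return f"{now}.{_mac(user, now)}"


def web_login(user, password, token, now=None):
    """Stage 2 (web side). Requires the password AND a fresh token that the
    PBX issued for this same user; a stale, tampered or foreign token fails."""
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(WEB_PASSWORD.get(user, ""), password or ""):
        return False
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued <= TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_mac(user, issued), mac)


if __name__ == "__main__":
    t = int(time.time())
    tok = pbx_issue_token("alice", "+15555550100", "4821", now=t)
    print("token issued:", tok is not None)
    print("login with password + fresh token:", web_login("alice", "correct horse battery", tok, now=t))
    print("spoofed ANI, wrong PIN, PIN required:",
          pbx_issue_token("alice", "+15555550100", "0000", now=t))
    print("spoofed ANI, PIN not required:",
          pbx_issue_token("alice", "+15555550100", None, require_pin=False, now=t) is not None)
```

The token is bound to the user and the issue time with an HMAC under a key shared only by the PBX and the web application, so it cannot be reused for another account or after the TTL. The PIN is what stops a caller who merely presents the right ANI; if the PBX skipped it, the phone stage would add nothing a caller-ID spoofer could not satisfy.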
