[WEB SECURITY] New two-stage login procedure

Wade Millican WMillican at hutchison.com.au
Wed Dec 13 19:12:22 EST 2006

I agree any CallID/ANI/DNIS data is easily spoofed. Off the top of my head, clickatell does it for SMSes. I've played with the hardware/software before to do it for ISDN/Voice calls/payload. If there were any decent payoffs in this vector, it'd be very very scary...

>>> "Billy Hoffman" <Billy.Hoffman at spidynamics.com> 14/12/2006 9:32 am >>>
ANI != Caller ID. See (http://en.wikipedia.org/wiki/Automatic_number_identification).

While CallerID is easier to spoof than an ANI, the barriers to spoof an ANI are lower than they were back in the day. Lucky225 has been doing a lot of cool work in that space over the last several years.

Besides the classic way to spoof an ANI (perform an ANI fail through a 3rd party operator), Esteban pointed out the other, easier way: using an Asterisk box. There was a pretty funny presentation at Toorcon this year (http://www.toorcon.org/2006/conference.html?id=24). Some guy set up an Asterisk box that would ANI spoof to allow you to access anyone's voicemail box. The presenter made up a bunch of business cards and, as he put it, "gave them to the most vindictive people I could think of: females 20-somethings."

And good fun was had by all,
Billy Hoffman
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845

-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com] 
Sent: Wednesday, December 13, 2006 12:47 PM
To: Esteban Ribi*i*
Cc: Web Security
Subject: Re: [WEB SECURITY] New two-stage login procedure

On 12/13/06, Esteban Ribi*i* <kisero at gmail.com> wrote:
> a smarter would be:
> 1) user calls from a defined number (mobile) to a pbx
> 2) pbx checks any and asks for a code
> 3) pbx replies with a token
> user logs with his normal credentials (bank account and password) + token +
> "common pool of questions".
> it's not expensive...asterisk can do it.

Caller ID spoofing seems like a problem with this system:



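Added example, not part of the thread and not any poster's code: a sketch of the PBX-side token logic for the scheme quoted above, written so that the presented caller number (which the replies describe as spoofable) only selects the account and the keyed-in code is what releases a token. The class and method names, the TTL, the lockout threshold and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120        # seconds a token stays valid (assumed value)
MAX_BAD_CODES = 3      # bad codes tolerated before lockout (assumed value)

class TokenIssuer:
    """Hypothetical PBX back end for the quoted scheme (all names are assumptions)."""

    def __init__(self):
        self.accounts = {}   # number -> {"salt", "code_hash", "failures"}
        self.tokens = {}     # number -> (sha256(token), expiry time)

    @staticmethod
    def _hash_code(salt, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def enroll(self, number, code):
        salt = secrets.token_bytes(16)
        self.accounts[number] = {"salt": salt, "failures": 0,
                                 "code_hash": self._hash_code(salt, code)}

    def handle_call(self, presented_number, keyed_code, now=None):
        """Steps 2-3: return a one-time token, or None if the call is refused."""
        now = time.time() if now is None else now
        # Caller ID / ANI is caller-controllable: use it only to select the account.
        acct = self.accounts.get(presented_number)
        if acct is None or acct["failures"] >= MAX_BAD_CODES:
            return None
        supplied = self._hash_code(acct["salt"], keyed_code)
        if not hmac.compare_digest(supplied, acct["code_hash"]):
            acct["failures"] += 1   # right number, wrong code: no token
            return None
        acct["failures"] = 0
        token = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[presented_number] = (digest, now + TOKEN_TTL)
        return token

    def redeem(self, number, token, now=None):
        """Web login side, after the password check. Tokens are single use."""
        now = time.time() if now is None else now
        stored = self.tokens.pop(number, None)   # pop: a wrong guess burns the token
        if stored is None or now > stored[1]:
            return False
        return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), stored[0])
```

Because the lockout counter is keyed on the presented number, anyone who can present that number can lock the account, so a deployment would need an out-of-band unlock path.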