November 19, 2006

Lauren Weinstein has an interesting angle on how the new Google ‘click-to-call’ service (via slashdot) could be used to attack consumers.

Like many of you, I noticed this new feature when Google announced it, but didn’t really consider it or bother to look into it. After seeing the slashdot article this morning, I figured I’d take a look at the google FAQ to see how obvious this problem was… for some reason, I had visions of people spoofing their numbers to trick businesses – which is annoying and possibly bad for business, but not really a security risk. Lucky for us, Lauren considered this from a different perspective…

Based on Lauren’s blog, I could see an attack along the lines of:
1. I go and ‘click to call’
2. I enter in your telephone number instead of mine
3. google calls you instead of me, but presents the caller ID information of the business they are connecting you to (courtesy of me)

So – is this an attack?

In reality, I’m not sure how easy or hard it would be to execute an attack like this (to the point where it really becomes a risk)– where I could spoof someone else’s number and google connected us together in a way that I could launch an effective attack. It would seem to me that in order to truly attack an unsuspecting consumer, we’d also have to have control over the other end of the line. It seems to me that unless I had an effective way to get Google to connect consumers to me and present the caller ID as someone else, this isn’t a huge risk.

That said, I see a more alarming trend: as more people rely on caller-ID, any service that intentionally modifies this information certainly poses a risk and, like Lauren, I would urge Google and others to consider it’s use more carefully.

A feature for some is an attack for another.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours - the best way for Security Leaders to connect with a group of peers each week for a needed shot of energy and actionable insights.