Lauren Weinstein has an interesting angle on how the new Google ‘click-to-call’ service (via Slashdot) could be used to attack consumers.
Like many of you, I noticed this new feature when Google announced it, but didn’t really consider it or bother to look into it. After seeing the Slashdot article this morning, I figured I’d take a look at the Google FAQ to see how obvious this problem was. For some reason, I had visions of people spoofing their numbers to trick businesses, which is annoying and possibly bad for business, but not really a security risk. Lucky for us, Lauren considered this from a different perspective.
Based on Lauren’s blog, I could see an attack along the lines of:
1. I go and ‘click to call’.
2. I enter your telephone number instead of mine.
3. Google calls you instead of me, and presents the caller ID of the business it is connecting you to, on a call that I initiated.
So – is this an attack?
In reality, I’m not sure how easy or hard it would be to execute an attack like this to the point where it really becomes a risk: one where I could spoof someone else’s number and have Google connect us in a way that lets me launch an effective attack. To truly attack an unsuspecting consumer, I would also need control over the other end of the line. Unless I had an effective way to get Google to connect consumers to me while presenting someone else’s caller ID, this isn’t a huge risk.
That said, I see a more alarming trend: as more people rely on caller ID, any service that intentionally modifies this information poses a risk and, like Lauren, I would urge Google and others to consider its use more carefully.
A feature for some is an attack for another.