Tel3.com Calling Card System ANI Spoofing Vulnerability

* Written by: The Clone
* Date: Monday, August 1, 2005
* Contact: theclone@hackcanada.com
* Web-site: http://www.nettwerked.net
* Credits: Lucky225, RootSecure.net, War
* Shouts: Hack Canada (www.hackcanada.com)

-_-

Synopsis:

Corporations that are implementing voice over IP (VoIP) technologies for the purpose of offering dedicated phone service (e.g. Vonage), or pre-paid calling card service (e.g. Nettwerked Calling Cards) in an attempt to cut communications costs associated with POTS-copper lines shouldn't overlook the obvious security risks. Most businesses implementing VoIP are primarily concerned with the following three things: voice quality, latency and interoperability. To many businesses, security is an afterthought, an expense not worth investing in until something "bad" happens. A reactive instead of proactive approach to VoIP security is what tends to cost these companies millions of dollars in intellectual property losses. One such company that recently caught my attention for lack of security (specifically customer authentication) is Tel3.com, a business headquartered out of Miami, Florida.

Details:

Tel3.com is a company that offers pre-paid, VoIP based, local/international calling card services worldwide. One feature that Tel3.com offers all its customers (credit card paying customers I might add), is the ability to make long distance calls on the Tel3 calling card network without the necessary use of a unique 12+ digit pin code. Instead Tel3 can authenticate its paying customers based on Automatic Number Identification (ANI). Yeah, I can't believe it either.

According to the Tel3.com FAQ (http://www.tel3.com/faq.aspx):

"Tel3 is a service that provides unprecedented low international and domestic calling rates. Tel3 uses ANI (caller-id) recognition so users do not have to enter a PIN each time they make long calls from their Instant Access numbers."
The problem with "ANI Billing" is the fact that ANI can be so easily spoofed.

"So what is ANI?", you ask.

ANI or Automatic Number Identification is a system used by the telephone company to determine the number of the calling party. There are believed to be two types, 'FLEX ANI' (used for e.g. verification services such as voicemail) which is relatively easy to spoof, and 'Real Time ANI' (used only for billing purposes on e.g. 800 numbers) which is harder to spoof [Definition: Hack FAQ].

ANI Spoofing is done by falsely setting the telephone number you're calling from to appear as another number somewhere else. In fact the number you can set does not necessarily need to be a valid one either. In the traditional sense ANI and Caller ID spoofing was done using the assistance of an operator, or through a company's PBX (Private Branch Exchange). These methods were not the most efficient, many operators caught onto what you were doing after a while, and a lot of previously exploited company PBXs were protected in secure locations.

"So how can I spoof my ANI without an operator or access to a company's PBX?"

Today ANI spoofing has become much easier to do. With VoIP (Voice over Internet Protocol) becoming more and more present in today's business world, you now have the ability to spoof your ANI via this method. This is how it's done: a lot of VoIP carriers never set a Charge Number and allow you to pass through your own ANI information without ever having a pre-set number implemented on their side.

The Asterisk(tm) Way...

The first and more complicated way to spoof your ANI is by using Asterisk(tm) - The Open Source Linux PBX.

According to their site (www.asterisk.org):

"Asterisk is a complete PBX in software. It runs on Linux and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware."
What you need is a computer with a Linux compatible network card, basic Linux knowledge, an Internet connection (preferably a high speed type like ADSL or Cable), a VoIP hardware phone or software phone, and an account with a VoIP provider that allows ANI spoofing (e.g. Nufone.net, VoicePulse.com, VoipJet.com).

According to RootSecure (http://www.rootsecure.net/?p=reports/callerid_spoofing):

1. Follow the instructions in Andy Powell's 'Getting Started With Asterisk' guide for the initial Linux install.

2. Add the following lines to your extension config file in the same context as your SIP phone.

    exten => 33,1,Answer
    exten => 33,2,AGI(cidspoof.agi)

3. Sign up with a VoIP provider.

4. Add appropriate details into your IAX config file (as issued by your VoIP service provider).

5. Download the cidspoof.agi script, changing line 77 to the correct username/hostname for your VoIP IAX service provider, and copy it to /var/lib/asterisk/agi-bin/.

6. Start Asterisk.

7. Check your SIP phone has correctly registered / verify you are able to make a SIP to PSTN call.

8. Call extension 33, enter the 10 digit number you wish to spoof from, followed by the 10 digit number you wish to spoof to.

A simpler alternative is to use the command SetCallerID(2121111111) in the "extensions.conf" file directly; however, it will have to be manually edited and Asterisk reloaded for every call.

An easier way...

These companies offer the customer the ability to spoof ANI/CID through their pre-paid service: SpoofTel (http://www.spooftel.com/ - a Spoofing-only service), Nettwerked Calling Card (http://www.nettwerked.net/callingcard/ - A calling card service that War and I run. We charge 25 cents per ANI spoof, and also spoof your ANI/CID as "780-000-1337" by default), and Veratel Communications (http://www.vera-tel.com). Just check Google, you're bound to find a ton more companies that offer ANI/CID spoofing for a reasonable fee.

Is this sitting well in your stomachs, Tel3.com?
:-)

The possible consequences of Tel3.com using ANI as a form of authentication...

As you can see it's very easy to spoof your ANI/Caller ID. The obvious consequence of using ANI as a form of authentication is the ability for anyone with minimal technical skills to start using your Tel3.com calling card time without your knowledge for free telephone calls or other fraudulent activities. At this point all the potential attacker needs is the telephone number you have bound to your Tel3.com account and any number of previously mentioned methods to spoof their phone number.

The Solution...

For now I would advise anyone using Tel3.com to contact the company directly and tell them you are not comfortable with this "convenience" service due to the severe risks it presents you. In the end Tel3.com is going to be the ones who will need to re-think their marketing, and go back to the way traditional calling card companies go: by using a unique and difficult to bruteforce 12-14 digit pin code for its user authentication.

Final Thoughts...

This article was not written as a new, exciting, or mind blowing tutorial on ANI spoofing. So before you open up your e-mail client to send me some hate mail you stupid (and mostly American) fucks, let's get real for a second; nearly every idiot in the so-called H/P "scene" knows how to spoof ANI/CID. This article was written to point out that not only are banks and mobile companies using ANI as a form of authentication, but now our beloved US/CDN Calling Card companies are too. These companies need to wake up and smell the lukewarm coffee:

ANI AUTHENTICATION IS NOT A SECURE METHOD OF VERIFYING WHO YOUR CUSTOMERS ARE.

Quit it, or expect to be exploited until the end of time.

Good Day.

.eof
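The fix recommended under "The Solution..." above, sketched as an added example that is not code from the article or from Tel3.com: the ANI-only check beside a check where the ANI merely selects the account and a random 12 digit PIN is the credential. The class and method names, the phone numbers, the lockout threshold and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 3   # assumed lockout threshold, not from the article
PIN_DIGITS = 12    # low end of the 12-14 digit range the article recommends


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked account table does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CardAccounts:
    """Constructed account store keyed by the customer's registered number."""

    def __init__(self):
        self._by_ani = {}

    def register(self, ani: str) -> str:
        # Issue a uniformly random PIN; it is returned once and only its hash is kept.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = os.urandom(16)
        self._by_ani[ani] = {"salt": salt, "pin": _hash_pin(pin, salt), "failures": 0}
        return pin

    def auth_ani_only(self, ani: str) -> bool:
        # Weak design described in the article: the number presented by the
        # caller is the only credential, so knowing it is enough.
        return ani in self._by_ani

    def auth_ani_and_pin(self, ani: str, pin: str) -> bool:
        # Hardened design: the ANI is an untrusted hint that picks the account,
        # the PIN is the secret, and repeated wrong guesses lock the account.
        acct = self._by_ani.get(ani)
        if acct is None or acct["failures"] >= MAX_FAILURES:
            return False
        ok = hmac.compare_digest(_hash_pin(pin, acct["salt"]), acct["pin"])
        acct["failures"] = 0 if ok else acct["failures"] + 1
        return ok


if __name__ == "__main__":
    store = CardAccounts()
    issued = store.register("7805550100")   # constructed sample number
    print("ANI only:", store.auth_ani_only("7805550100"))
    print("ANI + wrong PIN:", store.auth_ani_and_pin("7805550100", "0" * 11))
    print("ANI + issued PIN:", store.auth_ani_and_pin("7805550100", issued))
```

Because the failure counter is keyed on the claimed ANI, which is not trustworthy, a real deployment would also need an unlock or recovery path for the legitimate customer.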