Thread: "vishing scams" - Why can they still happen?

  1. #1
    Lucio

    Excuse the poor quality of the following article; it's been included to help explain the query.

    Article

    What I'm curious about is why we are still using phone exchanges which don't allow either caller to terminate the connection. It seems to me that even if you ignore the bank's role in this, the landline phone system could be modified to prevent the problem?

    Does anyone know why it works this way? Is it a legacy problem due to old technology or must it work this way to prevent chaos?

    (\___/) (\___/) (\___/) (\___/) (\___/) (\___/) (\___/)
    (='.'=) (='.'=) (='.'=) (='.'=) (='.'=) (='.'=) (='.'=)
    (")_(") (")_(") (")_(") (")_(") (")_(") (")_(") (")_(")


    This is bunny and friends. He is fed up waiting for everyone to help him out, and decided to help himself instead!

  2. #2
    Programming_Lif

    The problem here is that the telephone company can't monitor all the calls on the network... there's like 1 billion calls going through the system and to actually monitor every single conversation and check whether they are fraudulent or not takes a very long time. Landline companies have tried to modify their network to prevent the problem but fraudsters are too clever and are able to easily bypass it... either by moving places - constantly changing number or having a call centre overseas do their dirty work... what's worse about call centre overseas is that if you are in the UK, there is nothing you can easily do to prevent it.

    Thus the best thing landline companies can do is to warn people about these types of scams and banks telling people that they would never ask for the CVV or security code of your card on the phone or online.

  3. #3
    Jonj1611

    Quote, originally posted by Programming_Lif:
        The problem here is that the telephone company can't monitor all the calls on the network... there's like 1 billion calls going through the system and to actually monitor every single conversation and check whether they are fraudulent or not takes a very long time. Landline companies have tried to modify their network to prevent the problem but fraudsters are too clever and are able to easily bypass it... either by moving places - constantly changing number or having a call centre overseas do their dirty work... what's worse about call centre overseas is that if you are in the UK, there is nothing you can easily do to prevent it.

        Thus the best thing landline companies can do is to warn people about these types of scams and banks telling people that they would never ask for the CVV or security code of your card on the phone or online.

    If you had read what the OP was asking you would know that wasn't what he asked. What he asked was why the connection cannot be terminated.
    Jon

  4. #4
    g8ina

    A quick double tap on the handset switch often clears the line, or more likely opens a second line...
    Cheers, David



  5. #5
    peterb

    In simple terms, it is because the signalling channel, which establishes the call and tears down the call, is separate from the voice channel that carries the speech.

    I am not familiar with the details of the protocol (Signalling System 7), but in essence the initiating call retains control of the voice channel and therefore initiates the teardown process at the end of the call.

    More details are here:
    http://en.wikipedia.org/wiki/Signalling_System_No._7

    That then begs the question of whether the protocol could be modified?

    I would guess that the answer is yes, but how easy would that be to implement, given that it is pretty much a global protocol that handles everything from a local call between two line pairs connected to the same exchange, right through to two mobile calls that can be on different continents? The technical challenges of implementation are enormous.

    That said, the ITU and telcos did modify the protocol for out of band signalling when 'phreaking' became popular in the 1970s, using in-band tone generators to send signalling codes that bypassed billing processes. That took some years to implement, and the telephone system is considerably larger and more complex than it was 40 years ago.

    However, the cynic in me wonders that if the 'vishing' fraud resulted in revenue loss to the Telcos, would they be a bit more pro-active in implementing a change?

  6. #6
    BobF64

    I'd suspect that BT don't see it as a big enough problem, and quite possibly when everyone is finally upgraded to the 21CN it won't be a problem at all.

    Quote, originally posted by peterb:
        However, the cynic in me wonders that if the 'vishing' fraud resulted in revenue loss to the Telcos, would they be a bit more pro-active in implementing a change?

    Perhaps they should be. Credit card companies are liable for fraud under the Consumer Credit Act, I think; no reason that Telcos couldn't be held liable on the same grounds, suitable regulation or law as needed.

  7. #7
    wasabi

    Quote, originally posted by peterb:
        However, the cynic in me wonders that if the 'vishing' fraud resulted in revenue loss to the Telcos, would they be a bit more pro-active in implementing a change?

    ...is the correct answer.

  8. #8
    peterb

    Quote, originally posted by BobF64:
        I'd suspect that BT don't see it as a big enough problem, and quite possibly when everyone is finally upgraded to the 21CN it won't be a problem at all.

        Perhaps they should be. Credit card companies are liable for fraud under the Consumer Credit Act, I think; no reason that Telcos couldn't be held liable on the same grounds, suitable regulation or law as needed.

    Well, it isn't really a BT problem, it is an issue with any equipment using Signalling System 7, which is a global standard, so any change would have to be applied everywhere and agreed by the ITU.

    Should Telcos be responsible for how their network is used, particularly if the originating call might be from another Telco, and possibly passed through networks not under their control?

    Tricky one, because the crime at the end of the day is fraud (and in the UK, possible offence under various communications acts). But fraud is a criminal offence investigated by law enforcement agencies, however it is caused. You could say that someone receiving a phishing e-mail should hold the ISP responsible, or someone responding to a fraudulent letter should hold the post office responsible.

    However, I do accept that there is a slight difference in that it is the exploitation of a technical defect that allows the scam to take place, but is that different from a security defect in an OS that allows access to a computer?

    Of course, traffic analysis and call set up monitoring, the metadata, might help law enforcement agencies catch the perpetrators, but that would involve harvesting metadata before the crime takes place...

    But the technical solution is to change SS7, but the cost/benefit analysis would make interesting reading and the cost of implementation would ultimately be passed onto all end users.

  9. #9
    Agent

    A huge number of scams can be solved by two factor checking. The bank checks your details when you ring (name, address, whatever) and then you ask them something like your current balance / email address / middle name. Things scammers are unlikely to have at short notice like that. I caught a fake insurance company out like this only 6 or so months ago!
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.

  10. #10
    peterb

    Quote, originally posted by Agent:
        A huge number of scams can be solved by two factor checking. The bank checks your details when you ring (name, address, whatever) and then you ask them something like your current balance / email address / middle name. Things scammers are unlikely to have at short notice like that. I caught a fake insurance company out like this only 6 or so months ago!

    Indeed, but that requires the end user to be security conscious and know about it - the user in the article the OP quoted clearly was not particularly security conscious.

    The problem is compounded by some types of phone (cordless in particular) that don't give a dial tone until the phone number has been entered and a send button pressed (my Siemens Gigaset is one example), so the interval between hearing a dial tone and the phone dialling the number is very small, and easily missed - so if there is no dial tone (because the line is still open) that could be missed.

    As an aside, I had a couple of suspect transactions on my credit card - which were picked up by the issuer concerned. All good, and they suspended the card - then rang me to check the details. I was out so they left a number to call back.

    I rang back, and the person on the other end started asking me to authenticate myself!

    A 'robust' discussion ensued when I declined to give any details until he authenticated himself to me! Which he eventually did! But I did wonder at the mentality which seemed to assume that since I was ringing a number they had left with me, they must be genuine, and I needed to authenticate myself!
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute
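
The behaviour described in posts #5 and #10, as a toy model added here (it is not part of any post in this thread and is not the SS7 protocol itself): the called party's hang-up only starts a hold timer, the calling party's hang-up clears the call, and a redial during the hold period gets a fresh line only if the missing dial tone is noticed. `HOLD_SECONDS`, `HeldLine` and the function names are assumptions made for the example.

```python
from dataclasses import dataclass

HOLD_SECONDS = 120  # assumed hold period; illustrative, not a figure from the thread


@dataclass
class HeldLine:
    """Called party's landline in this model: only the calling side can clear the call."""
    caller_on_line: bool = True       # the calling party has not hung up
    callee_hung_up_at: float = 0.0    # time (seconds) the called party replaced the handset

    def caller_hangs_up(self):
        # Teardown initiated by the calling side takes effect at once.
        self.caller_on_line = False

    def still_held(self, now):
        # The called party's hang-up only starts a timer; the circuit stays up
        # until the caller clears or the hold period runs out.
        return self.caller_on_line and (now - self.callee_hung_up_at) < HOLD_SECONDS


def redial_outcome(line, lift_handset_at, listens_for_dial_tone):
    """What happens when the called party picks up again to ring a trusted number.

    Returns 'connected_to_dialled_number', 'abandoned_no_dial_tone'
    or 'still_on_original_call'.
    """
    if not line.still_held(lift_handset_at):
        return "connected_to_dialled_number"   # fresh line, dial tone present
    if listens_for_dial_tone:
        return "abandoned_no_dial_tone"        # the open line is noticed before dialling
    # Handsets that dial only after 'send' is pressed hide the missing dial tone.
    return "still_on_original_call"


def earliest_safe_redial(line):
    """Time (seconds) from which a redial is guaranteed a fresh line."""
    if not line.caller_on_line:
        return 0
    return line.callee_hung_up_at + HOLD_SECONDS
```

Redialling from a different line avoids the held circuit altogether, which the model reflects only in that a line with `caller_on_line=False` is always safe.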
