I'm happy to see pal John Todd, whom I know from his days with TalkPlus, has landed with the Digium folks. That's a great match as John knows Asterisk very, very well and has always been viewed with high regard in the open source community.
When I read about John in PC World it was related to Vishing, a topic I have been aware of for some time, and the potential impact it could have on unsuspecting customers of financial institutions. Given all the changes occurring in banks right now due to the current storms in the banking world, one has to realize that opportunistic criminals will take advantage of the opportunity.
In the summer months I reached out to front line PR representatives of Wells Fargo Bank and Citibank, two of the largest banking institutions, as well as a Privacy Officer at American Express. I asked each of them a simple question. "What are you doing to protect against vishing?" Only the American Express representative was able to provide some sort of answer, but like his counterparts at the other two institutions, I had to first explain what vishing was.
Despite promises from Wells Fargo and Citibank's reps that they would look into the matter with their technical people, neither ever got back to me, not even with the usual, "we don't comment on matters of bank security."
Once again, the bad guys are winning.
Andy -
I think the FBI warning (though distressingly non-specific) was not about caller ID fraud with Asterisk. It's about compromised individual accounts being used for outbound voice phishing, which can happen to anyone with weak passwords. But since the FBI didn't contact us first, we don't know.
Of course, a more critical question is "What is being done to manage caller-ID fraud on SS7 networks?" but that's another story to tell.
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
JT
Posted by: John Todd | December 06, 2008 at 09:50 PM