Various “Click to Call” services have begun to emerge recently, bringing with them some very interesting and questionable service behavior. In a nutshell, Click-to-Call provides a website user with a button that they can click to initiate a voice session with the website or business, such as a customer service department. Most of these types of services work in a similar way with only minor variations: when a user clicks on the click-to-call button or link, the user is asked for their phone number. The “called” party’s phone system or click-to-call provider then essentially initiates a 3-way call, first calling the website user at the number they provided, then, once the user answers, connecting that call to the number of the business or website owner. In most cases these systems spoof the Caller-ID of the called party toward the user and may or may not spoof the Caller-ID of the user toward the callee.
Google has recently introduced their Click-to-Call feature for Google AdWords, as well as adding it to Google Maps, allowing users to “call” businesses found on their ads or maps directly from the website. When a user selects a location on a Google map and then clicks the “call” link next to the displayed phone number, Google prompts the user for their phone number and the call progresses as described above.
While investigating Google’s implementation of this feature on Google Maps, I also noticed another feature that I hadn’t noticed before. Google Maps allows you to forward the location’s information such as name, address, and phone number to a mobile device via SMS. It works much the same way as their click-to-call service: in the location description you click the “send to phone” link and enter your phone number so that Google can forward the information via SMS.
Currently Google seems to have restricted their service to AdWords advertisers and people who are paying for this service. However, other systems also exist that provide much the same functionality without the “called” party being aware of what is happening or even expecting it, resulting in cases where their Caller-ID information may be spoofed toward the “calling” party’s number, which may or may not actually belong to the person that initiated the call via the website’s click-to-call form.
The inherent problem with Click-to-Call and similar services is an amplified version of one of the most prevalent current problems with VoIP overall: a general lack of verifiable user identity. Not only are users of click-to-call services usually not required to authenticate with the site before clicking-to-call, they are allowed to provide their own call-back number, which usually isn’t verified in any way. Then, to make things worse, a role-reversal happens where the entity that would normally be the receiver of the call becomes the initiator of the call, or at least the 3rd-party assist mechanism initiates it, potentially spoofing one or both of the other parties as the initiator.
Remember when BBS systems back in the day started requiring user phone number verification by not allowing users to register or activate their accounts until they provided a call-back number and let the BBS connect back to them? Yeah, there was a reason many boards stopped doing that, or at least severely restricted what numbers they could call back… Nobody likes a modem calling them up in the middle of the night and screeching in their ear, especially victims of a BBS call-back system that was fed their number by some punk kid at 3am. I’m going to go out on a limb here and say that most people also won’t like answering their phone to find a ringing line, which is then answered by Joe’s XXX Empornium, or possibly their ex-girlfriend.
There was a recent discussion relating to Caller-ID on the VoIPSec e-mail list centered around what acceptable uses for Caller-ID information are, whether there are legitimate cases in which Caller-ID should be able to be spoofed, and whether Caller-ID really provides any value as an identification of the calling party (or more accurately, the calling line’s owner). At first glance, the spoofing of Caller-ID in either direction of a 3rd-party assisted call would seem to make sense; once the call is established the 3rd party (human operator or automated system alike) is usually no longer involved in the call other than perhaps maintaining the connection, so the information of the two parties remaining involved is what is used as Caller-ID. However, while the website user originally initiated the call by clicking on the click-to-call link, either the called party or a 3rd-party assist mechanism is actually initiating the call via the phone system, potentially from the “called” party’s line or equipment. What could this potentially mean for the accuracy of call records when subpoenaed in a legal battle? “No, Detective, they called ME, I never initiated any correspondence with them at all…” Unless the business or click-to-call provider is keeping complete and accurate records of which calls were initiated by whom at what internet address via this system, select call records could prove to be questionable. When combined with the lack of user identity required by most click-to-call systems, unless an ISP is willing to get involved it will be difficult to track down who actually initiated any given call that was completed in this manner.
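As an added illustration (not code from any click-to-call provider or from this post), here is one way a provider could keep the initiation records described above: each web request is bound to the two call legs it caused, and the records are chained with an HMAC so that later edits are detectable. The field names, the key handling, and the sample numbers and addresses are all assumptions constructed for the example.

```python
import hashlib, hmac, json

LOG_KEY = b"constructed-demo-key"  # assumption: a secret held only by the logging service

def _mac(prev_mac, body):
    # Chain each record to the previous MAC: editing a record, or removing an
    # earlier one, makes verification fail from that point on.
    msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()

def record_initiation(log, ts, client_ip, callback_number, business_number, call_id):
    """Append who asked for the call (web side) and which legs were dialed."""
    body = {
        "ts": ts, "client_ip": client_ip, "call_id": call_id,
        "initiated_via": "web-form",     # the user never dialed anything
        "leg1_dialed": callback_number,  # provider -> number typed into the form
        "leg2_dialed": business_number,  # provider -> business, once leg 1 answers
        "callback_verified": False,      # the form did not verify the number
    }
    prev = log[-1]["mac"] if log else ""
    log.append({"body": body, "mac": _mac(prev, body)})
    return log[-1]

def verify_chain(log):
    """Return the index of the first record that fails verification, or -1."""
    prev = ""
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["body"])):
            return i
        prev = rec["mac"]
    return -1

def who_initiated(log, call_id):
    """Answer the dispute question: which web client requested this call?"""
    for rec in log:
        if rec["body"]["call_id"] == call_id:
            b = rec["body"]
            return (b["client_ip"], b["ts"], b["initiated_via"])
    return None

def demo():
    log = []  # constructed sample requests using documentation IPs and 555 numbers
    record_initiation(log, "2024-01-01T03:00:12Z", "192.0.2.10", "+12025550143", "+12025550199", "c-1")
    record_initiation(log, "2024-01-01T09:30:00Z", "198.51.100.7", "+12025550111", "+12025550199", "c-2")
    intact = verify_chain(log)
    log[0]["body"]["client_ip"] = "203.0.113.5"  # simulate after-the-fact editing
    return intact, verify_chain(log), who_initiated(log, "c-2")
```

The record shows only which internet address requested the call; because the callback number is unverified, it does not show that the person who answered leg 1 asked for it.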
In my opinion, not only do “Click-to-Call” services in their current forms open up a huge can of worms technically, but when they start employing what is essentially a vulnerability in VoIP systems such as the ability to spoof Caller-ID in order to mask what is actually taking place from the parties involved in the call, the potential for abuse skyrockets. On the positive side however, I guess 3rd-party assisted calls provide an excellent middle-man monitoring point for the spooks, Customer Support Quality Assurance, and anyone having to comply with CALEA. (: