Click-to-Harass

Various “Click to Call” services have begun to emerge recently, bringing with them some very interesting and questionable service behavior. In a nut-shell, Click-to-Call provides a website user with a button that they can click to initiate a voice session with the website or business, such as a customer service department. Most of these types of services work in a similar way with only minor variations; when a user clicks on the click-to-call button or link, the user is asked for their phone number. The “called” party’s phone system or click-to-call provider then essentially initiates a 3-way call, first calling the website user at the number they provided, then once the user answers, connecting that call to the number of the business or website owner. In most cases these sysetms spoof the Caller-ID of the called party toward the user and may or may not spoof the Caller-ID of the user toward the callee.

Google has recently introduced their Click-to-Call feature for Google Ad-Words, as well as adding it to Google Maps, allowing users to “call” businesses found on their ads or maps directly from the website. When a user selects a location on a Google map and then clicks the “call” link next to the displayed phone number, Google prompts the user for their phone number and the call progresses as described above.

While investigating Google’s implemenation of this feature on Google Maps, I also noticed another feature that I hadn’t noticed before. Google Maps allows you to forward the location’s information such as name, address, and phone number to a mobile device via SMS. It works much the same way as their click-to-call service in that via the location description you click the “send to phone” link and enter your phone number so that Google can forward the information via SMS.

Currently Google seems to have restricted their service to AdWords advertisers and people who are paying for this servcie, however other systems also exist that provide much the same functionality without the “called” party being aware of what is happening or even expecting it, resulting in cases where their Caller-ID information may be spoofed toward the “calling” party’s number, which may or may not actually be the person that initiated the call via the website’s click-to-call form.

The inherent problem with Click-to-Call and similar services is an amplified version of one of the most prevalent current problems with VoIP overall; general lack of verifiable user identity. Not only are users of click-to-call services usually not required to authenticate with the site before clicking-to-call, they are allowed to provide their own call-back number which usually isn’t verified in any way. Then, to make things worse, a role-reversal happens where the entity that would normally be the receiver of the call becomes the initiator of the call, or at least the 3rd-party assist mechanism initiates, potentially spoofing one or both of the other parties as the initiator.

Remember when BBS systems back in the day started requiring user phone number verification by not allowing users to register or activate their accounts until they provided a call-back number and let the BBS connect back to them? Yea, there was a reason many boards stopped doing that, or at least severely restricted what numbers they could call back… Nobody likes a modem calling them up in the middle of the night and screeching in their ear, especially victims of a BBS call-back system that was fed their number by some punk kid at 3am. I’m going to go out on a limb here and say that most people also won’t like answering their phone to find a ringing line, which is then answered by Joe’s XXX Empornium, or possibly their Ex-girlfriend.

There was a recent discussion relating to Caller-ID on the VoIPSec e-mail list centered around what acceptable uses for Caller-ID information are, if there are legitimate cases in which Caller-ID should be able to be spoofed, and if Caller-ID really provides any value as an identification of the calling party (or more accurately, the calling line’s owner). At first glance, the spoofing of Caller-ID in either direction of a 3rd-party assisted call would seem to make sense; once the call is established the 3rd-party (human operator or automated system alike) is usually no longer involved in the call other than perhaps maintaining the connection, so the information of the two parties remaining involved is what is used as Caller-ID. However, while the website user originally initiated the call by clicking on the click-to-call link, either the called party or a 3rd-party assist mechanism is actually initiating the call via the phone system, potentially from the “called” party’s line or equipment. What could this potentially mean for the accuracy of call records when subpoenad in a legal battle? “No, Detective, they called ME, I never initiated any coorespondance with them at all…” Unless the business or click-to-call provider is keeping complete and accurate records of which calls were initiated by whom at what internet address via this system, select call records could prove to be questionable. When combined with the lack of user identity required by most click-to-call systems, unless an ISP is willing to get involved there will be a difficult time of attempting to track down who actually initiated any given call that was completed in this manner.

In my opinion, not only do “Click-to-Call” services in their current forms open up a huge can of worms technically, but when they start employing what is essentially a vulnerability in VoIP systems such as the ability to spoof Caller-ID in order to mask what is actually taking place from the parties involved in the call, the potential for abuse sky-rockets. On the positive side however, I guess 3rd-party assisted calls provide an excellent middle-man monitoring point for the spooks, Customer Support Quality Assurance, and anyone having to comply with CALEA. (:

3 thoughts on “Click-to-Harass

  1. Dan York

    Dustin,

    Nice piece. TechCrunch also had a post yesterday speculating that Google had pulled Click-To-Call because of harrassment issues, although it seems to have just been a temporary service outage, as the service is back running today (used it myself this morning).

    The interesting thing, though, is that you can see the immense value to the consumer for this type of service. Over the past few days I’ve been testing it myself with calling various local businesses here in Vermont. I have to say it has worked great. Find them in Google Maps, click the “call” button, wait for the ring of my phone, press the “Talk” button on my wireless handset and… ta da… I’m connecting to the business. It is a little strange for other people in the house (i.e. my wife) to hear the phone ring once before I pick up, but outside of that, it works fine. From a consumer point of view, it’s a wonderfully easy way to find businesses and connect. Why should I remember my dentist’s number when I can just find them in Google Maps and click “call”? Simple. Easy. Convenient.

    Interestingly, the Caller ID that I see is that of the business I am calling, so I’m not entirely sure how that is all working. You are right, though, that this does raise serious issues around the accuracy of call records. I’ll have to look at my next phone statement and see how (or if) these calls are recorded.

    From a security point-of-view, too, it’s not entirely clear to me personally where all these calls are going. Presumably Google is using some VoIP Service Provider (some posts have indicated it is VoIP, Inc., in Florida) who is initiating the calls to myself and the other business. How long is my call actually in “VoIP” versus the traditional PSTN? What IP networks does it traverse? What is the window of exposure for interruption or interception? All good questions without ready answers (at least that I can see).

    What is interesting to consider, also, is how fundamentally disruptive this and other similar services are to the traditional carrier market. Why should I pay Verizon (my carrier here in VT) anything beyond the very, very basic service if I can use these services for my connections? Given that the model today here in the US is that incoming calls are free, what is my incentive to go beyond the very basic plan? Suddenly instead of paying $50 or $70/month for an unlimited NA calling plan, I’m paying $15/month for rudimentary service. Just use a click-to-call service… especially a free one from Google, and you’re set. Now, granted, I need to use some other service for calling residences, since Google is only businesses, but still, the point is that these services have to be giving carrier execs severe cases of agita.

    It will also be curious to see the effect this Google effort has on JaJah and friends, where Google is making it free. Given that JaJah’s business model seems to be around charging people for calls longer than 5 minutes, a move like this has got to be a threat to that model. On the other hand, they may be wagering on the “stickiness” of customers… once they have started using Jajah, they’ll stick with it. However, customers are fickle and we’ve seen time and time again that free beats everything else (witness Skype’s growth).

    What I am not entirely clear on is the business model for Google. Obviously this service can drive people to use Google Maps, but okay… so what? As of this moment, there is no blatant advertising on any of the queries I’ve done. Now this may just be that no one has sponsored any links relevant to my very local queries. I note that when I did a query on “map store, boston, ma”, I got sponsored links above and below my search results. So maybe that is it… which seems kind of weak to me personally. If I’m looking up a business, for me odds are pretty certain that I’m going to call that business. But maybe that’s just me. Maybe enough other people are clicking on the sponsored links that giving away calling minutes is an effective loss leader to bring people to the site. I’m sure Google being the behemoth that they are they can get very aggressive pricing, so all the collective minutes may just be noise in their balance sheet.

    Anyway, it’s fascinating to watch all of these services evolve, and yes, as you indicate, there are serious security issues that do need to be addressed. We shall see how this all shakes out.

    Thanks for writing this post,
    Dan

  2. Pingback: Voice of VOIPSA » Blog Archive » Tell Me Your PIN, So I Can Go Shopping

Comments are closed.