“Let me transfer you…”: Teachable Moments from Telemarketers

Telemarketers… yeah. It’s a fairly well known tactic to spoof an outbound call’s Caller ID to use the same area code and three-digit exchange as the intended target, making it appear as a local call.

By the sound of my local calls, I must be living in downtown Bangalore…

It’s worth listening to this one right to the end — trust me.

So, you don’t want to block a local number, and it might be spoofed anyway, so what would be the point? What can you do? Well, not much. After all, the FCC is not on our side in the telemarketer wars. There are some crowd-sourced technical solutions where you share all of your inbound calls with a central service; with a larger view, that service can see numbers that are calling everyone and block them or intercept them before you answer; however, that does mean you have to participate in sharing all of your telephony data.

In my particular, one-off case, though, it just so happens that my long-standing phone exchange is fairly old and I don’t think I know anyone else in that exchange. So, if I see a number from that exchange, I forward it to kindly old Lenny to for handling.

That’s Lenny in the recording above, by the way. Lenny is not an AI per se. Lenny is a sequence of a dozen or so recorded snippets and some very basic logic: Starting with message n=1, Lenny plays message n, waits for the caller to respond, and when there is silence Lenny plays message n + 1. In its base implementation, the cycle is entirely deterministic: Lenny is not trying to interpret what the caller wants; rather, he just rambles a bit like a kindly old gentleman and invites the telemarketer to engage — after all, if they can keep you on the phone, there’s a chance, yes? So Lenny just keeps on keeping on until the telemarketer catches on or just gives up in frustration. (Seriously, listen to that message to the end.)

So, it’s not the solution, but in this particular case it is a solution.

That was fun. Is that all?

Well, no. I believe it’s particularly important to remind clients that telephone systems are more sophisticated than the average user may think. The abilities to monitor, to record, and even to add intelligence in real time in an automated way are very possible and very real. It’s not just the audio processing, by the way — phone systems are computers with access to all of the call metadata in real time. They can analyze, copy, reroute,record, and so forth — the possibilities are left to the imagination of the reader…

If you’ve ever been concerned with your personal privacy or your organization’s privacy when it comes to stored files, email processing or any other typical concerns, I’d urge you to add telephony to your threat modeling. Know who controls the system, who has access to the data, and who owns the data.Ask what data is retained. Ask how the system is protected. Ask if the data in transit is encrypted and if that data transits on a dedicated, isolated network. As a security professional, it is your job to ask ~ so ask.

Now, on a lighter note: Understanding that the telemarketer’s business is built on this type of technology may unlock some ideas in how to deal with them.

TCM Labs invites every security-conscious professional to take note of the phones in your personal and business environments, to ask who controls them, and to consider how they might be used. Contact us with your concerns.