Show HN: Phone verification at no cost (opens in new tab)

(github.com)

147 pointsnatsu9010y ago62 comments

62 comments

39 comments · 12 top-level

gst10y ago· 9 in thread

It's relatively easy to change/fake the caller ID of phone calls so unfortunately this approach isn't really secure. That's why phone number verification usually places an outgoing call, to verify that you're actually able to receive calls on that number.

reitanqild10y ago

This has been the case since I was a kid. My dad told me that I could verify[0] the identity of a caller by calling back to a number that was known to belong to the entity in question.

[0]: for some level of security. My father was a farmer at that time and I know he wasn't talking about a nation state adversary ;-)

ma2rten10y ago

Yeah, this should be common knowledge.

wfunction10y ago

At the risk of sounding like I'm actually going to abuse this capability... if it's done "relatively easily", how is this done?

finnn10y ago

My SIP provider passes whatever number I send, for most of the numbers. No talking to them required. Particularly fun for Android phones that do Google Maps lookups for caller ID, so calling from 2024561414 shows up as "The White House"

Just for fun i went ahead and verified 2024561414 with the demo of this thing. It gave me a nice little check mark showing that I was definitely the White House

1 more reply

nmjohn10y ago

Basically, because there is no verification/validation surrounding caller id - https://en.wikipedia.org/wiki/Caller_ID_spoofing

1 more reply

lucaspiller10y ago

I switched to a different SIP provider as they were cheaper, but my number was still held at the old SIP provider and couldn't be ported. I explained the story and asked if they could 'virtually' add that number to my account so outgoing calls would come from that number. They just switched on the feature to enable me to set the caller id to anything as it was easier for them.

1 more reply

Buge10y ago

Some friends and I used to make prank calls with fake funny caller IDs using https://www.spoofcard.com/

amjd10y ago

Most VoIP providers let you use any number as the caller ID with a simple SMS verification. So, if you were to have access to someone's phone for a few minutes you could possibly verify it and use the number for making calls and sending text messages from the VoIP service.

I believe the SMS verification is something that companies use to avoid liability alone, technically they can use any number as the caller ID if they choose to.

tonymillion10y ago

I came here to say this exact thing.

I've worked in VOIP quite a bit, and even built a product based on the fact you can fake caller id over SIP i.e. "keep your number but lower your outgoing call rates"

kevindeasis10y ago· 8 in thread

Hi, there's a free phone verification using facebook. It's account kit.

https://developers.facebook.com/docs/accountkit/overview

What do you guys think?

chambo62210y ago

Similar to Twitter's Digits, which has been around for a while and seems quite popular. https://get.digits.com

everfree10y ago

Why is it free?

1 more reply

h43k3r10y ago

This seems interesting. Do you know of any app currently using this. I would like to quickly try it out before the hassle of setting it up myself.

kevindeasis10y ago

Sorry, I don't recall businesses using account kit. However, it's pretty easy to do a basic setup.

jaxondu10y ago

Its free up to 100K SMS per month. Can find any pricing detail from Facebook.

kevindeasis10y ago

Sorry, I forgot there was a limit.Good catch though!

k_10y ago

As great at this probably is, I don't think adding yet another dependency to facebook is a good thing.

I'm getting tired of services that only accept facebook users. Having a facebook login or any other facebook service requiring the user to be a facebook user is not bad in itself (and can be pretty useful), but it should _always_ have an alternative.

That's why I think projects like Dial2Verify Twilio are a great thing. They're still not perfect though, as some said here on HN.

siva789110y ago

Account Kit and Facebook Login are not linked. You can implement account kit independently.

patcheudor10y ago· 3 in thread

I may get down voted for this and so be it, this must be said. This is a prime example of creating what was intended to be a security feature without understanding the threat landscape. I just tested it, and it's 100% vulnerable to caller ID spoofing. In 2016, caller ID spoofing is as simple as downloading an iPhone app and spending $30 for a bunch of minutes.

The problem is, a lot of people will find this cool and will also not evaluate the threat landscape. In fact, it's even worse. They will assume the threat landscape has already been evaluated. The code is out there, so it must be good. They will then implement this into some "super duper secure" service which should require a far more security for user authentication. It will then take me 15 minutes of pulling my hair out in a security review to explain to whomever implemented it that it offers no security. The team will walk away from our meeting wondering if I was just trolling them and ask how their entire team could have made this mistake. They will then come to the conclusion they are smart and I must be wrong. They'll then call me back to explain again, at which point I'll take them through a full video demonstration with their VP of operations on the call. This time they will actually "get it" because they saw it exploited on video. Their VP of operations will then fire the project manager and lead developer and I'll feel like shit for being responsible for the termination of two careers.

bpchaps10y ago

Not to mention that it's incredibly inconvenient if you don't carry a phone, or if you lost it. I tried to signup for airbnb this weekend while traveling, but wasn't even able to go through the verification process without a physical phone. Zero alternatives for verification and even trying google voice (my main 'phone' provider) wasn't good enough. Sure, I could've borrowed someone's phone for a second, but isn't that the sort of thing these systems are supposed to guard against? I don't get it.

Another example - you can't use uber on a desktop without going to m.uber.com last I checked. There's no way to order trasnportation without that m. (why!)

Another - gmail. You either need another email or a phone, and at the time, neither were possible. (why!!)

For tons of reasons, I just don't like having a phone in my pocket 24/7/365. Mostly, I just enjoy the peace of mind of being unreachable. I've been oncall for years, but that oncall vibe is extending more and more into social situations, for the worse. I hate it. Devs - PLEASE account for those like me! I'm really tired of people telling me (accurately :(.) "You wouldn't have these issues if you had a phone." on account of your laziness or lack of awareness for sensible security.

patcheudor10y ago

I have a shocking number of burner phones driven by the need to register for stuff which requires phone-call validation of identity. Of course every one of those phones was purchased in cash while wearing a hoodie and sunglasses, after parking in a nearby neighborhood and walking to the store.

Note, I'm not a criminal, I just play one in my day job.

1 more reply

patmcguire10y ago

Wow, working in security sounds awful.

neil_s10y ago· 2 in thread

Haha, this is the digital version of the Indian phenomenon of 'missed calls', used as 1-bit 0-cost notification mechanism. It's become such a cultural artifact, that big companies are now advertising numbers you can 'missed call' and get a callback from.

https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecos...

koolba10y ago

It's not Indian specific either. I've seen it in a number of places throughout the world. It works anywhere that does not charge to receive calls (i.e. any sane place outside of the U.S.A.) as long as the caller doesn't get billed for cancelling.

You can get more than 1-bit of information as well if you sync the clock on your phone with the recipient. That gives you approximately 3.3 bits of information if you use the minute modula 10. This only works if you previously agree upon a meaning for values (Mod 0: Yes, Mod 5: No, etc).

jdeibele10y ago

Those of us old enough to remember AT&T before the breakup probably had a similar system with our parents. Call, let it ring once and hang up. Repeat. Wait for mom to call you on the family phone.

jldugger10y ago· 2 in thread

So... Twilio adjusts their pricing in 3... 2... 1...

rizwank10y ago

Twilio likes makes revenue on inbound, or enough breakage on the $1 to not have it be an issue. This is a perfectly legit usage of the number.

BinaryIdiot10y ago

Na though I wouldn't be surprised if they add an API to verify phone numbers.

DDickson10y ago· 1 in thread

So you can only verify, at best, one user every 90 seconds?

Also, I have to assume Twilio would look at this as a form of abuse.

ntauthority10y ago

This doesn't reserve the incoming number for just that user (given that one has to enter their phone number beforehand), but while the user is using the line, other users most likely wouldn't be able to call either (though it might be Twilio handles this as well and sends a status message anyway - as even cell carriers seem able to notify users of incoming calls while being in a call already).

therealidiot10y ago· 1 in thread

Can people just stop with this whole verify-by-phone thing?

beefhash10y ago

Can people just stop with this whole spam-every-website-to-death thing?

They can't, that's why there's an ever-increasing amount of verification.

subinsebastien10y ago· 1 in thread

Again, nothing new. I have already implemented this on my app here : https://play.google.com/store/apps/details?id=in.xtel.quitq.... using Twilio alone. But, twilio is not completely free.

OJFord10y ago

Well done. But you didn't blog about it, or release that part of your app as a standalone library. You also didn't (couldn't) patent it - it doesn't need to be new to be interesting and valuable to HN readers.

Matt3o12_10y ago

Are you willing to make international users pay up to 80¢ per verification? If someone cancels a call, I still have to pay for one minute (it's only free if I cancel the call). So if I were to call any American number that hung up on me, I have to pay 80¢ (USD dollar cents of course).

Just pay the 0.02¢ or whatever phone services charge these days. If your business is actually big enough to have to worry about phone verification, do it right. Users don't like to call your number since they don't know the costs associated with it (especially international users). Furthermore, it makes number spoofing much harder.

ntauthority10y ago

Would 'rejecting' the call result in the calling user's operator billing them, though? This is a major concern with international usage, given phone providers' tendency to... overcharge for what's technically VoIP usage.

The classical text message verification schemes barely have this issue in most of the world as the recipient pays nothing, but of course the sender gets billed instead.

faizmokhtar10y ago

This is pretty cool hack. Great job OP!

cia4862179310y ago

However isn't it considered a kind of exploit? Twilio never intended users to waste their VoIP traffic.

Could we also do phone verification at no cost, however instead by outbound call? Is there any free/paid host providing such service?

j / k navigate · click thread line to collapse

62 comments

39 comments · 12 top-level

gst10y ago· 9 in thread

reitanqild10y ago

This has been the case since I was a kid. My dad told me that I could verify[0] the identity of a caller by calling back to a number that was known to belong to the entity in question.

[0]: for some level of security. My father was a farmer at that time and I know he wasn't talking about a nation state adversary ;-)

ma2rten10y ago

Yeah, this should be common knowledge.

wfunction10y ago

At the risk of sounding like I'm actually going to abuse this capability... if it's done "relatively easily", how is this done?

finnn10y ago

Just for fun i went ahead and verified 2024561414 with the demo of this thing. It gave me a nice little check mark showing that I was definitely the White House

1 more reply

nmjohn10y ago

Basically, because there is no verification/validation surrounding caller id - https://en.wikipedia.org/wiki/Caller_ID_spoofing

1 more reply

lucaspiller10y ago

1 more reply

Buge10y ago

Some friends and I used to make prank calls with fake funny caller IDs using https://www.spoofcard.com/

amjd10y ago

I believe the SMS verification is something that companies use to avoid liability alone, technically they can use any number as the caller ID if they choose to.

tonymillion10y ago

I came here to say this exact thing.

I've worked in VOIP quite a bit, and even built a product based on the fact you can fake caller id over SIP i.e. "keep your number but lower your outgoing call rates"

kevindeasis10y ago· 8 in thread

Hi, there's a free phone verification using facebook. It's account kit.

https://developers.facebook.com/docs/accountkit/overview

What do you guys think?

chambo62210y ago

Similar to Twitter's Digits, which has been around for a while and seems quite popular. https://get.digits.com

everfree10y ago

Why is it free?

1 more reply

h43k3r10y ago

This seems interesting. Do you know of any app currently using this. I would like to quickly try it out before the hassle of setting it up myself.

kevindeasis10y ago

Sorry, I don't recall businesses using account kit. However, it's pretty easy to do a basic setup.

jaxondu10y ago

Its free up to 100K SMS per month. Can find any pricing detail from Facebook.

kevindeasis10y ago

Sorry, I forgot there was a limit.Good catch though!

k_10y ago

As great at this probably is, I don't think adding yet another dependency to facebook is a good thing.

That's why I think projects like Dial2Verify Twilio are a great thing. They're still not perfect though, as some said here on HN.

siva789110y ago

Account Kit and Facebook Login are not linked. You can implement account kit independently.

patcheudor10y ago· 3 in thread

bpchaps10y ago

Another example - you can't use uber on a desktop without going to m.uber.com last I checked. There's no way to order trasnportation without that m. (why!)

Another - gmail. You either need another email or a phone, and at the time, neither were possible. (why!!)

patcheudor10y ago

Note, I'm not a criminal, I just play one in my day job.

1 more reply

patmcguire10y ago

Wow, working in security sounds awful.

neil_s10y ago· 2 in thread

https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecos...

koolba10y ago

jdeibele10y ago

Those of us old enough to remember AT&T before the breakup probably had a similar system with our parents. Call, let it ring once and hang up. Repeat. Wait for mom to call you on the family phone.

jldugger10y ago· 2 in thread

So... Twilio adjusts their pricing in 3... 2... 1...

rizwank10y ago

Twilio likes makes revenue on inbound, or enough breakage on the $1 to not have it be an issue. This is a perfectly legit usage of the number.

BinaryIdiot10y ago

Na though I wouldn't be surprised if they add an API to verify phone numbers.

DDickson10y ago· 1 in thread

So you can only verify, at best, one user every 90 seconds?

Also, I have to assume Twilio would look at this as a form of abuse.

ntauthority10y ago

therealidiot10y ago· 1 in thread

Can people just stop with this whole verify-by-phone thing?

beefhash10y ago

Can people just stop with this whole spam-every-website-to-death thing?

They can't, that's why there's an ever-increasing amount of verification.

subinsebastien10y ago· 1 in thread

Again, nothing new. I have already implemented this on my app here : https://play.google.com/store/apps/details?id=in.xtel.quitq.... using Twilio alone. But, twilio is not completely free.

OJFord10y ago

Matt3o12_10y ago

ntauthority10y ago

The classical text message verification schemes barely have this issue in most of the world as the recipient pays nothing, but of course the sender gets billed instead.

faizmokhtar10y ago

This is pretty cool hack. Great job OP!

cia4862179310y ago

However isn't it considered a kind of exploit? Twilio never intended users to waste their VoIP traffic.

Could we also do phone verification at no cost, however instead by outbound call? Is there any free/paid host providing such service?

j / k navigate · click thread line to collapse