Spoofing Warning #1
Comments
|
It also means any bad actors can verify phone numbers. Only way to prevent that is to place a call/text to them with a code or similar. |
|
With enough numbers (10k+), one could initiate a call from twilio and request user to enter the phone number or just return the call. |
|
That would cost thousands of dollars! |
|
Oh, scratch that. Spoof a number, leave a missed call, ask user to enter. Twilio does not officially support it, but maybe other services do and don't charge for making a missed call. SpoofCard.com: «Timing on calls begins when your call is connected» |
|
In Malaysia, customize caller ID is not allowed, telcos are forced to display the real number to receiver (usually in SMS, but not sure if it apply to phone call as well). Maybe this will do if Twilio provide phone number from Malaysia or other country which have similar regulation. |
|
I think this is a great start, in the sense that at the least you got a phone number from the user and you are able to "verify" a call from that number was made. I will also implement a second step, send the user an sms with code so the user can confirm. Will be forking an playing around with some posibilities. But CID spoofing is very real, no matter what telco you have if you know what you are doing. |
and others
Granted that nowhere in your README do you use the words "authentication", it's still probably a good idea to note in the README that this isn't meant to be a form of secure authentication, as it's trivially easy for Bad Guys to spoof caller ID.
The text was updated successfully, but these errors were encountered: