Spam Calls and Enumeration

I love speaking to telemarketers. It's a game really. I like to see how long I can keep them on the line before they hang up in frustration. The key is to not be an overt jerk and string them along like you want to be part of their program but just can't grasp what they need from you. Or offer a problem that they just can't get around. For instance, not being able to grasp the difference between a debit account and a credit account when credit card debt consolidators call. Another favorite is explaining that I live on an overgrown wooded lot and agreeing to purchase solar cells if the company will remove the five mature oak trees on my property.

Sometimes this game has unintended beneficial consequences. The vehicle warranty callers are relentless and I had been telling them that I have various vehicles and couldn't understand what vehicle they wanted to offer an extended warranty. They don't know what vehicle you own when they first call so their script offers a little social engineering attempting to get you to mention the make and model of your vehicle. I would try to keep them on the line as long as possible without ever mentioning a specific vehicle. Eventually, the caller would hang up. But someone else always called back. Sometimes the next day.

Recently one caller slipped and asked what vehicle I owned that was between the model years of 2012 and 2019. I guess the actual company behind the calls realizes there is no need to offer an extended warranty on a new vehicle that already has a valid warranty. Or one that is too old and will be a sure claim.

So, I told the next caller that I owned a 2021 Tesla to see how he handled the new model year. To my surprise, it wasn't the year that stymied him. It was the vehicle. The caller said, “Oh, we can't offer a warranty on a Tesla. I'll remove you from the list.” And then he hung up.

The next time you get a call offering an extended vehicle warranty tell the caller you own a new Tesla. Maybe the caller will be diligent and remove your number from the list.

I told that anecdote during a zoom meeting with a group of fraud investigators. One attendee suggested that you should never answer such calls because doing so validates the number and the telemarketers will share your phone numbers with others. Essentially, compounding the number of telemarketing calls you receive. Not wanting to embarrass my colleague, I accepted the comment and moved the conversation along. But that advice doesn't hold water... accepting the call doesn't validate your phone number as a real number. The number will be validated as legitimate whether your answer it or not!

What happens if you don't answer the call? It will eventually be answered by the phone system, either the voice message system or the phone company robot advising the caller that the called person (a) doesn't have a voice message system set-up or (b) isn't accepting phone calls at the time. Even a call that rings endlessly still tells the caller that a phone number is a live number. Calls to phone numbers that are not assigned to a subscriber are answered by the system notifying the caller as such. Usually with some nasty tones and a message like “This number is no longer in service”.

The telemarketer is going to know that my phone number is valid regardless. The vulnerability is the system, not my response. In the world of web applications, this is known as a user enumeration vulnerability and is often exploited by attackers attempting to circumvent password-validated logins. The exploit occurs when the threat actor can confirm a user exists on a system based on how the system reacts to a failed login attempt. For instance, a threat actor goes to the login page for a web service and enters the username of “Matt500” and a password of “Password1”. The server is going to react differently depending on the validity of the entry. Access to the system will be granted if the credentials are wholly valid which is a win for the hacker. But a failed login can be just as beneficial if the server is not configured correctly. Contrast the failure message of “User Does Not Exist” compared to “Password is Incorrect”. A notice that the username doesn't exist tells the hacker that the combination is completely wrong and they should move on, but the notice of an incorrect password tells the hacker that the entered username is valid on the system and they just need to figure out the password. A correctly configured server will provide an ambiguous failure notice such as “The Username Or Password is Incorrect” so that the attacker doesn't know which item was wrong.

A call ringing through to my voice message tells the spam caller that the phone number is valid and it will remain on the “Known Good” numbers list. As will the call being answered by the phone system's robot. The only response that may get your number removed from the list is the phone company auto-message advising the number has been disconnected and is no longer assigned to a user.

Go ahead and answer the spam call and have fun, or not, the result will be the same – you'll be getting another call soon.