anorlunda said:
No problem. You did nothing wrong. But if this thread continues to go in that direction, I'll move it to General Discussion.
Fair enough, Sir; the following, I hope, is back on topic:
This problem of fake human phone callers being used fraudulently seems to me to be similar in some ways to the problem of one-way authentication/validation/verification, where two-way would be appropriate. Websites can use captchas to ensure the user is human and not a bot; humans should be able to do something similar to a caller.
An example of the one-way-only problem is the fake ATM that collects the mag stripe data from a would-be user's card, prompts for the PIN, then says something like EID6049I LINK ERROR 02A3 EID6051I LOCAL SYSTEM RESET 012B and then re-displays the welcome screen. The fake ATM collects card data and PINs, and the operator then removes it, and uses the data to make counterfeit cards, which he can then use, along with the PINs, to steal money.
A remedy for this would be a protocol by which your name was not encoded on the card, and the welcome screen displays your name by consulting the bank's records, and if it doesn't display your name, you can call the hotline number on the card and report it, instead of entering your PIN.
Similarly, to prevent machines from fraudulently pretending to be human, we could use ringback protocols in the reverse direction. The original use of ringback protocols was for a computing machine user connecting via modem from an offsite location. The user would call a number for the switch, and the switch would present an authentication dialog, and then the switch would ring back the authenticated user, who would then complete a repeat of the authentication dialog, this time with the switch having made an outgoing call.
A reverse example: if I get a call, ostensibly from a person, who says he's an FBI field agent in Chicago, I can ask him which field office published number I can call him back at, from which the switchboard operator there can route the callback to him. That's 2-way authentication: the FBI knows it's me because the agent called my listed number, and I know it's the FBI because I called back and got the same agent, who acknowledged having just called me.
That might seem a bit much, but before you give out your credit card numbers over the phone, you should at least be able to ensure that the caller is an authorized representative of the entity with which you're trying to do business, and with bots being able to successfully pretend to be human, and the attendant ramp-up in the possible number of phishing calls, we'll have to do something about it; establishing two-way protocols is a reasonable stop-gap measure -- devising human-presentable Turing tests that are very hard for machines to pass and easy for humans is something that we may soon have to get used to.
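The modem ringback login described in the post above, sketched as an added example that is not part of the original thread. The `Switch` and `Subscriber` classes, the phone numbers and the password are constructed for illustration, and the model assumes a subscriber completes the second dialog only if they had just dialed in themselves.

```python
import hashlib
import hmac
import os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Subscriber:
    """Person at a registered number; completes a ringback only if they just dialed in."""
    def __init__(self, password):
        self.password, self.expecting = password, False
    def answer(self):
        ok, self.expecting = self.expecting, False
        return self.password if ok else None

class Switch:
    def __init__(self, lines):
        self.lines = lines   # number -> Subscriber (stands in for the phone network)
        self.users = {}      # user -> (salt, password hash, registered number)
        self.dialed = []     # every number the switch rang back
    def enroll(self, user, password, number):
        salt = os.urandom(16)
        self.users[user] = (salt, _kdf(password, salt), number)
    def _check(self, user, password):
        if user not in self.users or password is None:
            return False
        salt, stored, _ = self.users[user]
        return hmac.compare_digest(stored, _kdf(password, salt))
    def login(self, user, password, calling_from):
        if not self._check(user, password):       # dialog on the inbound call
            return "rejected: bad credentials"
        number = self.users[user][2]              # calling_from is never trusted
        self.dialed.append(number)
        party = self.lines.get(number)            # switch hangs up and rings back
        if party is None or not self._check(user, party.answer()):
            return "rejected: ringback dialog failed"
        return "connected"

def demo():
    alice = Subscriber("correct horse")           # constructed sample data
    switch = Switch({"555-0100": alice})
    switch.enroll("alice", "correct horse", "555-0100")
    alice.expecting = True                        # Alice dials in herself
    legit = switch.login("alice", "correct horse", "555-0100")
    # Someone holding the stolen password dials in from a different line
    stolen = switch.login("alice", "correct horse", "555-0199")
    return legit, stolen, switch.dialed

if __name__ == "__main__":
    print(demo())
```

The second attempt passes the inbound dialog but still fails, because the outgoing call goes to the enrolled number rather than to the line the caller used.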