Random IVR code

Stewart1 · February 9, 2020, 2:49am

Any complex challenge will cause some potential customers to give up or go to a competitor.

IMO the attacker is very unlikely to customize his robot for you, so experiment until you find a simple defense that works.

First, set up a whitelist so your existing customers are not bothered by this nonsense.

Then, try some simple stuff e.g. “For Sales, please press Pound.” If the robot doesn’t, you’re done. If it does, try something else.

If you are still having trouble, please post a recording of one of the attacker’s calls, as well as what you have learned about the pattern of caller IDs he’s using.

dicko · February 9, 2020, 4:57am

Whitelist added to my ‘nonsense’ A successful question and answer session takes all of 15 seconds, so not too obnoxious (and certainly not complex). You can wrap those couple of “DB” lines around any other “Intrusion detection system” you want to make it a one-time only thingy :-

[bender-blocker-whitelist-and-google-tts]
exten =>  s,1,noop(Google Cloud STT and whitelist)
same => n,GotoIf($[${ISNULL(${DB(whitelist/${CALLERID(num)})})}]?:ok); are they whitelisted yet
same => n,Set(loop=0)
same => n,Set(prefix=${EPOCH})
same => n(loop),Playback(custom/screening)
same => n,Record(/tmp/${prefix}number.wav,2,3)
same => n,Set(voice=${SHELL(gcloud ml speech recognize /tmp/${prefix}number.wav --language-code='en-US'|sed -n -e  '/transcript/p'|sed  -e 's/[^0-9]*//g' -e 's/.*\([0-9]\{2\}$\)/\1/'|tr -d '\n')})
same => n,GotoIf($[ ${LEN(${voice})}  < 2 ]?invalid)
same => n,Read(keypad,custom/verify,2,,,2)
same => n,GotoIf($["${voice}" = "${keypad}"]?addwhitelist) ;  did they pass the password check?
same => n(invalid),PlayBack(custom/wronganswer)
same => n(break),Set(loop=$[${loop}+1])
same => n,GotoIf($["${loop}"="3"]?finish:loop)
same => n(finish),Playback(sorry-youre-having-problems)
same => n,Hangup()
same => n(addwhitelist),Set(DB(whitelist/${CALLERID(num)})=OK) ; ok they passed the  one-time nonsense, whitelist this number
same => n(ok),goto(from-pstn,${FROM-DID},1) ' ; this is where the good-guys get to go. It could be a QUEUE or an IVR of course

To preemptively add granny’s number (555-222-1234) so she doesn’t need to go through this pain

rasterisk -x "database put whitelist  5552221234 Granny"

Suggested content of custom/screening.wav “This is Robocallcop, just once I ask you to say a number between 11 and 99”

Suggested content of custom/verify.wav “Thank, you, now please enter that same number on your dialpad”

Suggested content of custom/wronganswer.wav " Sorry, Invalid response"

All done in your best RoboCop voice of course.

Bufuair · February 12, 2020, 11:48am

Hey ,

Is there any way to have the read function active while the numbers are playing ? I’ve noticed alot of people tend to start typing while the code is playing …
I moved the read function before the SayDigits but obviously that didn’t work
As always any input is very much appreciated.

comtech · February 12, 2020, 2:35pm

Prerecord all of the potential messages (don’t use say digits), make the read command include a variable that will reference the correct custom recording based on the randomizer. This will allow the correct message to be played, and allow for interruption.
Use a TTS program (Polly, Google, MSOFT, etc.) to build a custom recording on the fly with the same variable name. Insert that into the read command. This is more complex, but will let you prompt for whatever random string you like while still being able to interrupt.
Break your recording into pieces and arrange them at a cadence that they don’t hear what to press until the end (say digits at the very end). This will not fix the interruption issue, but may limit the issue.

dicko · February 12, 2020, 3:56pm

Robocallers can easily send dtmf tones, and apparently are using AI to infer what to send to bypass your ivr, but if instead you ask “what color is the sky/grass/your eyes?” or similar easily defined question/answer which of course can be randomized, STT can quite easily decide if the caller both replied and did so somewhat sensibly, no key presses needed. Add the whitelisting.

The effort of getting STT working is well rewarded, not just for this but more generally for voicemail transcription and at a greater cost monitor file transcriptions.