I may get downvoted for this and so be it, this must be said. This is a prime example of creating what was intended to be a security feature without understanding the threat landscape. I just tested it, and it's 100% vulnerable to caller ID spoofing. In 2016, caller ID spoofing is as simple as downloading an iPhone app and spending $30 for a bunch of minutes.

The problem is, a lot of people will find this cool and will also not evaluate the threat landscape. In fact, it's even worse. They will assume the threat landscape has already been evaluated. The code is out there, so it must be good. They will then implement this into some "super duper secure" service which should require far more security for user authentication. It will then take me 15 minutes of pulling my hair out in a security review to explain to whoever implemented it that it offers no security. The team will walk away from our meeting wondering if I was just trolling them and ask how their entire team could have made this mistake. They will then come to the conclusion they are smart and I must be wrong. They'll then call me back to explain again, at which point I'll take them through a full video demonstration with their VP of operations on the call. This time they will actually "get it" because they saw it exploited on video. Their VP of operations will then fire the project manager and lead developer and I'll feel like shit for being responsible for the termination of two careers.
It's relatively easy to change/fake the caller ID of phone calls so unfortunately this approach isn't really secure. That's why phone number verification usually places an outgoing call, to verify that you're actually able to receive calls on that number.
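The contrast drawn in the comment above, as an added example that is not part of the thread or any commenter's code: a caller-ID match next to an outbound challenge that only the line that actually rings can answer. The `deliver` callback is a hypothetical stand-in for a telephony provider's outbound call or SMS API, and the expiry and attempt limits are assumed policy values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy values, not taken from the thread
MAX_ATTEMPTS = 3


def verify_by_caller_id(claimed_number, inbound_caller_id):
    """Weak pattern criticised in the thread: caller ID is supplied by the
    calling side, so a match proves nothing about who placed the call."""
    return claimed_number == inbound_caller_id


class OutboundVerifier:
    """Challenge sent by an outbound call/SMS to the claimed number."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # hypothetical callback: deliver(number, code)
        self._clock = clock
        self._pending = {}        # number -> [code, expires_at, attempts_left]

    def start(self, number):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, 6 digits
        self._pending[number] = [code, self._clock() + CODE_TTL_SECONDS,
                                 MAX_ATTEMPTS]
        self._deliver(number, code)   # only the line that rings gets the code

    def check(self, number, submitted):
        entry = self._pending.get(number)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[number]   # expired or guessing budget used up
            return False
        entry[2] -= 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[number]   # single use
            return True
        return False
```
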
Hi,
there's a free phone verification using Facebook.
It's Account Kit.

https://developers.facebook.com/docs/accountkit/overview

What do you guys think?
Are you willing to make international users pay up to 80¢ per verification? If someone cancels a call, I still have to pay for one minute (it's only free if I cancel the call). So if I were to call any American number that hung up on me, I have to pay 80¢ (USD dollar cents of course).

Just pay the 0.02¢ or whatever phone services charge these days. If your business is actually big enough to have to worry about phone verification, do it right. Users don't like to call your number since they don't know the costs associated with it (especially international users).
Furthermore, it makes number spoofing much harder.
Haha, this is the digital version of the Indian phenomenon of 'missed calls', used as a 1-bit, 0-cost notification mechanism. It's become such a cultural artifact that big companies are now advertising numbers you can 'missed call' and get a callback from.

https://gigaom.com/2011/12/13/indias-missed-call-mobile-ecosystem-2/
Would 'rejecting' the call result in the calling user's operator billing *them*, though? This is a major concern with international usage, given phone providers' tendency to... overcharge for what's technically VoIP usage.

The classical text message verification schemes barely have this issue in most of the world as the *recipient* pays nothing, but of course the sender gets billed instead.
However, isn't it considered a kind of exploit? Twilio never intended users to waste their VoIP traffic.

Could we also do phone verification at no cost, however instead by outbound call? Is there any free/paid host providing such a service?
Again, nothing new. I have already implemented this on my app here: https://play.google.com/store/apps/details?id=in.xtel.quitq.app using Twilio alone. But Twilio is not completely free.