October 10, 2007 11:08 AM PDT

Fake caller ID: Fun, legal and easy to do

by Chris Soghoian

Caller ID information is not to be trusted. Judging by the reactions I've gotten from colleagues and friends recently after they've been the victims of spoofed-ID demonstrations, it's not common knowledge that caller ID information, primarily the phone number that often appears on the recipient's telephone display, can be easily faked. Best of all for the mysterious caller, it's not illegal in the U.S. (except in cases where fraud occurs). Calls for the purpose of amusement or revenge are perfectly legal.

This phone is tapped.

(Credit: Andrew McConachie)

With the help of easy-to-use Internet calling card services, it's possible to call up your friends, and have the originating caller number be something completely different, say, the White House switchboard (202-456-1414). For many of the services, it's as simple as punching in three phone numbers: your own number, your pal's number, and the number you want to show up on their phone's display when you call.

The calling card companies providing these services charge a fair bit--approximately 60 minutes of calls for $10. One of the major firms, SpoofCard, is nice enough to let users try their service out for free--two minute calls can be initiated for free from the company's Web site. For those of you doing the home-brew VOIP thing using an Asterisk server at home, faking your Caller ID information is as simple as editing a configuration file.

Being able to change the originating call number can actually be really useful--for the bad guys.

Many voice mail systems do not prompt you for a PIN or password when you appear to be calling from the number associated with that voice mail account. Some credit card companies require that new cards be activated upon receipt by calling up an automated phone system from the cardholder's home phone number. Many people screen their calls, looking first at the display before deciding if they will pick up the phone. Such people can be tricked into picking up the phone by someone who would ordinarily get ignored. Caller ID spoofing is a priceless technique when conducting social engineering or industrial espionage. Being able to call someone else in a company and have the number come up as an internal office phone number can make it much easier to pretend to be "Bob from accounting."
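
The voice mail weakness described above, as an added example (not code from the article or from any real voice mail product): a mailbox check that treats a matching caller ID as proof of identity, beside a version that always requires the PIN. The `Mailbox` and `InboundCall` types, the lockout threshold and the 555 numbers are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_PINS = 3  # assumed lockout threshold, not from the article

@dataclass
class Mailbox:
    owner_number: str
    pin: str  # kept in clear for brevity; a real system stores a salted hash
    failed_attempts: int = 0

@dataclass
class InboundCall:
    caller_id: str  # set by the calling side, unauthenticated
    entered_pin: Optional[str] = None  # digits keyed in, if any

def weak_grant(call: InboundCall, box: Mailbox) -> bool:
    """Pattern the article describes: a matching caller ID skips the PIN."""
    if call.caller_id == box.owner_number:
        return True
    return call.entered_pin == box.pin

def hardened_grant(call: InboundCall, box: Mailbox) -> bool:
    """Caller ID is never a credential: PIN always required, with lockout."""
    if box.failed_attempts >= MAX_FAILED_PINS:
        return False  # locked until reset through another channel
    pin = call.entered_pin or ""
    if pin and hmac.compare_digest(pin, box.pin):
        box.failed_attempts = 0
        return True
    box.failed_attempts += 1
    return False

def demo() -> dict:
    box = Mailbox(owner_number="+12025550100", pin="4831")  # constructed values
    spoofed = InboundCall(caller_id="+12025550100")  # number matches, no PIN
    owner_away = InboundCall(caller_id="+12025550199", entered_pin="4831")
    return {
        "weak_spoofed": weak_grant(spoofed, box),
        "hardened_spoofed": hardened_grant(spoofed, box),
        "hardened_owner_away": hardened_grant(owner_away, box),
    }

if __name__ == "__main__":
    print(demo())
```

In the hardened version the displayed number can still be logged or used to raise an alert, but it never changes the access decision.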

Anonymous

(Credit: Doublebug / Flickr)

Using a fake caller ID service, it should be possible for a motivated criminal to stalk someone, listen to their voice mail and then activate a credit card stolen from the victim's mailbox. Creepy stuff.

So what about the law? Caller ID spoofing services do not appear to violate any federal criminal law, according to an interview published with Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," said Kerr.

Congress attempted to pass legislation earlier in 2007 making it illegal to spoof caller ID. The bill, The Truth in Caller ID Act of 2007, sailed through the House of Representatives but has yet to make it through the Senate. The law would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempt from the rule.

Ma Bell: Got the ill communication

(Credit: TheTallest / Flickr)

With the legislation apparently stalled at the federal level, some states have begun to pass their own laws. According to USA Today: "Florida Gov. Jeb Bush signed a law banning commercial telemarketers from using ID spoofing. Violators can be fined up to $10,000 per incident. Alaska and New York have considered anti-spoofing legislation. Delaware has no law that specifically bars people from misrepresenting their name and number on the recipient's caller ID. If done for commercial purposes, however, the practice could be treated as a violation of the state's Deceptive Trade Practices Act or the Consumer Fraud Act, says Barbara Gadbois, who directs the Consumer Protection Unit of the Delaware Attorney General's Office. Extracting personal information that is then used to steal money or commit another crime is a felony punishable by up to eight years in prison, Gadbois says."

Even the state laws that have been proposed only ban the commercial use of caller ID spoofing and cases of fraud. The use of such services by individuals for amusement or revenge is still perfectly legal. Thus, until the feds can agree upon and pass stronger legislation, fake caller ID is here to stay.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Who would've known?
by zariyahakik October 10, 2007 10:51 AM PDT
This is pretty amazing. Who would've known that making calls based on amusement is legal.
Bad for legitimate charities, good for criminals!
by ChimericPhantom October 10, 2007 7:43 PM PDT
I just answered a telephone call from one of the police youth charities. If ID can be legally spoofed, what will happen to legitimate charities? We need to fight this legally and make use of such software illegal. First it was mail fraud by mail order magazines; then it was telemarketing fraud, that is related to how I lost my job, it was due to others misrepresenting themselves; now it's a new form of telephone ID fraud. I am antsy now about answering my phone. How would you feel if you gave your credit card info over the phone to someone who was impersonating your favorite charity? It's bad enough with phishing and especially with re-directed sites where the server brings up the wrong page! How are we to protect ourselves from bad people?
by phidelta1 February 18, 2009 2:37 AM PST
Are you telling me you are in the habit of giving out your credit card information to people that call you?
If so, can you give me your number?

Point is: It is never safe to give someone credit card information over the phone if you did not originate the call. Even if you did originate the call it is questionable if handing out sensitive information is safe. If someone asked you to call for that purpose (by mail, phone, email, ...) and provided you with the phone number to call you can also assume that this is unsafe. The only time it would be "reasonably" safe (for any value of reasonably) is when you received the phone number you are calling independently (such as going into your bank and asking for their number and then using that for the event that they ask you to call them).

Caller ID spoofing just does not matter at all. If you have even half way reasonable security behavior, you did not trust caller id to begin with.
ANI vs. Caller ID
by nbarnard42 October 11, 2007 6:54 AM PDT
Christopher,
You've jumbled a bunch of different telephone services under the banner of Caller ID.

I think the important service you're missing is ANI, automatic number
identification. This is provided to companies with 1-800 numbers, and as far
as I understand is more difficult to spoof. (Admittedly, I don't know how IP
telephony interfaces to provide an ANI.) This would more than likely close or
at least limit the credit card activation hole.

In short this is a little alarmist.
Fake caller ID: Fun, legal and easy to do
by fishfry001 October 22, 2007 3:28 PM PDT
This should be illegal, period. There's no justification to have something that will be so sorely abused by criminals, just so someone can have some "fun" with this capability. The negatives far outweigh anything positive about this technology. I say ban it for good.
by dsarokin January 15, 2008 11:39 AM PST
There's a pretty good overview of computer crime from Google Answers:

http://answers.google.com/answers/threadview?id=555871

though it's mostly about corporate crime. Still, it's pretty intriguing reading.
by nukemdomis December 7, 2008 5:17 PM PST
Always be careful when answering the phone and never rely on your caller ID because anyone can change theirs. Be careful because there are many people disguising their voice from 'voice changer websites'.