October 10, 2007 11:08 AM PDT

Fake caller ID: Fun, legal and easy to do

Caller ID information is not to be trusted. Judging by the reactions I've gotten from colleagues and friends recently after they've been the victims of spoofed-ID demonstrations, it's not common knowledge that caller ID information, primarily the phone number that often appears on the recipient's telephone display, can be easily faked. Best of all for the mysterious caller, it's not illegal in the U.S. (except in cases where fraud occurs). Calls for the purpose of amusement or revenge are perfectly legal.

This phone is tapped.

(Credit: Andrew McConachie)

With the help of easy-to-use Internet calling card services, it's possible to call up your friends, and have the originating caller number be something completely different, say, the White House switchboard (202-456-1414). For many of the services, it's as simple as punching in three phone numbers: your own number, your pal's number, and the number you want to show up on their phone's display when you call.

The calling card companies providing these services charge a fair bit--approximately 60 minutes of calls for $10. One of the major firms, SpoofCard, is nice enough to let users try their service out for free--two-minute calls can be initiated for free from the company's Web site. For those of you doing the home-brew VOIP thing using an Asterisk server at home, faking your Caller ID information is as simple as editing a configuration file.

Being able to change the originating call number can actually be really useful--for the bad guys.

Many voice mail systems do not prompt you for a PIN or password when you appear to be calling from the number associated with that voice mail account. Some credit card companies require that new cards be activated upon receipt by calling up an automated phone system from the cardholder's home phone number. Many people screen their calls, looking first at the display before deciding if they will pick up the phone. Such people can be tricked into picking up the phone by someone who would ordinarily get ignored. Caller ID spoofing is a priceless technique when conducting social engineering or industrial espionage. Being able to call someone else in a company and have the number come up as an internal office phone number can make it much easier to pretend to be "Bob from accounting."
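The voice mail behaviour described above, as an added example (not code from the article or from any vendor): a mailbox that skips the PIN on a caller ID match, next to one that ignores caller ID for authentication. The phone numbers, PIN, lockout threshold and function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold, not from the article

@dataclass
class Mailbox:
    number: str      # subscriber's line
    salt: bytes
    pin_hash: bytes  # PBKDF2 hash of the PIN
    failures: int = 0

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def hardened_policy(box: Mailbox, caller_id: str, pin: Optional[str]) -> str:
    """caller_id is deliberately unused: it is display data, not a credential."""
    if box.failures >= MAX_FAILURES:
        return "locked"
    if pin is None:
        return "pin_required"
    if hmac.compare_digest(hash_pin(pin, box.salt), box.pin_hash):
        box.failures = 0
        return "granted"
    box.failures += 1
    return "denied"

def legacy_policy(box: Mailbox, caller_id: str, pin: Optional[str]) -> str:
    """Behaviour the article describes: a matching caller ID skips the PIN."""
    if caller_id == box.number:
        return "granted"
    return hardened_policy(box, caller_id, pin)

def compare_policies():
    """Run constructed call attempts through both policies."""
    number, salt = "+15555550100", b"constructed-salt"
    pin_hash = hash_pin("4821", salt)
    attempts = [  # (label, presented caller ID, PIN entered), all constructed
        ("owner, own line, no PIN", number, None),
        ("other party presenting owner's number, no PIN", number, None),
        ("owner, different line, correct PIN", "+15555550199", "4821"),
        ("unknown line, wrong PIN", "+15555550142", "0000"),
    ]
    rows = []
    for label, caller_id, pin in attempts:
        old = legacy_policy(Mailbox(number, salt, pin_hash), caller_id, pin)
        new = hardened_policy(Mailbox(number, salt, pin_hash), caller_id, pin)
        rows.append((label, old, new))
    return rows
```

The first two attempts reach the system as identical inputs, which is why the legacy policy cannot tell the owner from anyone else presenting the same number.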

Anonymous

(Credit: Doublebug / Flickr)

Using a fake caller ID service, it should be possible for a motivated criminal to stalk someone, listen to their voice mail and then activate a credit card stolen from the victim's mailbox. Creepy stuff.

So what about the law? Caller ID spoofing services do not appear to violate any federal criminal law, according to an interview published with Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," said Kerr.

Congress attempted to pass legislation earlier in 2007 making it illegal to spoof caller ID. The bill, The Truth in Caller ID Act of 2007, sailed through the House of Representatives but has yet to make it through the Senate. The law would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempt from the rule.

Ma Bell: Got the ill communication

(Credit: TheTallest / Flickr)

With the legislation apparently stalled at the federal level, some states have begun to pass their own laws. According to USA Today: "Florida Gov. Jeb Bush signed a law banning commercial telemarketers from using ID spoofing. Violators can be fined up to $10,000 per incident. Alaska and New York have considered anti-spoofing legislation. Delaware has no law that specifically bars people from misrepresenting their name and number on the recipient's caller ID. If done for commercial purposes, however, the practice could be treated as a violation of the state's Deceptive Trade Practices Act or the Consumer Fraud Act, says Barbara Gadbois, who directs the Consumer Protection Unit of the Delaware Attorney General's Office. Extracting personal information that is then used to steal money or commit another crime is a felony punishable by up to eight years in prison, Gadbois says."

Even the state laws that have been proposed only ban the commercial use of caller ID spoofing and cases of fraud. The use of such services by individuals for amusement or revenge is still perfectly legal. Thus, until the feds can agree upon and pass stronger legislation, fake caller ID is here to stay.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
6 comments
Who would've known?
by zariyahakik October 10, 2007 10:51 AM PDT
This is pretty amazing. Who would've known that making calls based on amusement is legal.
Bad for legitimate charities, good for criminals!
by ChimericPhantom October 10, 2007 7:43 PM PDT
I just answered a telephone call from one of the police youth charities. If ID can be legally spoofed, what will happen to legitimate charities? We need to fight this legally and make use of such software illegal. First it was mail fraud by mail order magazines; then it was telemarketing fraud, that is related to how I lost my job, it was due to others misrepresenting themselves; now it's a new form of telephone ID fraud. I am antsy now about answering my phone. How would you feel if you gave your credit card info over the phone to someone who was impersonating your favorite charity? It's bad enough with phishing and especially with re-directed sites where the server brings up the wrong page! How are we to protect ourselves from bad people?
ANI vs. Caller ID
by nbarnard42 October 11, 2007 6:54 AM PDT
Christopher,
You've jumbled a bunch of different telephone services under the banner of Caller ID.

I think the important service you're missing is ANI, automatic number identification. This is provided to companies with 1-800 numbers, and as far as I understand is more difficult to spoof. (Admittedly, I don't know how IP telephony interfaces to provide an ANI.) This would more than likely close or at least limit the credit card activation hole.

In short this is a little alarmist.
Fake caller ID: Fun, legal and easy to do
by fishfry001 October 22, 2007 3:28 PM PDT
This should be illegal, period. There's no justification to have something that will be so sorely abused by criminals, just so someone can have some "fun" with this capability. The negatives far outweigh anything positive about this technology. I say ban it for good.
by dsarokin January 15, 2008 11:39 AM PST
There's a pretty good overview of computer crime from Google Answers:

http://answers.google.com/answers/threadview?id=555871

though it's mostly about corporate crime. Still, it's pretty intriguing reading.