Caller ID Spoofing

What's worse than a bad authentication system? A bad authentication system that people have learned to trust. According to the Associated Press:

In the last few years, Caller ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several Web sites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware.

For instance, Spoofcard.com sells a virtual "calling card" for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display.

Near as anyone can tell, this is perfectly legal. (Although the FCC is investigating.)

The applications for Caller ID spoofing are not limited to fooling people. There's real fraud that can be committed:

Lance James, chief scientist at security company Secure Science Corp., said Caller ID spoofing Web sites are used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder's home, and use the credit card number to order cash transfers that they then pick up.

Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards.

And, of course, harmful pranks:

In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.

It's also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox.

I have never been a fan of Caller ID. My phone number is configured to block Caller ID on outgoing calls. The number of phone numbers that refuse to accept my calls is growing, however.

Posted on March 3, 2006 at 7:10 AM

Comments

Miguel • March 3, 2006 8:17 AM

Yes, if you call me home and your ID is hidden I won't bother answering the phone. Sorry but it's too many telemarketers out there (and most of them seem to prefer to hide their ID).

Adam Shostack • March 3, 2006 8:25 AM

Cingular continues to use Caller-id to authorize access to voice mail. If you know my cell number, feel free to listen to the messages--not that I can stop you.

At what point does the widespread media attention to caller ID spoofing turn this into an actionable tort?

arl • March 3, 2006 8:29 AM

Yup, this needs to be fixed. With all of the abuse possible over the phone people want to know who is on the other end before they pick up the phone.

Carriers may need to work out agreements on forwarding caller ID data if the data provided to them does not meet a given level.

The credit card activation problem is bigger than this. Most houses have a demark on the outside. It does not take much to buy a handset, steal a card from the mailbox and then walk to the side of the house and jack in.

Pierre • March 3, 2006 8:30 AM

BTW, congrats about the Dr Dobbs award. You are in a fine group of persons.

Rowan • March 3, 2006 8:32 AM

@ Adam:

I don't think it requires media attention for ID spoofing to become a tort. Assuming they do it intentionally, it becomes an issue of showing damages.

I'm very surprised this doesn't fall under any other existing law though.

dqueue • March 3, 2006 8:39 AM

Adam,
Cingular has a preference that you may change so you're prompted to enter your password, even if you're calling in from (what appears to be) your cell phone.

James Lick • March 3, 2006 8:58 AM

Bruce,

I hope you realize that Caller ID Blocking is just as hopelessly broken as Caller ID Spoofing. There are two ways that the recipient of a call can know the calling number, Caller ID and ANI (Automatic Number Identification). Caller ID Blocking DOES NOT block ANI.

ANI service is normally only available on business lines, toll free numbers, and when using a PBX, though some VOIP operators also use it. I use a service which will automatically use ANI instead of Caller ID if the Caller ID is blocked. My Dad uses Caller ID Blocking, but I still see his number when he calls me.

If you are using Caller ID Blocking to make sure that telemarketers don't get your number, you're just fooling yourself. Of course, Caller ID Spoofing will also usually spoof ANI as well. Caller ID Blocking is only useful against people who don't know about ANI, and those people probably aren't as much of a threat to your privacy.

CallMe • March 3, 2006 9:02 AM

I generally agree that Caller ID Spoofing will eventually become a problem.

Regarding getting it fixed, in my area, the local telephone company charges a premium for "Caller ID" and for "Caller ID Name" services. If enough customers realize the system is flawed, by not providing the level of service expected, and contact their local provider to complain or cancel the service, the financial impact could push the telcos into fixing the problem.

However, outside companies foolishly relying on Caller ID for some form of authentication (for CC activation, etc.), I think this may be more a localized problem.

For example, in my house the attitude toward incoming telephone calls has changed and my family is now "trained" so that we don't answer calls that are not in our local address book. We no longer answer all incoming calls, but only pick up calls that are in our "white list" (aka the built in phone book in our telephones). All our phones have the ability to check incoming calls against the built in address book, and then give a distinct ring to indicate the caller is in the phone list. Incoming calls from numbers not in our phone list go to the answering system (which allows call screening), where the caller can leave a message. This process won't become a problem until my local phone number "white list" (circle of friends, family, etc.) is corrupted by Caller ID Spoofing, which since this is highly localized, likely won't be a problem for some time.

Doug • March 3, 2006 9:23 AM

Remember that caller ID blocking doesn't work when you dial a toll-free number. The toll-free holder receives a bill, listing your phone number and the appropriate charges.

That's a good part of the reason why companies are willing to spend the money on toll-free - they now have a 'business relationship' with you and can telemarket to you.

Moral of the story: Use unlimited long-distance, and dial a toll call.

Victor Bogado • March 3, 2006 9:58 AM

The problem I see here is not that there is a flaw in "caller ID"; instead it is the fact that people use it as an infallible identification.

This is similar to the problems that many companies assume that if someone knows your birthday and your social security number (or some other ID number) then it must be you. People need a good way to identify themselves to companies and other people.

Mike • March 3, 2006 10:50 AM

Some phones provide you the ability to only send caller id to people already in your contacts list.

Chase Venters • March 3, 2006 11:26 AM

I work in telecommunications, so this isn't really new to me. What's changing here is that there are now voice-over-IP providers that accept whatever Caller ID credentials you supply in your call setup requests. This is actually not a new thing at all... business-grade telephony service (say, PSTN connectivity for your PBX over a PRI) often offers you the same capability to define your caller ID information. The reason is because although you may have 24 channels, you may have 100 DID (direct inward dial numbers, say 123-456-7800 to 123-456-7900). Thus it becomes the responsibility of your private branch exchange to inform the switch what number the call is actually coming from.

Now, one solution is to lock down, at the switch, which caller ID numbers may be set by a given subscriber. (This isn't, to my knowledge, as easy as setting a configuration parameter... switching is in some ways obscenely more complicated than it ought to be).

Even if you did so, though, you'd be excluding the capability of businesses to take advantage of PBX features like call forwarding. (Call comes into DID, endpoint user is not at his desk, call goes to his cell phone with the *original* caller ID information set).

In truth, I think the largest problem is that people trust Caller ID as an authentication mechanism. T-Mobile was one carrier that was notably fantastically vulnerable to mailbox hijacking. What drives me crazy about it is that even if they wanted to offer PIN-free access to subscribers who call from their own number, they could have simply verified that any call coming into their voicemail system, bearing one of their subscriber's numbers, actually *originates* from T-Mobile hardware. But as usual for large companies, they simply didn't care until it became newsworthy.

Sigh.
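The two checks proposed in the comment above, sketched in Python as an added example (not code from the post, the commenter or any carrier): labelling PBX-supplied caller ID against the subscriber's DID block, and letting voicemail skip the PIN only when the call entered on the carrier's own trunks. The trunk names, labels, mailbox number and PIN are constructed for illustration; the DID block is the one the comment mentions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# ---- 1. Switch-side screening of the caller ID a PBX supplies -------------

@dataclass(frozen=True)
class PriSubscriber:
    did_first: int   # first number of the subscriber's DID block
    did_last: int    # last number of the subscriber's DID block

def screen_caller_id(sub: PriSubscriber, supplied: str) -> tuple:
    """Label the supplied number instead of rewriting it, so forwarding a
    call with the original caller ID still works, while downstream systems
    can see whether the carrier vouches for the number."""
    digits = "".join(ch for ch in supplied if ch.isdigit())
    in_block = len(digits) == 10 and sub.did_first <= int(digits) <= sub.did_last
    return digits, ("verified" if in_block else "unverified")

# ---- 2. Voicemail access: caller ID match vs. verified origin -------------

# Trunks that terminate on the carrier's own network (hypothetical names).
ON_NET_TRUNKS = frozenset({"radio-access-1", "radio-access-2"})

@dataclass(frozen=True)
class InboundCall:
    caller_id: str       # number presented in signalling; caller-controlled
    ingress_trunk: str   # where the call entered the network; carrier-controlled

@dataclass(frozen=True)
class Mailbox:
    number: str
    pin_salt: bytes
    pin_hash: bytes
    allow_pinless: bool = True   # subscriber preference

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, stretched hash rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def weak_voicemail_access(call: InboundCall, box: Mailbox) -> bool:
    """The behaviour the article describes: entry granted on caller ID alone."""
    return call.caller_id == box.number

def hardened_voicemail_access(call: InboundCall, box: Mailbox,
                              pin_entered: str = None) -> str:
    """PIN-free entry only when the number matches AND the call came in on
    the carrier's own trunks; every other call must present the PIN."""
    on_net = call.ingress_trunk in ON_NET_TRUNKS
    if box.allow_pinless and on_net and call.caller_id == box.number:
        return "granted"
    if pin_entered is None:
        return "prompt_for_pin"
    ok = hmac.compare_digest(hash_pin(pin_entered, box.pin_salt), box.pin_hash)
    return "granted" if ok else "denied"

# ---- Constructed sample data ----------------------------------------------

SUB = PriSubscriber(did_first=1234567800, did_last=1234567900)
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed for the demo
MAILBOX = Mailbox("2025550123", SALT, hash_pin("4821", SALT))
# Same presented number, different points of entry into the network.
OFF_NET = InboundCall(caller_id="2025550123", ingress_trunk="voip-interconnect-7")
ON_NET = InboundCall(caller_id="2025550123", ingress_trunk="radio-access-1")

if __name__ == "__main__":
    print(screen_caller_id(SUB, "123-456-7850"))
    print(screen_caller_id(SUB, "(202) 555-0123"))
    print("weak, off-net:    ", weak_voicemail_access(OFF_NET, MAILBOX))
    print("hardened, off-net:", hardened_voicemail_access(OFF_NET, MAILBOX))
    print("hardened, on-net: ", hardened_voicemail_access(ON_NET, MAILBOX))
```
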

hibernatus • March 3, 2006 11:29 AM

i'm very surprised how can anybody absolutely believe in Caller ID. afaik, no service here in Slovakia is based on the ID only. at least a PIN code is demanded.

i may lend my mobile phone to my friend, when his one is out of batteries; i may lose my phone; it may be stolen; also a fix line may be used by a burglar... so, from my point of view it is not a problem of spoofing a Caller ID, but problem of believing in the ID.

another_bruce • March 3, 2006 11:39 AM

the telcos created these premium services to make money, not to make you more secure. in a spy-versus-spy escalation, first there was caller id, then caller id blocking, then call managing. the only winner in this arms race is the telco.
since i'm retired, at least from law and biztech, i have the option of simply not ever taking calls. i leave the phone line plugged into the computer even when it's turned off, and i only plug it into the phone when i want to call someone.
so is caller id spoofing an actionable tort? we'll never know until somebody sues over this. that's how actionable torts get recognized.

roy • March 3, 2006 11:41 AM

Thanks to telemarketers, the failure of the National Do Not Call Registry, the popularity of suppression of caller ID, and the ability to spoof the ID, my home phone has the ringer off. I will never answer. Leave a message. If I don't know your voice, I will not respond to the message.

BTW, if this spoofing is outlawed, then only outlaws will be spoofing. So the law would deter only noncriminal dishonest people.

As far as existing laws, when is impersonation legal?

dk • March 3, 2006 11:42 AM

One thing that isn't clear in this report is whether we are talking about Caller ID spoofing, or ANI spoofing. I have heard many reports of Caller ID spoofing, but none of ANI. This may reflect the confusion between these two services.

If ANI spoofing is easy, it does call into question whether services, like credit card activation, which rely on one calling from home, are reasonably secure. In my experience, all credit card activation has taken place over toll-free numbers, implying that Caller ID spoofing is a non-issue.

J.D. Abolins • March 3, 2006 12:51 PM

I had blogged about the Newark, NJ phone hoax case last year. One news site that still is carrying a report about the hoax is Texas KGBT 4 TV at http://www.team4news.com/Global/story.asp?...

The phone hoax seemed to be low-tech, no apparent ANI/CLID twiddling. Seems like social engineering and, perhaps, police reluctance to dismiss the call as a hoax lest a real kidnap/rape victim's call was ignored.

Evan • March 3, 2006 1:57 PM

I'm rather surprised nobody has mentioned http://www.crypto.com/papers/wiretapping/

The whole paper is great, but section 2.2 includes a relevant blurb about spoofing caller ID sans use of a third party system by sending multiple CNID signals across the line. I don't know how useful this would be against, eg, Cingular's system, since it relies on the client device displaying only the most recent number, but according to the paper it works against wiretapping devices, so who knows?

Swiss Connection • March 3, 2006 3:35 PM

It's not just telemarketers, but also Banks and criminals who use Caller-Id Blocking. I generally don't want anything to do with any of them.

Can anyone explain how I can set up ANI so to see the blocked number anyways? Of course with the banks, the number sent by the PBX is the main switch number, not the employee's extension.

It's also worth mentioning that the international telecom union sets standards which insist on technical procedures which enable government and law enforcement agencies to bypass caller-id.

Moz • March 3, 2006 4:26 PM

@Evan
Completely useless against any modern mobile phone system. The number is sent in the initial set up in an out of band signalling message.

Evan • March 3, 2006 5:21 PM

Moz:

Thanks--good to know :). Still, unless I'm mistaken (and I'm no expert), it should still be useful for stuff connected to the plain old telephone system, i.e. a typical phone line like what most of us have at home and/or work.

peachpuff • March 3, 2006 11:02 PM

"My phone number is configured to block Caller ID on outgoing calls."

You probably realize this, but I'll point it out anyway: blocking Caller ID alone doesn't prevent any of the abuses you mentioned. Refusing to identify yourself doesn't stop others from impersonating you. You'd need to inform Western Union, credit card companies, and the police in advance that the real you always blocks Caller ID.

Ari Heikkinen • March 4, 2006 8:16 PM

In my opinion, caller ID is the best thing to ever happen for phones. If someone calls you when you're busy, you simply check logs when you get back and if it's someone you care about you call back. Now that's convenience.

You can always switch off the caller ID for numbers you don't want calling you back, but I don't quite understand what's the point of disabling it when calling say your friends.

As for security, I've never used caller ID for authentication. If someone I know calls me I generally recognize their voice and the caller ID is pretty much irrelevant anyway. And if there's need for additional security you can always hang up and call back (or use some other means of communication of which security you're less uncertain of - phone systems are a big question mark when it comes to security either way, so it's safe to assume they're not secure).

If I've hated something related to phone systems it's answering machines. Ever wondered why every phone company is so keen on giving you free answering machines? That's because they make millions with them. Normally you'd get busy or no answer, but with these stupid things you're always getting an answer and are thus billed.

Ari Heikkinen • March 4, 2006 8:22 PM

Oh, and I'm always amazed of the US way, when it comes to technology, the tendency to outlaw things instead of fixing them.

RvnPhnx • March 6, 2006 12:33 PM

@Ari Heikkinen

If you come up with some way to fix stupid people, will you please let us all know?

jayh • March 8, 2006 7:46 AM

>>Yes, if you call me home and your ID is hidden I won't bother answering the phone. Sorry but it's too many telemarketers out there (and most of them seem to prefer to hide their ID).

I use a calling card. No ID shows up. One relative has a habit of ignoring calls without ID, if she's going to be that arrogant, I don't bother to contact her.

tom • April 24, 2006 3:12 AM

Bring Caller ID functionality directly to your computer desktop. Identify callers using CallerID Monitor before you answer to call. It uses your modem or ISDN adapter and Caller ID service provided by your local phone company in order to identify who's calling.

http://www.yaodownload.com/internet-tools/...

Diane • May 7, 2006 12:04 PM

If I use a prepaid phone card to call a car dealership, do they get my number or the card number? Or with automatic number identification do they get my number no matter what?

Diane • May 7, 2006 12:07 PM

If I use a prepaid phone card to call a car dealership do they have my number or the card number? Or with most businesses having automatic number identification do they get my number NO matter what I do to protect my privacy?

jmassey • June 1, 2006 5:42 PM

Re: All those who refuse to answer a call if the caller ID is blocked: Be aware, some (many?) law enforcement agencies block caller ID so that if, say, a detective calls you from the private line on his desk, you will still have to hit the phone book and call their 'main' phone number and ask for a transfer instead of being able to learn his private line's number and thus harass them as they work a case in which you are involved.

Carl Coryell-Martin • June 2, 2006 12:49 AM

Some mobile phone companies use the caller id feature to determine if a caller is calling someone on the same network.

I saw a demo last year where someone had set up an Asterisk server to give himself free wireless service 24/7. He routed all his calls through his home PBX which used spoofed caller id to look like a cell phone on the same network and thus used no wireless minutes.

Skaag • June 2, 2006 3:57 AM

The simple solution is to call the number back (CID or ANI, in this order of priority), for serious transactions (money or privacy related).

You eliminate the problem entirely AND The real person owning the original number suddenly gets a call from the company, which serves as an alarm that somebody is trying to spoof him.

Rusty • June 2, 2006 6:15 AM

While I do use caller-id to screen calls, the vast majority are actually screened at the voice-mail box.

If someone wants me to call them at an extension of a toll free number, I expect to find out what company they are calling from.

If it is 'important' that I call, define important for 'whom'. A telemarketer who absolutely needs to make a sale may find it far more important that I call back, than I ever will. Also define 'why' it is important that I call back. 'Important' is not a why, it is a modifier to why. I.e. 'It is important that you call regarding your son's pending appendectomy.'

There are callers that I will pick up the phone for. Pretty much they all have text associated with their caller-id number that I recognize, and consider important to take the call from. That number is fairly low, the rest can do their best to get me to call them back. I'm not all that impressed with most of them these days.

Jason • June 2, 2006 7:23 AM

Useless and irrelevant point of fact: There are no SWAT teams in New Brunswick, NJ. They're called the Middlesex County HRT.

some guy • June 2, 2006 2:39 PM

Some utilities use the ANI instead, and there was a hack at one point where you could spoof your caller ID and then call certain MCI numbers which take your caller ID and make it your ANI (they did it as a 'fix' to the 000-0000 issue).

Anyway, nobody really cares but us, so we probably won't see better fixes at these companies until they get hacked by China or something.


James Lick wrote:
(( Of course, Caller ID Spoofing will also usually spoof ANI as well. Caller ID Blocking is only useful against people who don't know about ANI, and those people probably aren't as much of a threat to your privacy. ))

Tim Pozar • June 2, 2006 11:36 PM

Funny this is just being talked about. Being able to spoof Caller ID has been around for years. At my work we got a PRI from a well-known CLEC and I tie that back to an Asterisk server. I noticed that I can put anything I want on the Caller ID going out. My provider does not restrict the range of numbers.

Rdwdgak • June 6, 2006 6:16 AM

Today is election day. Yesterday we got 11 computer generated calls and only one had a human calling. Although several of the caller ID numbers were legitimate, there were 3 from 1-800-555-5551 and 2 from 1-000-000-0000. Each of these had a recorded political announcement. At least I didn't waste time trying to call those numbers back.

avh • September 25, 2006 4:37 PM

>>Yes, if you call me home and your ID is hidden I won't bother answering the phone. Sorry but it's too many telemarketers out there (and most of them seem to prefer to hide their ID).

Very clever, unless they continually call you at 4 in the morning. Believe me, they do.

E-rock • November 5, 2006 7:42 AM

I think that Caller ID spoofing technology is less of a threat than people's misuse of caller id. Caller ID was designed as a telephone feature, not unlike call-waiting or voicemail. It was, however, NOT designed as a security device. If someone comes up with a way to render it useless, from a security perspective, then the subscriber always has the option of cancelling the service. They shouldn't use caller-ID as a "secure" way of identification, anyway. Same thing with voicemail. All voicemail services allow the user to require passwords... USE THE PASSWORD and the problems are solved. Finally, the idea of making ID Spoofing illegal based on its intended misuse for committing credit card fraud is ridiculous. Yes, it can be used as a tool for activating a fraudulently obtained credit card by posing as a call originating from the real person's home. However, that's the credit card company's fault for not placing new subscribers on the phone with a real person. Again, if new credit card companies required simple verification of personal applicant information, 90% of credit card fraud would be eradicated. It is simply less expensive (and obviously less secure) for a revenue-generating enterprise, like a credit-card company, to utilize an automated approval system with limited verification filters, than to hire live help for $8 an hour. I mean, cars and ski-masks make a great tool to facilitate bank robbery, however I wouldn't recommend making them illegal based on their potential misuse.

Jules • November 15, 2006 11:40 PM

While the logic behind the above posting that begins with "Caller ID spoofing technology is less of a threat than people's misuse of caller id." seems to make some sense, the fact still remains that anyone trying to use any form of misleading identity, (except for law enforcement, or other legitimate agencies) has a dishonest purpose in mind. Stalkers, harassers, thieves, con artists, identity thieves, just love this type of technology. The usage of this technology by anybody other than legitimate agencies, is plainly speaking guilty of impersonation. If the Federal Government can not figure a way of outlawing the companies that offer "caller i.d. spoofing" to the general public, these companies should face lawsuits by the victims of scam artists, stalkers, etc., that use these products.

Roel Haustein • November 27, 2006 4:14 AM

Well,

does someone have a program for mobile phone that can see the number of the anonymous caller?

Greetings Roel
N E T H E R L A N D S

Winston Smith • December 10, 2006 10:47 AM

Thesis-Antithesis-synthesis...

I wonder what the 'solution' to spoofed CLID's will be. More and more people are weary of answering their telephones these days, lest it be some scum-bag telemarketing company (usually based in India)! What annoys me the most, is the fact that they use LOCAL area codes, in an effort to fool people into thinking it's a legitimate call.

I now always leave the answering machine to 'pick up' the call (after two 'rings'). I had one company call me twice a day, for two whole weeks- and the call was always 'dropped' by them when I picked the receiver up: A FAKED CLID to boot!! I'd love to blow their heads off with an AK47! *cough* It's almost pointless being on an opt-out/'do not call' list- as those nefarious scoundrels call numbers at random- via computers! I'll end up getting rid of my 'phone- I don't need the hassle...

Perhaps the 'solution' would involve biometric technology- welcome to the NWO. Trust me, the telecommunications companies/governments knew that this 'problem' would arise- and are just waiting for us to accept having to provide a thumb scan before calling anywhere...

Vik • December 18, 2006 3:54 AM

I am in the US and got a disturbing voice mail message recorder and yet I got no information about the call on my caller ID.

I wasn't home at the time so I am relying on looking at the indicator/record of calls that came in on that day. There is simply no record of any call, just the voice mail.

How can this be?

Jerry • January 8, 2007 1:54 AM

My girlfriend used this system to make me think she was at work (or home) when in reality she was seeing her other boyfriend. How many others have been fooled into thinking their significant other was at one place when actually they were somewhere else? It took me years to discover how she did it.

trish • January 9, 2007 11:41 AM

i have cingular wireless with a family plan (son has additional phone). I know that he is making phone calls and receiving phone calls at certain times. But when I look on my statement those calls are not registering. Some phone numbers show up on his call list and show the amount of time he's talking but never show up on the statement. And then there are times where there is no phone list on his phone of who he called or received the call from when i know he was on it talking. My question is... can a person make an outgoing call or receive an incoming call, talk for however long and then delete it from their call list on the phone and it never registers on the statement? Or is there something that either he is doing or the other party is doing prior to dialing either's number to keep it from registering either on the phone or statement? And if it can be done please explain how and how to correct the problem.

perplexed • January 27, 2007 8:51 PM

Totally unbelievable that spoofcard.com is allowed to operate with a slogan like "Be who you want to be!"

Maybe a few tens of dollars worth of spoofed calls from key legislative people to other key legislative people or departments may do the trick? But, this may carry liabilities. Maybe even a simple notice to several key legislators that such an attempt will be made to-and-fro on their behalf to highlight the issue *alone* will do the job?!?

Anonymous • February 1, 2007 9:01 AM

The frightening part is that some dial around services (10-10-XXX) use CID and ANI to ID the caller. If someone spoofs you; they can call whomever and suddenly it will show up on your phone bill.

Something has to be done about this!

Anon • February 17, 2007 12:36 PM

Heh, from:
https://www4.spoofcard.com/buy.php
=-=-=-=-
Purchase A New Calling Card

Due to elevated levels of fraudulent purchases, we are temporarily requiring that all new customers verify a cell phone number. By filling out the below form, you will receive a text message on your cell phone containing a 4-digit verification code needed to place an order. You are only permitted to verify one cell phone number for a single new purchase, per week.
[...]
=-=-=-=-
Hey spoofcard that medicine tastes sour, eh?

glass half full • February 26, 2007 1:11 AM

Seems you are all focused on the negative. Does it take a criminal mind to think of the criminal activities one could engage in with altered caller IDs? Is it not possible to use such a system to seek truth? Contradictory, ironic, maybe even hypocritical? Perhaps. But sometimes one or two simple calls from an ID other than your own may give you the assurance or answers needed when dealing with a confusing situation or someone else who may be artfully deceitful. And then not only may the situation be remedied and their lies addressed with proof, but the truth may also set you free

ann • February 28, 2007 5:12 PM

I am a victim of caller ID spoofing. For several months I received 1-2 calls a week from people in different parts of the country who said my phone number appeared on their caller ID. Some were quite irate and adamant that I had called them. Today I received 14 calls from people in Ohio from 9am to 9:30 am saying my number was on their caller ID. When I finally reached a human at AT&T they looked into it and said there is nothing they can do except change my phone number. Is there any other way to fix this?

Tom • March 5, 2007 5:43 PM

I've been receiving calls on my Verizon cell phone for weeks now up to 10 x a day. People say I called them when I didn't and the scam is someone's trying to get these people to sign up for Capital one credit cards. On my cell #. It's really annoying, costing me time at work to answer the phone as well as angry people. I even got a call at 1:00am. I would change the # but I've had it for 15 years and it's a business line. It could cost $$ to change signs, cards, shirts etc. I want these people stopped!! This is illegal!!

David Branagh • March 19, 2007 7:37 PM

Just wanted to know, is there a way to possibly block or spoof ANI (Automatic Number Identification)? I was told it was impossible. If there is a way, I was just curious to know. I have broadband (digital) phone service by the way.

spartan0407 • March 23, 2007 1:23 AM

the cisco 3800 routers have a facility to permit screening based on the caller id. (the exact command is isdn caller xxxxxxxxxx). this permits the administrator to permit dial ups only from known telephone numbers.
please clarify this doubt for me, will this caller id spoofing work here too?

ken • March 24, 2007 7:15 PM

Who cares if caller id is spoofed or not, I only answer the phone if I know the person who is calling. No one would know to spoof that number. I use Phone Tray Free to send messages and SIT tones to telemarketers and individuals who I don't care talk to.

Tim • May 18, 2007 2:03 AM

How many of you work in telecom? You all need to wake up. It's only a problem for subscribers because carriers have reverse ANI, ISUP and many other validation methods to identify a call or circuit. Regulations prevent LEC's from providing these protocols and routing information to the public. Hell yes the carriers are capable but don't hold your breath on them spending millions to alter their infrastructure just so you can be assured who's calling. Believe me, if the problem is really serious, the phone company can find out who called. If you want to do something, start with addressing public utilities commission and the FCC so there will be a market available offering additional caller identification features beyond CLID or even ANI!!

India • May 25, 2007 5:10 AM

Winston Smith:
Trust you are still alive and well. Scum-bag telemarketing companies are usually based in USA, they just use cut-rate telemarketers based in India. You are confusing the guilt of the employer with that of the employee.

VeryTiredNow • September 14, 2007 11:07 AM

I was awakened by three consecutive calls at 4:30 this morning by a silent caller who I thought I'd gotten rid of 5 years ago. She had a Caller ID "Susan S-----" with the number (818)313-xxxx.

After a week or so of enduring similar torture back in '92, I'd ordered Call Blocking, which seemed to eliminate the problem. Now, after having switched over to a new package deal with my cable company, the Crazy Bitch is back!!!! And NOW, I've just learned that my cable company DOES NOT OFFER A CALL BLOCKING FEATURE!!!!

I had spoken with the person who really owns that phone number back in '92 and I was convinced that she was not the person making those calls, but I am pretty sure I know who the culprit is... I believe it is my ex-husband's second ex-wife, who is a real LOON and her name is Linda V----- of Tujunga, CA.

It was not until this morning after Googling around a bit that I realized how she'd done it.

I know that this will not stop on its own... Short of getting a new telephone number, is there anything I can do to stop this harassment?

J • October 2, 2007 4:31 AM

Well, it's happening. Telemarketers are using Spoofing to attempt to con people out of their credit card numbers. I've been receiving phone calls from a 92 year old nursing home patient for the last several months named Adele. The call registers as a (208) number, but when you try to call it, the line is disconnected. Here's basically how it goes:

-Chipper recorded voice-

"Hello, this is Heather from your credit card company (it never even NAMES "your credit card company," it just says that) and we're offering help to lower your interest rates on your credit card. We have been trying to get into contact with you for a while now, and this is your FINAL CHANCE. To speak with a representative now about lowering your interest rates, please press 1. To discontinue calls about this offer, press 3."

I've always hit 3 in the past. The line goes silent, and I hang up. A few weeks later, I'll get another call, and press 3 again.

Last night, I hit 1. Here's what happened. I wish I was kidding.

A man picked up, sounding like a bored fast-food employee - he sounds at least 25.

"Did you press 1 to lower your interest rates?"

"No, I pressed one to talk to someone about taking my name off of this list-"

"I'm not a psychiatrist. You need to *talk to someone*?"

".... About taking my name off of this list, yes. The 3 button doesn't work and - "

"Do you need a psychiatrist? Are you *lonely*? You need to *talk to someone*?"

By this point of the conversation, my hands were shaking. This guy was being blatantly unprofessional, and I was in shock at his rudeness.

"Why are you being so belliger-"

He's talking over me now.

"Maybe you should talk to your psychiatrist. You've got major problems."

"Can I speak to your manager? Is this a business call or a prank call?"

"Is this a what? What did you say?"

"Is this a business call or a PRANK PHONE CALL?!"

"Why did you press 1 if you're not lowering your interest rates?"

"Because I needed to speak to a real person and not a machine to get my name off the list."

"A machine? -Something about a robot- What do you even want?!"

-Me, calmly and coldly-

"I want you to take my name off your list and never call this number again."

".... Is that right?"

He says this like it's a challenge, like I've just threatened him. WTF?!

"Yes."

"....."

"Take me off the list."

"We'll see...."

"....."

"....."

"....."

"Do you *have* a psychiatrist?"

"...Nooooooo..... Am I off the list?"

"Maybe you need one because-"

"Oh that's clever, you're really clever with the psychiatrist thing. Is my refrigerator running-"

-He hangs up-

...... That's basically how it went. WTF WAS THAT?!?!?! I told my dad what happened, and he tried to call the number on the Caller ID, but as I said, it was disconnected. So, while I struggled to pull myself together - I was shocked, outraged, and felt oddly violated - my dad called the operator, and they traced the number to "T. Myhre," and the town and state. I won't reveal the phone number because as I mentioned, it does belong to an old woman in a nursing home.

However, I searched the number on Google, and the name registered as "AR (her last name)." WTF?!?!?! I put in the name "T. Myhre," and located the address.

A CHRISTIAN NURSING HOME. WTF?!?!?!?!

I surfed around, and got the URL of the joint from the city Chamber of Commerce site. Then I visited the site, and it had pictures of happy old people everywhere. WTF?!?!?!

So I was severely freaked out, and decided to find more info on "AR." I searched the full name, and came up with a CEMETERY. WTF?!?!?!

I searched down the long list of names of dead people, and finally found a "Harvey T. (last name)." Eureka! A "T" connection! Or so I thought... Unfortunately, Harvey died back in 1995, and I doubted whether the vile call came from beyond the grave, though the caller was certainly a creature of darkness...

Then, I noticed another name on the list - an "Adele Ruth (last name)." AR! Interestingly enough, Harvey was born in 1913, died 1995, and Adele was born in 1914 and died *no date*. Hmm....

I called the nursing home and asked if Adele (pronounced by the friendly receptionist as "uh-dell." I kind of like that spelling...) lived there. She said that she was just upstairs. I tried to explain to her what had happened, and that it was the strangest phone call I'd ever received. The receptionist seemed just as WTF'd as I was, and advised me to call the office back in the morning to get it all straightened out. It seemed like a nice place. Definitely not where the call came from.

And so, I spent the next few hours searching for various "T. Myhre"s. I eventually stumbled onto the recurring name "Teresa Myhre." A LOT of them.

And this is where it all went wrong. I found several of the Teresas, and Googled the phone numbers. They gave me DIFFERENT NAMES. Attached to DIFFERENT CITIES. In DIFFERENT STATES. All connected through the SAME phone number. WTF?!?!?!

After hours of searching, I discovered a link between some of the names and numbers. This all just happened a while ago, so it's not going to be comprehensive (or even chronological) but here's basically what I did:

T. Myhre - Background Checks to-
Teresa Marie Myhre - Googles to-
Terry Myhre - Googles to-
Teresa Myhre - her phone # Googles to-
John Myhre - # Googles to-
JD Myhre - # Googles to-
Paul Myhre - # Googles to-
M & T Snodgrass (WTF?) - # Googles to-
Michael Strenke (WTF?!) - # Googles to-
Richard Strenke - # Googles to-
.... RICHARD STRENKE! Finally, a valid number.

So I looked back on what all I'd found (which was sooo much less organized than I make it look here). "T" Snodgrass? Teresa perhaps...? Hmmm.... So... I called them. The "T" and "M" Snodgrasses had different numbers (I think), and since "M" Snodgrass was disconnected (Michael?), I called "T," hoping for a connection. A deep voiced woman answered the phone.

"Um, Hello?"

"Hi. I was wondering if *Terry* was there?"

"Uh, Terry?"

"Yeah."

"....."

"....."

-Away from the phone-

"Terry?"

I wait for about 30 seconds.

"Hello?"

"It's not Terry yet."

The same deep voice.

"Oh."

A few seconds later, a new voice answers.

"Hello?"

I'd waited about a minute and a half total for her to get to the phone. She sounded young, maybe around my age.

"Do you know Richard?"

"Richard?"

"Yeah, Richard Shenk... ay?"

I had both forgotten how to spell AND pronounce the man's last name.

"Um... no...?"

"...Oh, that's okay. Sorry. Thanks."

I hung up.

Hmm... I couldn't tell if she was lying, and it didn't help me make a connection at all.

.... I spent the next half hour calling people at home after midnight, asking for other people's names to "freak them out" and hopefully get a confirmation that these people were related in some way, and I had just stumbled upon a Nationwide Underground Telemarketer Scam. I still don't know if they're related. I may yet be right. I do know for sure, however, that I pissed off one woman who was sleeping in some state that I cannot remember.

Two of the Richards (there were multiples of every name on the White Pages site) had the same address and one of the Richards had a "J" middle initial, but both phone #s were the same, except that the last two digits of one of the phone #s were different. This sounds suspiciously like an apartment building to me. What are the odds of two Richard Strenkes in the same building? So I called both of them. "Richard J"'s line was disconnected, so I dialed regular Richard Strenke (I still forget how that's spelled as I type this). A groggy sounding woman picks up after the fifth ring.

"Hello?"

"Hello. Is this Teresa?"

I am being sneaky, and trying to trick her into giving me a connection between all of these phone numbers, names, states, and cities.

"What?"

Damn.

"Can I please speak to Richard?"

"You. Have. The wrong. Number."

"Oh? I'm sorry."

"Do you have ANY IDEA WHAT TIME IT IS?!"

She hangs up.

Ooops. Hmm... She was pissed. Well, whatever. I look at the clock and it says 12:04 am. It can't be *that* late wherever the hell she is... right?

I wish I could say that I stopped there, but I called a few other people.

I asked one of the Michaels to "say hi for me to Richard."

"Richard? I don't know him."

"Yeah, this is- this is an *old friend*."

It comes out sounding pathetically like a threat, and I am mortified at the parallel I immediately draw to the Evil Caller's ".... Is that right?"

"I think you have the wrong number."

"....... Are you SUUURE?"

"Um... yeah."

"Okay, sorry, thanks."

Well, f%&k.

I give up. I'm just gonna call the Nursing Home in the morning, and tell them somebody might be messing with Adele too. (Oddly enough, I find myself caring about the elderly lady, even though I have no idea who she really is, or what she's like.)

So... an hour and a half later, after my dad's gone to bed (he was soo pissed, and wanted to KILL the guy who called me) I got started searching for Teresa again. Finding the same dead ends (but not making any more phone calls!), I tried a different tack.

I started searching for scams involving telemarketers and credit cards. I came across a lot of horror stories concerning the elderly and telemarketers, and I wish I could call and talk to the Nursing Home *right now*. I hope they didn't mess with that old lady.

Then, I stumbled onto the term "Spoofing." I had never, ever heard of this before. They make cards that let people trick caller IDs into displaying the wrong number?! WELL S%&T!!!

My deepest apologies go out to those five people I called. Unless of course you really *are* connected to the Nationwide Underground Telemarketer Scam, in which case I hope you were on your cell phone, and it gives you brain cancer.

So, I'm going to call the Nursing Home back tomorrow morning and try to explain what all I've learned about what may have happened, and PRAY that I don't sound as insane as I think I do. Besides, with Harvey gone, maybe Adele is lonely, and it's always nice to know that someone out there cares. I'm probably being paranoid about it being anything more than a random choice by the NUTS people (I just typed that out because I was too lazy to type the whole thing out again, and I had no idea it would abbreviate to that. Awesome!) for the Caller ID to display Adele's number, but I don't think it'll hurt to make her caretakers aware that *someone* is using her phone number. Maybe I'm too sentimental...

Or maybe I *should* look into getting a shrink after this fiasco, but either way, I've already resigned myself to the fact that most likely, the Evil Caller will never be brought to justice.

If he were just a prank caller, why would he bother with the woman's recorded message (And yes, I searched for "Heather" Myhre, Strenke, Snodgrass, etc. too. I was very thorough..), and why would the call be about my *credit card*? And why would there be a press button option at all?

At the end of the day, I don't regret all the trouble I went through (and will still go through in a few hours when I call about Adele), because this guy WAS a CRIMINAL, and if it can happen to me, it can happen to anyone.

Beware of Spoofers, for NUTS jerks are catching on. This *should* be illegal, and I plan to send a (much less self-deprecating) complaint to the FCC. Spoofing is going to cause major problems, and something needs to be done, before more people like Adele are made patsies, and more people like *me* are made fools of....

Because ya know, it sounds kinda funny now, but I was pissed at the time (I STILL am), and that bastardly little weasel shouldn't get away with it, dammit. Spread the Word.

Jacques • October 4, 2007 3:20 PM

Next time anyone gets one of these calls, don’t get mad, get even, have fun. Follow the thread as long as they will talk to you. Tell them, sure, you want to lower your interest rate. When they ask for your number, tell them you thought they had it. When they say they don’t, tell them you can’t find yours right now, can they look it up or give you a number you can call back. Sound either real excited or real stupid. They may even give you a number.

String them along as long as you can, see what they will tell you. If you like messing with people’s heads, this can be fun. I love the political and religious calls, it’s a real hoot messing with zealots.

If they keep calling from the same caller ID, some phone companies, usually only the old standbys like Verizon or AT&T, not cell or cable, will do a trap and trace on the line. You usually have to file a formal complaint with the local cops, and the phone company will only give the call info to the cops, but if nothing else, you might cause these pests a little hurt. If there are a lot of complaints against one number, the cops may even do something about it. There are ways to trace to the real originating number, not the spoofed number. But you have to be way better at this stuff than I am to do it.

Dave Meads • October 17, 2007 12:12 PM

I have had multiple calls from companies who seem to thumb their nose at the DNC list. Some of them spoof their numbers on the CallerID. Unfortunately, some of these groups are exempt from the DNC list. I had a problem with Jerry Kilgore (Republican candidate for VA Governor in 2005) and his campaign staff. They were constantly calling and I was getting all 0's for the CallerID. They even called at 6:40pm the night of the election to ask me to vote for their candidate; when I said please stop calling the lady turned up the volume of her phone to try to drown me out while continuing her spiel.

There is legislation in Congress to make CallerID spoofing a Federal offense. Here is the name of the legislation (the House version has already passed the House):

S. 704: Truth in Caller ID Act of 2007

Contact your Senators (especially if one of them is on the Committee on Commerce, Science, and Transportation) and urge them to get this approved and the law enacted.

peterson • December 29, 2007 8:10 AM

I am calling some premium numbers and I want to hide my caller ID. I have tried everything, but the caller ID is still coming through, because I can see the live stats of the number which I am calling. How can I hide my caller ID? Can anybody help? Cheers

Pebbles • January 25, 2008 3:32 PM

My business cell phone was used as the butt of a Caller ID Spoof in which someone had setup to call numerous people repeatedly throughout an extended period (sometimes 5-6+ times per day for weeks) and hang up, always showing my number. I never once made the calls, yet I received an increasing amount of calls (I finally switched my number when I started getting over 30 complaint calls per day!!) from people wanting to know why I was doing this to them.

At first, I tried explaining what little I knew about it (thank you to Google for even finding any info!), then I left info on my voicemail that I was not the one making the calls and they had to call the police to get the number traced and to PLEASE press charges, as I couldn't do anything (at this point I was under the impression that only those with blocked numbers could have any number entered). Then, I changed the message when I read something stating that the police won't do anything if they are not being threatened. The new message basically stated that it is called Caller ID Spoofing and I was as powerless to stop it as they were. Needless to say, after many months of this crap, I finally had to give in and change my business number and hope I don't lose customers in the process.

While I do suspect the person with absolutely NO life whatsoever who set this up for a totally asinine reason, what I do not understand is WHY it is still around. Apparently there is no one in legislation who has been the victim of this on their own. If they had, I'd be willing to bet money it would be made illegal in no time flat. It's sad that there are so many people out there that obviously have so little to do other than create issues and drama in other people's lives.

Patty • January 28, 2008 1:39 PM

Someone is spoofing my caller ID; what appears is: Unavailable & my home #. I stopped answering, no one's there. I contacted my phone service; they can't do anything, they just said to contact the FCC, which I did, and they told me to contact my phone service. NO ONE CAN HELP. My phone service also said I should call the police, do a trace, the police will contact my phone service, etc. etc. etc. In the meantime, I'm getting 10 - 15 calls a day with my # on it, and no one can help.

Angry Victim • February 20, 2008 10:08 AM

I am a victim of caller ID spoofing. I get anywhere from 2 to 15 calls a day from people all over. Fortunately, none of them have sounded angry, if I actually answer the phone. I had to call my cable company three times and threaten to cancel my service if no one would help me with this. First I was told that someone hijacked my number. The cable company said they could clearly see that I wasn't making the calls, and they could see the calls that came in. I was told that they would file a "work ticket" to see what the problem was and that I should call back in a couple of days. The second time I called, the person who answered the phone said basically, sorry, there's nothing we can do from here so you need to call your local police dept. I didn't feel like calling our Barney Fife police dept, so I called back one more time the following day and threatened to discontinue their phone service completely and just use cheap trak phone cell phones, as this issue was becoming unbearably irritating. Well, the squeaky wheel does get the grease. A supervisor called me back in 15 minutes and agreed to change my phone number and to mask my caller ID for free. I will now have to give my new contact info to family and friends and that in itself is kind of a pain. I'm hoping this will stop the calls. I also signed up for the Do Not Call Registry. I don't think it prevents spoofing though.

Julie • March 17, 2008 9:30 AM

My family is another victim of caller ID spoofing. For about a week now my family has received at least ten calls every day (as late as 11:00 pm) from Spanish-speaking individuals claiming we called them. I don't think they understand when I tell them our numbers (yes, two phone lines) have been taken over by someone else. Our phone company will not help us unless we want to pay $60 to change our phone numbers. This activity has got to be stopped. I've written both of our Senators and Representatives and the FCC asking them to look into the issue. Maybe if enough people complain they will be forced to deal with it!

Michael • June 20, 2008 2:36 PM

For folks on the Do Not Call List, the telemarketing calls you do get should be considered a short-list for scammers.

I'm on the do not call list but I'm getting as many as 5 telemarketing calls per week. For the most part, these go over to voice mail and I just get an annoying recording followed by a press 1 for more info sort of request.

I've been home a few times to answer the phone and pressed the one to connect to a person. Often, nothing happens. Twice, I got a real person. In each of these, it was quite obvious after exchanging a few words that I was being called by a scammer. In today's call, I had as odd a conversation as "J" did in his posting above. (This one claimed to be a credit company that was part of Equifax. Nonsense.)

The FBI web site says that the point of these calls is to get your identity including social security. That adds up. Today's call was offering very low credit card interest for my great payment history. The fact that they didn't know how much I owe was a pretty good tip off to the plan.

What I wish was that I had a way to simply block calls that have the potential for CID scams. This would, of course, block all the Internet-based calls. Small loss, I don't know anybody using that.

While I wish that the whole operation were outlawed, I seriously question whether a law could work. How do you trace calls that are routed over the internet? You could only do so by catching the folks in the act of making the calls. That would be a real trick.

For now, I hope that company dropped my name. I don't hold out much hope there.

Mark • August 14, 2008 2:26 PM

What I really don't understand is the fact that our countries have laws regarding transmission over electronic media and these companies actively promote an illegal act. The sending of hoax information known to be false, possibly alarming and definitely with intent to mislead.

If I phone phreaked the wrong ANI over the network I'm a criminal but because I paid a company to do it for me it's ok...



Taggert • October 2, 2008 5:11 PM

Here is an interesting twist. Today, I called the VA Hospital to check on some medical equipment. I used a home telephone (traditional landline phone service) and my call lasted about 2 mins. About 30 minutes later, I received a call from the VA Hospital's main line, according to the caller ID on my "Cellphone". I answered and there was a beeping sound (the kind of sound you hear when a fax machine is attempting to connect or perhaps it was the sound of a device beeping, to notify that the telephone conversation was being recorded).

In any case, I called the office of the person at the VA Hospital, who I had spoken to earlier on my Home landline, to see if perhaps he was calling me back on my cellphone. I was guessing that perhaps he had my cellphone number listed in his records, from a previous call, but he claimed that he was not the caller.

So here is a weird scenario... did someone monitor my home phone and attain the other party's phone number (either electronically, or simply by listening in on my conversation), and then call me back 30 minutes later, spoofing the VA's telephone number, to attain a E911 fix on my cellphone location?

Perhaps I'm being paranoid, but this really did happen, and there is no one at the VA (who I regularly deal with) who claims to have called me, on my cellphone today. So, is this a simple VA phone system glitch? Or something to worry about?

Doug Ransom • October 8, 2008 8:58 AM

When combined with the requirements for the Canadian no call list, one could spoof a telemarketer's phone number, make a pile of calls on the no call list, and have the owner of the phone number receive a large, large fine ($1500/call or $15,000/call depending on whose number you spoof)!

Richard • February 17, 2009 4:05 PM

Someone stole a credit card out of my mother's mail and then used the "LEGAL" "FUN" callerID spoof to call and get a pin number from the card company. Since the card number matched the home phone number they issued a pin. So there's nothing malicious about this service ... I say BULLS..T. Screw you SPOOFCARD!

Mike • June 15, 2009 3:24 PM

Sorry to hear about that Richard. Credit card companies should use additional methods to verify the caller's identity, not just whether the home phone number matches the account. The phone number itself (even when not spoofed) does not establish who is really on the other end. I would so much rather use my secretary to identify and screen my calls than to pay for caller id on my business phones.

teenmom • June 16, 2009 12:05 PM

Well, it looks like spoofing is becoming a teen prank... Someone made prank calls to a bunch of people late at night and put in our home number and my 12 year old daughter's name... I got a phone call from some woman who wanted to know who was calling late at night from our house number... We were not home the night the calls were made, and my daughter's name should not be on their ID; it should have been my name as it appears on my bill... This could be scary if someone makes threatening phone calls to someone and it looks as if my daughter did it... It's not illegal, says the phone company, but it's identity fraud if you ask me.

Salvador • July 6, 2009 10:57 AM

I have just come across a need for spoofing my caller ID that is neither a prank nor a fraud. I wanted to call a ticketing agency and they will only accept a call if the CLID is displayed and from specific countries. But I am using VOIP without caller ID. So what can I do?

Rob • August 17, 2009 4:01 AM

I can't believe so many people are concerned about this.
Here is my standard phone answering policy.
1) I never answer the phone unless the caller Id is a person I know.
2) I usually don't get to the phone fast enough anyway so it almost always goes to the answering machine message. (I always use the canned machine message - a woman's voice, and I am a man - not one I recorded myself.) If a person or business I recognize and want to talk to starts to leave a message I will usually answer it then. Most telemarketing callers will never leave a message - they may keep calling for weeks now and then but I never answer and they never leave a message. Most of them have obscure unidentifiable caller ID names that I never heard of.

I am on the do not call register, and actually get very few calls, those that I do receive are mostly from businesses that I have something to do with, so it is legal for them to call me, but usually they are just trying to sell me something or get me to renew something, so I almost never answer them either.

I have had the same phone number and address for the last 46 years.

In general, I never call businesses from my home phone unless it is one I normally deal with - it is convenient to call from my home phone because their caller ID software recognizes my number so they know who I am and I do not need to provide a lot of extra info to the people at the other end before they start asking me the questions to verify my ID - I know I am talking to the real company because they already know my name and account number so I don't need to give that away.

When calling a new company, I usually call from my cell phone, I have had that same number for 6 years and never receive any calls on it from anyone other than my friends.

It had been years since anyone who is blocking their outgoing caller ID has called me.

If you actually answer a call from a telemarketer or strange person, the best policy is to simply immediately hang up; do not say anything at all other than Hello.
Usually you are being called from a computer dialer, so when you say Hello, there will be no answer anyway, because their system will not have connected you to a person yet. So if you say Hello once and get no reply, hang up immediately. Do not wait and say Hello, Hello, is there anyone there ? and wait for them to come on the line.
Just hang up immediately if you get no immediate response from someone.
If you hear a lot of background noise such as other people talking, also hang up immediately because it is also probably some sort of call boiler-room situation. Do not answer and start a conversation with anyone. Most of these people, unless a legitimate business, will be evasive and eventually belligerent. At best they will just stick to their prepared scripts and keep promising you other offers if you try to get out of the conversation politely - just hang up, do not say good bye, or not interested, just hang up.

Feel happy that you have already cost the caller the price of a completed connection.

So - bottom line - I have no problems.

Justin • September 27, 2009 3:07 AM

A lot of you have a backwards view of CID spoofing. Consider the rule of least privilege. When you make a call, you don't necessarily need to disclose your number, and *67 isn't always available.

Concrete case:

You call your bank using a private line that you only want friends to have access to. The bank *surreptitiously* records your CID information, and enters the number you're calling from as your phone number on file. They don't bother asking if you're calling from your own number or otherwise, they simply assume that it's your number and that they can call it as they please.

A month later you take a vacation to the other side of the world. At 3am where you are, the bank calls the number you didn't give them, which rings a physical phone (voip attached, or cellphone), to tell you what you already know - hotels and trains are being purchased on your credit card on the other side of the world.

Advocates of the rule of least privilege will only give consumer-facing businesses (like banks) a voicemail-only phone number. Businesses have no reason to need a number that physically rings the personal phone of a consumer. And they obviously abuse it with sales calls, and disclosing the number to other companies that abuse the number.

It's not just legitimate to spoof a voicemail number in place of a personal number -- it's also the proper security conscious approach, and everyone should be doing it!

You wouldn't give a bank the same personal email address that you distribute to friends would you? Same goes for phone numbers. I'm surprised Schneier seems to see the spoofing strictly as a tool for fraudsters.

Justin • September 27, 2009 3:13 AM

> Caller ID Spoof needs to be outlawed and we need the
> FTC to take action if our nation's law makers can't...

Certainly not! I find it disappointing that spoofing CID isn't easier and cheaper than it is.

Consumers should not be forced to trust businesses with whatever personal phone number they happen to be calling from. See my post above for more detail.

Roger • September 27, 2009 4:17 PM

Justin, you make some interesting points, but they seem to speak only to privacy of CLIs, which is already addressed by the existing system: it is possible on most if not all PSTNs to suppress emission of a CLI at all.

This is no argument for the current ease of spoofing CLIs: if a CLI is emitted, it should be genuine. A system in which fake CLIs can be emitted, serves practically no purpose -- no honest purpose, anyway. A system where *optional* but completely reliable CLIs can be emitted, enables the PSTN to be used for a variety of services for which it is otherwise too insecure.

True, in the past it has been used for many such services due to some combination of naïvety, a lower incidence of antisociality, or simple lack of an alternative. And those uses resulted in con jobs, hoax calls galore, heavy breathers and other stalkers, dangerous convicts released by fake faxes, and Nick Leeson.

(And unfortunately, due to the scourge of telemarketers, "answering the phone" is rapidly becoming one of the services for which PSTN is too unreliable without an identification system.)

Justin • September 29, 2009 10:13 AM

Roger, there are most certainly good reasons to spoof caller id. The phone number you call from is not necessarily the number you want the other party to have -- but you still want to announce yourself via caller id, both so that the recipient picks up the phone, and so they can make that choice based on the number you distributed to them. The other party won't necessarily recognize the number you're calling from.

I have 10 or so different permanent email addresses at any given time, and countless disposable addresses from spamgourmet.com. It would be absurdly silly to force me to send each message from the provider that offers the /from/ address - and in fact impossible in cases where the provider offers pop3 or forwarding but not smtp (or their smtp server is malconfigured).

The same need exists for security savvy callers, who might have 5-10 different phone numbers for different purposes. Suppose you have a voicemail-only number, which is the only number you trust the other party to have. Because it's a voicemail-only number, there's no switch you can route the call through to get the proper CID info (as outbound calls are not part of the service). Forcing callers to use *67 effectively *denies* callers the option to announce their identity - which disservices both the caller and callee.

And the *67 option is not available with all services (eg. google voice). So at the moment, the only possible way for a google voice user to protect their number is to use a spoofcard or the like.

Moreover, caller id is a lousy instrument for tracking abuse to begin with. Malicious callers can always get around it, even if it means the attacker uses a one-time offshore disposable phone number.

There's a better means to track abuse that trivializes caller id. You trace the call. The service provider records the ANI information, which can then be disclosed by court order. And those records have a standard of evidence that will work in court.

Justin • September 29, 2009 10:18 AM

I'll add that there is a Senate bill right now to prohibit CID spoofing (bill S.30).

Although I generally oppose a prohibition on CID spoofing, this bill is reasonable, because it seems to only prohibit spoofing that's done with intent to defraud, or commit a crime.

I get the impression that S.30 won't stop consumers from being able to choose which of their numbers they want to announce via CID.

Justin • September 30, 2009 6:36 AM

It occurred to me that S.30 would stifle creative, innovative uses for CID information.

E.g. one could send a free SMS message to a landphone (which is generally not SMS capable) by manipulating CID information. It would not necessarily be malicious, but could loosely be interpreted by a court as an attempt to "defraud".

Jarrad • January 11, 2010 2:14 AM

You think you have it tough?
Try living in Australia.
We have caller ID available but the number won't come up if it's a telemarketer, basically any company (such as your bank) who legitimately wants to contact you... Or even if it's a different telecommunication company! Optus customers, for example (Optus is the 2nd biggest phone company in Australia) can't see the caller ID of any Telstra (the biggest phone company in Australia) customer, we can't see any overseas number and we have to PAY if we want caller ID set up AND anyone who pays for a private number (to try to hide from telemarketers) has a hidden caller ID number as well!

Personally, I'd rather have people spoofing their caller IDs and at least get some idea of the majority of people who are calling me than to have our current setup!

hetal • February 3, 2010 12:31 PM

Sir,

I do need help. I have been getting calls and calls from everywhere and anywhere; please tell me how to stop this. Many people called me and told me that I called them... and I did not... or I have no reason to call them... Two weeks ago I changed my phone number because many people complained, so I wanted to save myself... however, people are getting calls from my old number as well as my new number.
Sometimes I get a call from my old number, which I disconnected two weeks ago, to my new number...
Since yesterday I get calls from my new number to my new number... how do I get a call from my own number... this is like a horror story... sometimes it looks like my phone is after me, to get me... like science fiction... the worst thing is... all the calls I get... they are from some or other professional services... but each service owner... has the same last name... so it is such-and-such attorney... such-and-such doctor... such-and-such construction... such-and-such cleaner... man, these same-last-name people from different states are... after my number... please, please... please... please... help me...
Thank you

hetal • February 3, 2010 12:41 PM

This is in response to Taggert.
Taggert, I feel the same way... because even though I changed my number... my known person gets calls from me... or they get calls from each other. Lately my dad gets calls from people known to me... what is that... people who happen to be in my list call my dad, and when my dad returns the call it is not really a call...
What is this...

Comments on this entry have been closed.
