Caller ID Spoofing: Is There an Answer?


Caller ID spoofing causes the caller ID display on a phone to display something other than the real caller. It isn't a new technology; it's been around since caller ID became popular. While the original spoofing implementations were somewhat kludgy, with the advent of Voice Over IP (VoIP) they became much better. It's an easy hack that endangers institutional data through "social engineering." Are your faculty and staff aware of this potential threat?

Legality
In 2004 the first commercial service offering to spoof caller IDs for a fee was launched. By 2006 commercial spoofing was covered by the popular press when SpoofCard, now one of the largest and most feature-rich of the spoofing services, suspended Paris Hilton's account because it was being used to harass Lindsay Lohan and to access her voicemail account. Now Googling "caller ID spoofing" yields more than 200,000 returns--including scores of companies who offer the service for a fee.

But Is It Legal?

Yes.

While legislation has been proposed to restrict caller ID spoofing, it is currently legal, although some states have passed laws that make it illegal to spoof caller ID for certain purposes, such as "to mislead, defraud or deceive the recipient of a telephone call." Even in those states, calls for amusement or revenge are generally legal. If you are interested in a more detailed history of caller ID spoofing, check out calleridspoofing.info.

Potential for Abuse
While the companies providing these spoofing services emphasize "amusement," the mischief sometimes goes a good deal further, as in the case of a Washington State teenager who was sentenced to 30 days in jail and a $24,000 fine for using caller ID spoofing to send SWAT teams to the homes of innocent individuals--a practice known as "swatting."

It is worth noting that even though providers of spoofing services treat their call records as confidential, they do make them available under court order in cases of illegal activity. For this to be an effective deterrent to misuse, however, you have to assume that the criminal is dumb enough to use their real identity when they subscribe to the spoofing service.

There are other uses that are still merely potential threats to institutional data security.

Does caller ID spoofing have legitimate (versus legal) uses? Certainly. For example, a professional who returns a call from a number he would rather remain private might spoof his own business number. Or the call recording feature offered by some providers could be used by a businessman to have a record of a verbal order or transaction.

How It Works in Practice
To see how the system works in the real world I went to Spoofcard.com on the Web and, being the cheapskate that I am, selected their free trial. I had to enter three telephone numbers: mine, the number to be called, and the number to appear on the called phone's caller ID. For the latter two I used my spouse's line and the phone number of one of her friends. A few seconds after I hit the "submit" key on my computer, my phone rang with the message "enter 1 to complete your call." I did so and my wife answered, "Hello Marilyn," which was her friend's name.

If that isn't easy enough, Macintosh users can download a Widget to their desktop to simplify the process further.

The cost, after the first free call, is minimal: 60 minutes for $10. And there are additional options available, including:

  • Change your voice to male or female in real time.
  • Record your conversation for later download (although the company points out that it is illegal in many states to record a telephone call without informing the other party that the call is being recorded).

For the more technically inclined who want to set up their own VoIP-based caller ID spoofing service or understand how the service works, the instructions can be found in "Fake caller ID: Fun, legal and easy to do" and Rootsecure.net.

What This Means to Education
Caller ID spoofing is a really easy hack--no technical skill required. Because it is so easy and has the potential to be so damaging, we need to make sure that faculty and staff understand three basic rules:

  • Protect your voicemail with a password. (When you call your own phone number you are automatically routed into voicemail.)
  • Give information only to people whose voice you recognize or at phone numbers that you yourself have dialed.
  • Don't accept calls from financial institutions asking for account information. If you are unsure, call them back using a phone number obtained from an independent source.

The fundamentals are even easier to remember and can be summarized with a single rule:

  • Rule No. 1: Caller ID is not to be trusted.


About the Author

Doug Gale is president of Information Technology Associates, LLC (www.it associates.org), an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.
