Caller ID Spoofing: Is There an Answer?

• By Doug Gale
• 01/13/09

Caller ID spoofing causes the caller ID display on a phone to display something other than the real caller. It isn't a new technology; it's been around since caller ID became popular. While the original spoofing implementations were somewhat kludgy, with the advent of Voice Over IP (VoIP) they became much better. It's an easy hack that endangers institutional data through "social engineering." Are your faculty and staff aware of this potential threat?

Legality
In 2004 the first commercial service offering to spoof caller IDs for a fee was launched. By 2006 commercial spoofing was covered by the popular press when SpoofCard, now one of the largest and most feature-rich of the spoofing services, suspended Paris Hilton's account because it was being used to harass Lindsay Lohan and to access her voicemail account. Now Googling "caller ID spoofing" yields more than 200,000 returns--including scores of companies who offer the service for a fee.

But is It Legal?

Yes.

While legislation has been proposed to restrict caller ID spoofing, it is currently legal, although some states have passed laws that make it illegal to spoof caller ID for certain purposes, such as "to mislead, defraud or deceive the recipient of a telephone call." Even in those states, calls for amusement or revenge are generally legal. If you are interested in a more detailed history of caller ID spoofing, check out calleridspoofing.info.

Potential for Abuse
While the companies providing these spoofing services emphasize "amusement," the mischief sometimes goes a good deal further, as in the case of a Washington State teanager who was sentenced to 30 days in jail and a $24,000 fine for using caller ID spoofing to send SWAT teams to the homes of innocent individuals--a practice known as "swatting."

It is worth noting that even though providers of spoofing services treat their call records as confidential, they do make them available under court order in cases of illegal activity. For this to be an effective deterrent to misuse, however, you have to assume that the criminal is dumb enough to use their real identity when they subscribe to the spoofing service.

There are other uses that are still merely potential threats to insitutional data security.

Does caller ID spoofing have legitimate (versus legal) uses? Certainly. For example, a professional who returns a call from a number he would rather remain private might spoof his own business number. Or the call recording feature offered by some providers could be used by a businessman to have a record of a verbal order or transaction.

How It Works in Practice
To see how the system works in the real world I went to Spoofcard.com on the Web and, being the cheapskate that I am, selected their free trial. I had to enter three telephone numbers: mine, the number to be called, and the number to appear on the called phone's caller ID. For the latter two I used my spouse's line and the phone number of one of her friends. A few seconds after I hit the "submit" key on my computer, my phone rang with the message "enter 1 to complete your call." I did so and my wife answered, "Hello Marilyn," which was her friend's name.

If that isn't easy enough, Macintosh users can even download a Widget to their desktop to make the process even easier.

The cost, after the first free call, is minimal: 60 minutes for $10. And there are additional options available, including:

• Change your voice to male or female in real time.
• Record your conversation for later download (although the company points out that it is illegal in many states to record a telephone call without informing the other party that the call is being recorded).

For the more technically inclined who want to set up their own VoIP-based caller ID spoofing service or understand how the service works, the instructions can be found in "Fake caller ID: Fun, legal and easy to do" and Rootsecure.net.

What This Means to Education
Caller ID spoofing is a really easy hack--no technical skill required. Because it is so easy and has the potential to be so damaging, we need to make sure that faculty and staff understand three basic rules:

• Protect your voicemail with a password. (When you call your own phone number you are automatically routed into voice mail.)
• Only give information to people whose voice you recognize or phone numbers that you yourself have dialed.
• Don't accept calls from financial institutions asking for account information. If you are unsure, call them back using a phone number obtained from an independent source.

The fundamentals are even easier to remember and can be summarized with a single rule:

• Rule No. 1: Caller ID is not to be trusted.

READ MORE DAILY NEWS