This month's topic is about caller id manipulation.
Recently, Caller ID spoofing has become much easier and more prevalent. Millions of people have Internet based telephone equipment that can be set to make any number appear on a Caller ID system. And to make this process even easier, several web sites have popped up to provide Caller ID spoofing services. These sites eliminate the need for any special hardware or software.
For purposes of this article, we will examine the site, https://www.spoofcard.com. They sell a virtual "calling card" for $10 that provides you with an hour of calling time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides you with an optional voice scrambling feature, to make the caller sound like someone of the opposite sex, either male or female. Currently Caller ID spoofing appears to be legal, though many of its uses are not and according to the Federal Communications Commission web site, it has never investigated this practice.
Some Caller ID spoofing web sites appear to be used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder's home and use the credit card number to order cash transfers that they then pick up. Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards. Some card companies claim that they use additional means to confirm new cards. And caller ID spoofing may not work for calls to toll free numbers, where the hardware can identify calls using an additional technology.
Telephone companies can trace calls to their origin regardless of the Caller ID information they carry, but the process is labor intensive, since a call may be carried by several companies before reaching its destination. The fragmented nature of the telephone network also makes it technically difficult for the carriers to prevent spoofing. It's also fairly easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox. In a similar incident, spoofing was part of the technique used by a hacker who broke into Paris Hilton's cell phone voice mail in 2004. The hacker apparently called her by posing as a support person from her carrier and persuader her to give up her password. This technique is known as a "pretext" call, where someone poses on the phone as a customer or employee to obtain personal information from companies and individuals. And while spoofcard.com seems to be a service that is used for "entertainment purposes," it also notes on their web site that "Private Investigators and Law Enforcement" will find Caller ID spoofing valuable for pretext calls."
There you have it. False caller identification is more serious than pranks, or the annoyance of intrusive telemarketing. It facilitates fraud and can be potentially used for more sinister practices. So the next time you receive a phone call from a familiar number and you do not recognize the voice on the other end, you might want to ask who it is.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at firstname.lastname@example.org.
We Manage Risk, So You Can Manage Your Business
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2011-03-22 Michael Desrosiers
The primary duty of an exception handler is to get the error out of the lap of the programmer and into the surprised face of the user. (Verity Stob)