Technology facilitates Caller ID spoofing

By Peter Svensson

updated 6:08 p.m. ET March 1, 2006

NEW YORK - Last fall, U.S. Rep. Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy.

The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what Caller ID said.

“People thought we were making the calls,” Murphy said.

The calls, which the Pennsylvania Republican estimated in the thousands, were apparently placed with fake Caller ID. That has been possible for a long time, but it generally required special hardware and technical savvy.

In the last few years, Caller ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several Web sites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware.

For instance, Spoofcard.com sells a virtual “calling card” for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

Red Tape: Gang warfare, hacker style There might be a gang fight raging in your bedroom or study right now. The fight is over your bandwidth and your PC processing power.

Caller ID spoofing appears to be legal, though many of its uses are not. The Federal Communications Commission has never investigated the issue, spokeswoman Rosemary Kimball said.

Vulnerabilities
Lance James, chief scientist at security company Secure Science Corp., said Caller ID spoofing Web sites are used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder’s home, and use the credit card number to order cash transfers that they then pick up.

Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards. Some card companies maintain, however, that they use additional means to confirm new cards. And caller ID spoofing may not work for calls to 1-800 numbers, where the hardware can identify calls using a separate technology.

Two spoofing services contacted by The Associated Press, Spoofcard.com and Telespoof.com, did not return messages seeking comment about their business. However, some of the five or so Web sites in the business don’t appear to be completely unscrupulous: James said he had been hired by a few of them, which he would not name, to help stop the Western Union scam.

Also, both Spoofcard.com and SpoofTel.com say they will surrender call logs to authorities in response to subpoenas. Spoofcard.com’s site says the service is “intended for entertainment purposes only.”

MORE FROM SECURITY

Security Section Front

Spain: Internet-related child porn on the rise Google providing better view of personal data EU agrees on new Internet user rights Red Tape: ‘Fakeosphere’ ads target consumers Internet censorship limits could be set by WTO Cubans say Craigslist-like site is blocked Security center opens to battle computer attacks Reports: N. Korea behind cyberattacks on U.S.   Is your Wi-Fi connection safe? Google Voice blocks fewer than 100 numbers Security Section Front   Add Security headlines to your news reader: