Technology facilitates Caller ID spoofing

Tracing calls is a laborious process
Telephone companies can trace calls to their origin regardless of the Caller ID information they carry, but the process is laborious, especially since a call may be carried by several companies before reaching its destination. The fragmented nature of the telephone network also makes it technically difficult for the carriers to prevent spoofing.

At Verizon Communications Inc., security manager John Lewandowski said the company often gets complaints about fake Caller ID after a telemarketer has spoofed his number to cover his tracks.

In a typical case, someone will be jarred in the middle of the night by repeated telemarketing calls. He checks Caller ID, calls the number — which is false — and starts “cussing out” the person at the other end of the line, Lewandowski said.

“And that poor guy was asleep. It wasn’t him at all,” Lewandowski said. The company investigates and tracks down the callers, he added.

More troubles
Apart from fraud and telemarketing, Caller ID spoofing can be used for pranks and spying.

In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.

It’s also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox.

In a slightly more complicated fashion, spoofing was part of the technique used by a hacker who broke into Paris Hilton’s cell-phone voicemail in 2004, according to security consultant Kevin Mitnick, who said he was citing hacking sources. The hacker apparently called the celebrity socialite posing as a technical-support person from the carrier, and lured the password from her.

That is known as a “pretext” call — someone poses on the phone as a customer, employee or even a regulator to obtain personal information from companies and individuals. And indeed, while Spoofcard.com contends that its service is for “entertainment purposes,” it also notes that “Private Investigators will find Caller ID spoofing valuable for pretext calls.”

Robert Douglas, a privacy consultant in Colorado, testified before Congress last month that pretexters trade tips on finding the best spoofing services.

Red Tape: Gang warfare, hacker style There might be a gang fight raging in your bedroom or study right now. The fight is over your bandwidth and your PC processing power.

Pretexters generally claim their practices are legal, as long as they don’t involve financial information. A bill introduced in the Senate would make it illegal to pose as someone else to obtain phone records, or to buy records from phone company insiders.

Douglas would like legislation against Caller ID spoofing as well, but there appears to be little interest in Washington.

“If I’m paying extra for Caller ID, which I do ... there should be some ability on my part to believe what I’m getting,” Douglas said.

In Alaska, State Representative Bob Lynn has introduced a bill to make spoofing a misdemeanor. “False caller identification is more serious than pranks, or the annoyance of intrusive telemarketing,” Lynn writes. “It facilitates fraud, and can be potentially deadly.”

However, it is unclear what effect the bill would have. As Lynn notes, Caller ID is a federal issue.

MORE FROM SECURITY

Security Section Front

Red Tape: Holiday ‘cyberbegging’ grows on eBay Internet users lured to oppose health bills 5 things to know about Facebook’s new settings Facebook privacy revamp draws fire Facebook gives users more privacy controls Hacker to plead guilty in more store break-ins U.S. takes fight against hackers overseas Surprise! Merchants say Web fraud is down Facebook forms board on online safety Man in stolen cell phone pic turns himself in Security Section Front   Add Security headlines to your news reader: