
Caller ID Spoofing Becomes Easy 168

Posted by CowboyNeal
from the clue-phone-ringing dept.
objekt writes "According to an article in USA Today, Caller ID spoofing has become much easier in the last few years. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several websites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware. For instance, Spoofcard.com sells a virtual 'calling card' for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex."
This discussion has been archived. No new comments can be posted.

  • Dupe spoofing (Score:1, Interesting)

    by Anonymous Coward
  • Whatsa matter? (Score:2, Insightful)

    by PatTheGreat (956344)
    What's the major concern over ID spoofing? That people are going to be calling their friends, pretending to be from the White House (The number, by the way, is 202.456.1414)? I think spoofing is cool, but I don't think it's gonna have major impact on anything. When was the last time someone used caller ID as an end-all form of identification?
    • if the caller id says the white house is calling, chances are, a regular average joe will pick it up, expecting the white house. spoof yourself as google and call yahoo, see if you can make any impact
      • And I get emails all the time claiming that our friend, the deposed Nigerian Prince needs only my help and my bank account number.

        Same concept, I think.

      • The average joe probably isn't going to recognise that it is the telephone number of the white house.

        And outside the cell phone sector, how many people actually have call display features on their phone?
    • Re:Whatsa matter? (Score:4, Interesting)

      by Anonymous Coward on Thursday March 02, 2006 @08:25PM (#14839337)
      During a pen-test to social engineer a user into changing her proxy setting to a server that we "owned". While caller ID spoofing might not fool you, the "masses" actually do use it as a form of "authentication". For example, we called as a major telco representative claiming that we had reports of "slow Internet traffic" from their site. The caller ID spoofing was enough to fool the employee to do pretty much anything we asked.

      Many, many people believe spoofing is a valid form of "making sure".
      • These sites are catering to more people who have nefarious intentions than benign ones. There are few legitimate uses for call spoofing (law enforcement sting ops being one that comes to mind); and most of the people who would -need- this service (aforementioned law enforcement) have the tools to do it themselves.

        With all the scams that use a veneer of authority to fool people into all sorts of financial, political, or other loss, this spoofing only gives those fraudsters another tool to use when defrauding
    • Re:Whatsa matter? (Score:1, Insightful)

      by Anonymous Coward
      The people that aren't in the know are going to be giving up confidential information way more easily. Heck, if someone from the "police" calls about a disturbance, what's the likelihood of you reporting it.


      But the real kicker is now I can get that girl I'm stalking to pick up her phone, cause she keeps screening me and all my friends' numbers.

      • I know it was a joke, but it's something I never understood about spammers and the people that reply to email that they receive under obviously falsified information... for example: "Re: account past due", and the email is about viagra, I never understood why on earth they would do it.

        Why would someone buy anything at all from someone who got their attention through fraudulent means? The sad thing is that not only do the spammers think that someone would do it, but worse is that people DO buy things from t
    • When was the last time someone used caller ID as an end-all form of identification?

      Let's see... about 13 seconds ago. Maybe less.
    • Banks and cell phone companies, in particular, will insist you call from the phone number 'known' to be associated with your address.

      Banks... need I explain?
      Cell phone companies... how much easier could it be to get someone's records?

      While many companies don't use the phone number as an "end-all form of identification," unfortunately, too many of them use it as a first line of ID.
      • Not just banks, but Network Solutions did this as well with one of my customers last year. The call was legitimate, but it was simplicity to change the CLID on our phone system to match the number they expected the call to come from.
    • by nurb432 (527695)
      It's about people causing trouble for others, to hide their identity. Such as an ex-spouse that has a restraining order, or scam artists "we are with the police, see even our caller ID says so".

      People screwing with their friends isn't a reason to even care, I agree.
    • When was the last time someone used caller ID as an end-all form of identification?

      It happens all the time on common voice mail setups. A certain major "orange" nationwide American cellular carrier's voicemail system, at least in my area, authenticates by caller ID. Unless the user has set a PIN and has set the system to ask for that PIN every time, caller ID spoofing will allow access to their voicemail. Most people don't even know this setting exists, and on this carrier's voicemail setup, it's not easy to

      • A certain major "orange" nationwide American cellular carrier's voicemail system, at least in my area, authenticates by caller ID.

        I would imagine that this is somewhat more secure, since both your phone and their voicemail system are on their network. When they authenticate using caller ID, they also have your mobile phone's unique identifier that is used for billing, and so they can guarantee that you are who you claim to be. Caller ID spoofing will not work there.

        • It does. I said it authenticates by caller ID because it authenticates by caller ID and caller ID only (unless it's set to ask for the PIN), not because I wanted to sound intelligent. Calling the voicemail center number with falsely set caller ID will indeed give you access to a customer's voicemail box.

          Furthermore, your on-network conjecture is false. There is no guarantee that I, or any other customer of said wireless company, is on that company's own GSM network. A customer could be roaming on a competit
    • Re:Whatsa matter? (Score:2, Interesting)

      by JRock911 (848012)
      Junk faxing, for one thing. I get junk faxes CONSTANTLY and you can never, EVER trace the numbers back to a real number.

      Basically it allows the unscrupulous telemarketers an out.. they can't be traced! The fax doesn't have anyone's name on it, the company who they're promoting "claims" to never have heard of them... all the while they're getting paid.
    • Most of your credit card companies use CallerID to verify a new credit card activation. All you need is the 16 digit number and fake the CallerID of the cardholder and you can activate most cards.

      I'm not paranoid because I shred everything with my name/address/account info on it before I put it in the trash. Before starting that practice, I had 3 different accounts at two different residences opened and abused before I even knew about them.
    • That's just not the point at all.

      Caller ID is a paid service. The telcos make millions a month selling that and other "services", all of which come with the switching equipment, it costs them nothing to give it to you, but they get paid by you. It might be bundled but it is never free. One way or another they are getting paid.

      Now it is found to be unreliable. It turns out the telcos have an insecure system. They've known about it for years, they haven't done anything whatsoever to secure it, and they
  • by spyrochaete (707033) on Thursday March 02, 2006 @08:18PM (#14839285) Homepage Journal
    What really annoys me is that you can subscribe to caller ID and some numbers still appear as "withheld". It's no surprise that you can pay more to upgrade your caller ID to see those numbers. In Canada anyway. False advertising much?

    BTW there was an issue of 2600 with a great CID\ANI spoofing article. I think it was winter 2004.
    • Yeah, I've always really hated that shit. You should not be able to block caller ID. Want to be anonymous? Use a payphone with a paid-with-cash calling card. If I ever have another land line I'm gonna get one of those boxes that tells you to fuck off if you have caller ID blocking. I want to know who's calling me!
    • "What really annoys me is that you can subscribe to caller ID and some numbers still appear as "withheld". It's no surprise that you can pay more to upgrade your caller ID to see those numbers. In Canada anyway."

      As a Canadian who writes telephony software for a living I can assure you that it is not true.

    • Doesn't "Anonymous phone call rejection" work? It worked for me.
    • I work with a lot of large scale telco lines and just thought you would like to know that the incoming caller ID blocking is actually being done by the switched networks. If you get a toll-free T1 line with direct connecting 800 numbers every caller id is retrieved, even if you block it at your cell phone or your carrier. The main reason is that since you (as the owner of an 800#) are paying for the person to call you you reserve the right to know who they are (and possibly reject their call). I always t
    • There are some circumstances in which CLI ("Calling Line Identification" - a more appropriate term than Caller ID because CLI doesn't identify the caller, only the line they're calling from) is just about the only screening feature available. Cellphones are an example. Generally though the service is provided "for free" with cellphones.

      For landlines, there is absolutely no reason to subscribe to CLI. I don't recommend it. As you say, it doesn't even identify all numbers, only those on cooperating networks

  • "The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex."

    I've been waiting years for Scream: Home Edition!
  • I hope that this won't lead to more fraud and scams. I hope that the reason people don't commit crimes against other people is because of moral reasons (absolute or relative), and not because they fear getting caught.
    • Keep dreaming buddy. I'm sure 99% of crimes that never get committed aren't because of the moral mumbo jumbo.

      For example:

      I don't morally object to running in to the White House naked...I'd just rather not get caught.
    • Doing or not doing something because it is the "right thing" is often the worst reason.

      It's a terrible reason, because anyone can justify anything by saying "well, it was the right thing to do."

      Note the emphasis on anyone. Some of the worst crimes in history have been perpetrated because it was the "right thing" to do.

      There is no such thing as an 'absolute' moral. All morals are relative and as such, the "rightness" of any action is relative.

      Relying on people's moral compass to guide their actions is an inv
      • That's why I said absolute or relative in my original post. We do all have empathy wired into our brains though.
  • Not really... (Score:3, Interesting)

    by 222 (551054) * <stormseeker&gmail,com> on Thursday March 02, 2006 @08:21PM (#14839306) Homepage
    Anyone that manages a VoIP setup can fool simple caller ID, I'll be impressed with something that can fool ANI.

    More information about CLI @ http://www.ainslie.org.uk/callerid/cli_faq.htm [ainslie.org.uk]
    • Actually, weren't ISDN customers fooling ANI in the past, because the service essentially jacks your circuit directly in to the telco switch? I seem to recall people spoofing caller ID info by feeding false ANI data through one of the carrier "D" channels on ISDN?
      • Re:Not really... (Score:3, Informative)

        by AlterTick (665659)
        Actually, weren't ISDN customers fooling ANI in the past, because the service essentially jacks your circuit directly in to the telco switch? I seem to recall people spoofing caller ID info by feeding false ANI data through one of the carrier "D" channels on ISDN?

        No, ANI and CID exist totally separate from one another. ANI is keyed directly to your circuit ID and is utterly beyond your reach there at the end of the pipe, be it POTS, ISDN, T1, or whatever. ANI is used for billing, and is the basis for what law

        • Just to clarify (nit-pick?), you can set your CID number, but not your CID name (well, you can set it, but it normally has zero effect). That info is set on the far end of the call.

          When the callee's carrier receives the call, it does a database lookup to find the name associated with the caller's number. If the caller's and the callee's providers don't share their CID name databases with each other, then the name field is populated with "Unknown", "Out of State", "Michigan Call", etc.
    • Re:Not really... (Score:2, Informative)

      by BlakeOPS (807857)
      ANI is a generic industry term. To be more specific, the "holy grail" of spoofing is the Charge Number field (in the SS7 IAM), which Greyarea explains how to do here: http://www.dailyphreak.com/2005/12/25/spoofing-charge-number/ [dailyphreak.com]
      • With a bit of social eng it's fairly easy to get what I know as a billing telephone number (BTN) and calling party number changed simply by calling the local telco.
        I honestly don't know enough about telephone systems to know if we're talking about the same thing, I've just dealt with these things managing our Cisco voip setup at work.
    • Re:Not really... (Score:2, Informative)

      by nuckfuts (690967)

      ... I'll be impressed with something that can fool ANI.

      As is discussed here [verizonfears.com].

  • I thought you could already block your number from being readable by caller ID? *67 then dial the number of the person you wish to reach. Spoofing is something quite different, but if you don't want to give out your number, the option is already there. cheers.
  • For some reason this reminds me of the scene in Bicyclops Built For Two where Bender disguises himself as a naughty nurse and starts charging people $2.99 a minute.
  • It's nice to finally not have to use a computer to do this. Although the "card" you get is just an email, being able to do spoofing via a cell phone from anywhere is incredibly handy.
  • Not just for IRC anymore.
  • CNBC's "On the Money" is reporting on this right now. A Colorado congressman will be introducing a bill to make this illegal. Hopefully it will do so. I canned my landline a year ago and I get no BS calls on my cell phone. My life has become more peaceful and this does not affect me right now. This may change, I am sure, as more people do this. However, for the time being I am ok.

    Incidentally, "On the Money" broke the story about the cell phone records for sale on the net. They did not drop the story until Con
    • The reason TFA is 'news' is because the caller-id spoofing happened to a Congressman.

      This shit only becomes a problem when someone with the authority to fix it gets affected.

      If Politicians and Captains of Industry had their own special privacy laws, the rest of us would get shit.
    • On the other hand, there are quite a few legitimate uses for this. For example; I have a channel bank hooked into an * box ( asterisk; ask for it by name! ). When any of my users make a phone call out, I want it to look like it's coming from the first line in the hunt group in case anybody uses that number to call back. I do not want them calling the hunt group lines, as I can do some magic with those and hook them directly up to phone extensions as need be, while at the same time being a part of the h
      • If they make it illegal to change the CID, I hope they are going to dedicate a ton of cash to making sure it's enforced. Otherwise it'll just be another bullshit law that most people ignore.

        If they added an 'intent to deceive' clause, I'd be happy. What you describe is perfectly fine, but someone spoofing MBNA is probably up to no good.

  • The real question is: what happens to wire taps? Does this invalidate the wire taps, or is this just another hindrance that wire taps can look past?
    • It shouldn't have any effect on wiretaps.
    • The real question is: what happens to wire taps? Does this invalidate the wire taps, or is this just another hindrance that wire taps can look past?

      Caller ID is really little more than a "toy" service, designed for the convenience of consumers. All the real call identification-- such as for billing, or wiretaps, or traces-- is via the ANI (Automatic Number Identification) system. ANI is completely separate from the Caller ID system, and is linked directly to your circuit ID rather than being defined by t

      • However, more than once I've turned up phone installs that had incorrect ANI. Either wrong numbers, which often list wrong company names, or at least wrong addresses. It's not as if you can "order" messed up ANI or change it, but if you had one of these circuits, I don't know how easily, or even if, the telco could back track it.
        • However, more than once I've turned up phone installs that had incorrect ANI. Either wrong numbers, which often list wrong company names, or at least wrong addresses. It's not as if you can "order" messed up ANI or change it, but if you had one of these circuits, I don't know how easily, or even if, the telco could back track it.

          Yeah, I've seen that too. Thing is, the whole thing is keyed to the circuit ID, which is usually a physical port at the CO. The rest is just database links. If dialing the number

  • I don't have caller ID, but I have a friend who does and loves it -- it is even set to display on the TVs, so they know if they want to pause TV/Movie "X" and answer the phone. They also don't answer an unidentified caller very often, which nixes most calls from phone sales companies -- and I would be willing to wager a few $$ that these companies would be more than willing to use the technology to get you to answer the phone. Same goes for people attempting to defraud the elderly and disabled.

    However,

  • by Nybble's Byte (321886) on Thursday March 02, 2006 @08:28PM (#14839361) Journal
    The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

    And may I ask why this would be of interest to Slashdotters?

    Oops, gotta go, my girlfriend's calling.
  • by inertialmatrix (675777) on Thursday March 02, 2006 @08:32PM (#14839385)
    Is it just me, or do others also prefer to not answer the phone and opt instead to have the answering machine pick up in order to screen calls? I became so sick of getting multiple telemarketing calls between the hours of 5-10pm that I decided to just turn the ringer on its lowest volume setting, and let the machine answer.

    I know it may seem a bit obnoxious, but I am the one paying the bill and it would seem to me that the phone is for my convenience, not someone else's.
    • I became so sick of getting multiple telemarketing calls between the hours of 5-10pm that I decided to just turn the ringer on its lowest volume setting, and let the machine answer.

      If you're in the USA, I assume you're already on the national do-not-call list. Past that, if you want a solution, answer the phone, and just tell them before they even get started, "please put me on the do not call list." Really, it's as simple as that. Just repeat the magic phrase, and telemarketing calls will dry up. I did

      • The new scam now is people calling doing "surveys".

        These are immune from calling list rules. In any case, I am amazed you spent 6 months of agro to solve a problem you could have solved for $100 with this:

        http://www.privacycorps.com/products/?id=20 [privacycorps.com]

        What's it worth not to have to go over and look at the caller ID, or getting a call in the middle of the night and having it be a farking fax machine?

        This device lets you program an action for each phone number. Perhaps the coolest thing is that you can program

        • Whitelisting. It had to happen. Not just to email, but to phones as well. When you get cheap and ubiquitous communication, keeping an unlisted phone number/email address isn't enough.

          Of course, you don't have to be black and white -- you can have devices that trust things increasingly more (this person can leave a message, this person cause your phone to ring, etc), and the whitelists don't have to be manually created.

          I expect that making this sort of functionality easily usable to the typical consumer i
        • These are immune from calling list rules.

          I don't know about that, but telling them to put me on the do-not-call list seems to work. Sure, I could screw around with caller ID solution, but I think it's much better to not have the phone ring at all. I can't even remember my last telemarketing/survey call. I'd say it's been years, but I'm sure there's something I'm not remembering. But it's so infrequent that it's effectively zero. I pick up the phone completely without fear.

          I suppose it's useful if you ha

          • but I think it's much better to not have the phone ring at all.

            That is what this box does.. you wire it first in the phone line, and all other phones plug into it..

          • So, you think a man should be allowed to cry "fire" in a crowded theater, and he's not responsible for the deaths that will ensue? Is that your definition of "freedom"?
            Because this is exactly what your sig's post brings: a man that was arrested for inciting racial hatred -- causing a lot of deaths in the process, because every time the neo-nazis come out of the closet they bring with them their personal "final solution", and you know it.
            • So, you think a man should be allowed to cry "fire" in a crowded theater, and he's not responsible for the deaths that will ensue? Is that your definition of "freedom"?

              There is a huge difference between inciting a panic in a crowded space, and having the thought police arrest someone for thinking the wrong thoughts.

              Because this is exactly what your sig's post brings: a man that was arrested for inciting racial hatred -- causing a lot of deaths in the process, because every time the neo-nazis come out o

        • You can do exactly the same thing with software, but it only runs on a Mac Mini.
    • Is it just me, or do others also prefer to not answer the phone and opt instead to have the answering machine pick up in order to screen calls? I became so sick of getting multiple telemarketing calls between the hours of 5-10pm that I decided to just turn the ringer on its lowest volume setting, and let the machine answer.

      There was a time when the phone rang and you answered it because it was somebody you actually wanted to talk to. How times have changed.

      Unless I'm absolutely sure of the phone number

    • Under title 47 of the Code of Federal Regulations it is illegal for telemarketers to spoof caller ID, so don't sweat it. If you want to read the section of law, google for "47 CFR 64.1600" and feel free to use the "I'm feeling lucky" button.

    • I don't need to -- I get very very few unwanted calls.

      But then, I'm not in the US. Here in the UK it's illegal [tpsonline.org.uk] to make unsolicited direct marketing calls to people who've registered with the Telephone Preference Service. (There's a corresponding service [fpsonline.org.uk] for faxes, too.)

      I'm registered, and it works! I get unwanted calls only every few months. (Where they're from the UK, the very mention of the TPS normally causes them to ring off. Though I did have a nice discussion with one local company who'd clear

  • I have caller ID on both my TV and my phone. When the phone rings, each one displays a different number. Just because you pay extra for a service doesn't mean it's secure or reliable. It's just an added convenience.
    • The phone next to my TV doesn't have caller-id.

      If you're expecting a call, answer the phone.
      Otherwise, I'll just let it ring and check later to see who it was.

      But yea, how does your TV have Caller ID and where can I get mine? Is it free?
      • In Saskatchewan anyway, MaxTV is a Digital Subscriber Line TV service offered by Sasktel. I don't know if caller display on the TV works for any Max customer who pays $4+$3.80 a month for name and number display on their phone bill, or if they charge another $3.80ish fee for that. I don't know if the on screen display of the phone number would be recorded on a VHS recording, I'd guess it would, so I'd like to have the ability to turn the feature off, or on at my command.

        http://www.sasktel.com/ [sasktel.com] will tell y
  • According to this Wired article [wired.com]:

    The FCC is demanding business records from both companies [TeleSpoof and NuFone], as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

    Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

    I suspect they'll target more of these kinds of services, so you're probably safest setting up your own PBX at home.

  • OLD NEWS (Score:2, Interesting)

    by cuebei (524667)
    Dude, this has been available for years. Any ISDN PRI has this ability built in. In fact, most phone systems on the market include the ability to modify the calling party's number on a per extension basis, if connected to an ISDN PRI. The best part, is that you only have to spoof the number. If the receiver subscribes to callerid with name lookup, it will automatically lookup the name for the number I put in.
  • by Anonymous Coward
    I just installed a PRI card in a PBX at work. The outbound caller ID was hosed at first and lots of stuff was broke because traditional phone systems ... whatever, you always mod me 0 anyway
  • See, the right way to deal with this would be to just ram everything through an encrypted and authenticated tunnel produced by the phone at each end.

    Of course, that would piss the FBI off to no end, and be illegal, but it would solve the problem.

    Of course, since this would require a digital connection, it'd probably be easier to just use VoIP than to run everything through a modem.

    Something like this [slashdot.org].
  • by sgent (874402)

    I hope the publicity doesn't curtail legitimate uses.

    For instance, more than a few doctor's offices use caller ID spoofing to have call centers call patients to confirm / remind appointments.

    These calls are legitimate, authorized in writing by patients, and spoofing is an integral part of doing the service. Patients tend to answer West Main Clinic (who is responsible for hiring the contractor), rather than ABC Call Services. Also, calling ABC Call Services to reschedule is useless as they can't make/cha

    • These calls are legitimate, authorized in writing by patients

      Let me guess. That written authorization comes somewhere on the two page "privacy policy" that ends with the phrase:

      We may change this policy at any time without your consent.

      I hand them my privacy policy instead.

  • I once got a call from caller id 911-999-9999 or something beginning with 911 (obviously bogus). It was a prerecorded message alerting me of a snow emergency. Not even sure how they got my number, but it was unprofessional to leave that bogus #.

    They could have just left the snow plow hotline.
  • I was under the impression Telcos can check that the CID being reported is actually allocated to that line or at least within the range of numbers that belong to that trunk (say, on an ISDN PRI).

    I thought that here in Australia (with Telstra at least), a badly configured CID would not get passed onto the called party...
    • That's certainly the way it works in the UK - while I can program any CID I like into the PBX, if it doesn't match one of the numbers the line provider has for me, it doesn't get transmitted.

      Businesses who legitimately want to send a different number to the number of the line can request it, but you have to own both numbers.
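
The provider-side check described in the two comments above, sketched as an added example (not code from any poster or carrier): a number the customer's PBX presents is passed on only if it falls in a block allocated to that trunk or is another number the customer has proved it owns. The `Trunk` record, the fallback to the line's own number, the UK default country code and all sample numbers are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trunk:
    line_number: str                         # number the provider assigned to the line
    ranges: tuple = ()                       # inclusive (first, last) blocks on this trunk
    verified_extra: frozenset = frozenset()  # other numbers the customer proved it owns


@dataclass(frozen=True)
class Decision:
    sent: str       # number passed on to the called party
    accepted: bool  # True when the customer's presented number was used
    reason: str


def normalise(raw, country_code="44"):
    """Reduce a dialled-style number to E.164 digits, or None if implausible."""
    digits = re.sub(r"[\s().-]", "", raw or "")
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        # National format: assume the trunk's own country (hypothetical default).
        digits = country_code + digits[1:]
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return digits


def owns(trunk, number):
    """True if the normalised number belongs to this customer."""
    if number == trunk.line_number or number in trunk.verified_extra:
        return True
    # Equal-length digit strings compare the same way as the integers do.
    return any(len(number) == len(first) and first <= number <= last
               for first, last in trunk.ranges)


def screen(trunk, presented_raw):
    """Decide which calling number leaves the provider's network."""
    presented = normalise(presented_raw)
    if presented is None:
        return Decision(trunk.line_number, False, "malformed presented number")
    if owns(trunk, presented):
        return Decision(presented, True, "allocated to this customer")
    # Assumed fallback: send the line's own number instead of the claim.
    return Decision(trunk.line_number, False, "not allocated to this customer")


def refused(trunk, calls):
    """Presented numbers that were not passed on, for logging or alerting."""
    return [raw for raw in calls if not screen(trunk, raw).accepted]


# Constructed sample data: a trunk with a ten-number block and one extra
# verified number, followed by values a PBX might present on outbound calls.
CLINIC = Trunk(
    line_number="441632960100",
    ranges=(("441632960100", "441632960109"),),
    verified_extra=frozenset({"441632960500"}),
)
SAMPLE_CALLS = ["01632 960105", "+44 1632 960500", "+44 1632 960777",
                "+1 202 555 0100", "anonymous", ""]

if __name__ == "__main__":
    for raw in SAMPLE_CALLS:
        d = screen(CLINIC, raw)
        print(f"{raw!r:20} -> sent {d.sent} ({d.reason})")
```

The refused list is the part worth logging: repeated out-of-range presentations from one trunk indicate either a misconfigured PBX or an attempt to present someone else's number.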
  • by Hosiah (849792)
    and you thought phreaking was dead...
  • This service will also change your voice and record calls for you.

    GEE. This sounds like it's a trap from the Feds if you use this calling card stuff.

    Some dummy stalker uses this card for a callerID spoof and voice change, calls his victim... 3 hours later the cops show up. Nice.
