Caller ID spoofing

From Wikipedia, the free encyclopedia

Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, caller ID spoofing can make a call appear to have come from any phone number the caller wishes. Because of the high trust people have tended to have in the caller id system, spoofing can call the system's value into question.

Contents 1 Providers 2 Technology and methods 3 Legislation 4 History 5 References 6 External links

[edit] Providers

To use a typical spoofing service, customers pay in advance for a PIN allowing them to make a call for a certain amount of minutes. To begin, customers dial the toll free number given to them by the company and enter their PIN. After which they enter the number they wish to call and the number they wish to appear on the caller ID. Once the customer selects the options, the call is bridged and the person on the other end receives the customer's call. Assuming caller id is used on the receiving end the receiver would normally assume the call was coming from a different phone number (the spoofed number chosen by the caller) than the caller's actual number, thus tricking the receiver into thinking the call was coming from a different individual or organization than the caller's. Most providers work similar to a pre-paid calling card.

The above method is a bit complex, many Caller ID spoofing service providers also allow customers to initiate spoofed calls from a web-based interface. Some providers allow entering the name to display along with the spoofed Caller ID number, but in most parts of the United States for example, whatever name the local phone company has associated with the spoofed Caller ID number is the name that shows up on the Caller ID display.

Using a web-based spoofing service involves creating an account with a provider, logging in to their website and completing a form. Most companies require the following basic fields:

1. Source number
2. Destination number
3. Caller ID number

When the user completes this form and clicks a button to initiate the call, the source number is first called. When the source number line is registered, the destination is then called and bridged together.

Some providers also offer the ability to record calls, change the voice and send SMS text messages.

A new way to make spoofed calls started making its way around the internet in March 2008. A company by the name of SpoofApp launched a caller id spoofing application that runs on the Apple iPhone. With the integration of the users contacts list, a call can be made by just clicking on a phone number.

[edit] Technology and methods

Caller ID is spoofed through a variety of methods and different technology. The most popular ways of spoofing Caller ID are through the use of Voice over IP or PRI lines.

Another method of spoofing is that of emulating the Bell 202 FSK signal. This method, informally called orange boxing, uses software that generates the audio signal which is then coupled to the telephone line during the call. The object is to deceive the called party into thinking that there is an incoming call waiting call from the spoofed number, when in fact there is no new incoming call. This technique often also involves an accomplice who may provide a secondary voice to complete the illusion of a call waiting call. Because the orange box cannot truly spoof incoming caller ID prior to answer, and relies to a certain extent on the guile of the caller, it is considered as much a social engineering technique as a technical hack.

Other methods include: switch access to the SS7 network; and social engineering telephone company operators, who place calls for you from the desired phone number. Another method that is not used as often is VXML, which was gaining popularity before VoIP took over.

It used to be a lot hard to spoof caller ID however with freely available software (such as Asterisk PBX and almost any VOIP company one can spoof calls.

[edit] Legislation

On June 27, 2007, the United States Senate Committee on Commerce, Science and Transportation passed S.704, a bill that would make it a crime to spoof caller ID. Dubbed the "Truth in Caller ID Act of 2007", the bill would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service". Law enforcement is exempted from the rule. A similar bill, HR251, was recently introduced and passed in the House of Representatives, making it a real possibility of becoming law. It has been referred to the same Senate committee that approved S.704; that committee has not yet acted on it, nor has the Senate bill been sent to the floor. ^{[1] [2]}

[edit] History

Caller ID spoofing has been available for years to people with a specialized digital connection to the telephone company, called an ISDN PRI circuit. Collection agencies, law enforcement officials, and private investigators have used the practice, with varying degrees of legality.

The first mainstream Caller ID spoofing service, Star38.com, was launched in September 2004. Star38.com was the first service to allow spoofed calls to be placed from a web interface. It stopped offering service in 2005, as a handful of similar sites were launched.

In August 2006, Paris Hilton was accused of using caller ID spoofing to break into a voicemail system that used caller ID for authentication. ^[3]

Frequently, caller ID spoofing is used for prank calls. For example, someone might call a friend and arrange for "The White House" to appear on the recipient's caller display. In December 2007, a hacker used a Caller ID spoofing service and was arrested for sending a SWAT team to a house of an unsuspecting victim. ^[4] In February 2008, a Collegeville, Pennsylvania man was arrested for making threatening phone calls to women and having their home numbers appear "on their caller ID to make it look like the call was coming from inside the house."^[5]

In March 2008, several residents in Wilmington, Delaware reported receiving telemarketing calls during the early morning hours, where the caller had apparently spoofed its Caller ID to evoke the 1982 Tommy Tutone song 867-5309/Jenny.^[6]

There are legitimate reasons for modifying the caller ID sent with a call, such as commercial answering service bureaus which forward calls back out to a subscriber's cell phone, when both parties would prefer the CNID to display the original caller's information. Also, business owners have been known to use Caller ID spoofing to display their business number on the Caller ID display when calling from outside the office (for example, on a mobile phone)

[edit] References

1. ^ Senate Bill S.704. Retrieved from http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00704:.
2. ^ House Bill HR251. Retrieved from http://thomas.loc.gov/cgi-bin/bdquery/z?d110:HR251:.
3. ^ Paris Hilton accused of voice-mail hacking | InfoWorld | News | 2006-08-25 | By Robert McMillan, IDG News Service
4. ^ Hacking caller id systems on the rise - FOX16.com
5. ^ KYW Newsradio 1060 Philadelphia - Man Pleads Guilty to Making Scary Phone Calls
6. ^ Telemarketer's Call Invokes Old Hit Song, (Associated Press, March 11, 2008)

[edit] External links

• Prank Calls, 21st-Century Style
• Spoofing: Creepy prank hits here
• BBC News
• Washington Post
• Wired News report of FCC investigation
• California State Senate Bill SJR15-Florez
• VIDEO - Obscene Caller Used Web Site To Hide Identity, Change Her Voice, Police Say