
He spoofed the HR director's work phone number, then the number of that guy's boss, before moving up to a vice president, and finally, the CEO. Says he had no choice. He also says "this thing that I did is bad and should be outlawed."
What he did is perfectly legal, as you may already know, although efforts have been under way to change that.
(March 3 update: In defense of Caller-ID spoofing.)
Background: The major telecom equipment maker whose employ A.G. Bell had recently left owed him thousands in unpaid commissions, he says, yet the HR department stopped returning his calls, instead "hiding behind voicemail." Spoofing the HR director's number got his underlings to pick up the phone, at least until they wised up to that ploy, at which point Bell - a fictitious name I'm affording him to protect his current job at another telecom vendor - started spoofing numbers right on up to the top of the org chart (not to mention a White House number - seriously).
"Juvenile? Yes," Bell acknowledges. "Effective at getting past call screeners? Absolutely. Subject to horrible abuse? Totally."
He says he always identified himself honestly once he got a live voice on the line.
We've been chatting via e-mail about what he did, his minor ambivalence about having done it, and his major concerns over the ease with which others with more criminal agendas could abuse spoofing services. (Such abuse is already common, experts say.) What follows is an edited transcript:
At what point did the light go on and you thought: "Hey, I'll use a caller-ID spoofing service so they can't hide behind voice mail"?
In my mind I was a victim forced to use distasteful means to take care of my family. I worked in the converged voice space, so the mechanics of caller ID were not unfamiliar to me or to the crew of geeks that I call friends. The light went on over beers - I was complaining about the former employer's call-dodging to some engineer friends and the suggestion of using a local vendor's lab to spoof Caller ID came up. Another engineer at the table said, "Don't reinvent the wheel, just Google 'spoof Caller ID service.'" I got 32,000 hits. Spoofcard came up first.
Explain the mechanics of how Spoofcard works.
So, I gave them $20 for an hour of Caller ID misrepresentation. Although I hate that it seems to be legal for them to offer this service, I love their implementation. Speaking as an engineer and a salesman, they really built a sweet platform.
You call a toll-free number, enter your Spoofcard account number, enter the 10-digit number you wish to call, and then the 10-digit number you wish to be displayed on the recipient's Caller ID. ... Prompts go like this: Press one to record the call, two to not record; press one to use your normal voice, two to use a man's voice, three to use a woman's voice.
The conversation would be recorded with no beeps, artifacts or notification that recording was taking place, and the recording could be downloaded at leisure from Spoofcard.com. For $20 I had a complete record and recording of every call made, of every voicemail left. Beautiful.
Did you have qualms about doing it? Any concerns about legality? Ethical? Moral?
I honestly had more concern with the way it would be perceived if my claim had gone to court (perception of the judge) than over the legality or ethics of the spoofing itself. Had my former employer not been in breach of contract, been acting immorally (in my opinion) or been refusing to take or return my calls, then there is no way that I would have been able to rationalize spoofing other people's ID. To be clear - I always identified myself when the call was picked up; it was the calling party line ID that was misrepresented, not the caller (me).
Did it work for you? Did it get you what you wanted?
It worked great. Certainly it took a tactic (ignore calls, do not engage) away from my former employer, and I know that it directly generated internal dialog (Why is caller ID not working right for my phone? How did he do that? Is he allowed to do that?) which was the objective of the exercise. ... I got 100 percent of what I was owed.
Having used the service yourself, how could you see it being abused?
Say you receive a call from your bank telling you that your card is suspected of having had fraudulent use. The Caller ID says it's your bank and the toll-free number is the real number of their fraud department. You trust the Caller ID displayed and provide all the information needed for Boris in Estonia to rob you blind.
Telemarketers could use this mercilessly. Collections agencies (kind of the role I was forced into) could avoid creditor call screening. Stalkers could use this to harass their victims. ... The truth is Caller ID is near ubiquitous, it is trusted info by most people, and the abuse or fraudulent usage of such a service should be very severely punished.
Yet you went ahead and used it anyway? How can you reconcile that contradiction?
Yep, sure could appear to be hypocrisy and I'm not sure that it isn't. I'm not convinced that we do have tough enough (or clear enough) laws to penalize misrepresentation of Caller ID for criminal purposes, and there is nothing that Spoofcard did that I can see that would prevent its misuse (like announcing "Spoofcard, this call is purely for entertainment purposes" when the call connected; callback with "Spoofcard, the last call you received was a joke", etc.). I feel like a farmer that once used fertilizer and diesel to blow up a tree stump: Sure was easy, worked great, cheap, didn't hurt anyone ... but what could a bad guy do with this?
Caller-ID Spoofing is illegal as of 27-Jun-2007
From Wikipedia
"On June 27, 2007, the United States Senate Committee on Commerce, Science and Transportation passed S.704, a bill that would make it a crime to spoof caller ID. Dubbed the "Truth in Caller ID Act of 2007", the bill would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service". Law enforcement is exempted from the rule. A similar bill, HR251, was recently introduced and passed in the House of Representatives, making it a real possibility of becoming law. It has been referred to the same Senate committee that approved S.704; that committee has not yet acted on it, nor has the Senate bill been sent to the floor."
Work on your reading comprehension
It is not illegal. And you even quoted text which says as much: "A similar bill, HR251, was recently introduced and passed in the House of Representatives, making it a real possibility of becoming law." Note the 'possibility of becoming law' - as in, it is not yet a law.
All that has happened is that a committee in the Senate passed a bill, and the House passed a similar bill. The full Senate needs to act on the Senate bill before anything else happens. Then, if it passes the full vote, the Senate and House bills would need to be marked up to produce a unified bill that would be accepted by both sides. Only then could it become a law, and make the practice illegal.
Right now they're just Bills - and as School House Rock taught us, Bills aren't yet Laws. ;-)
A bill is not law. (it needs
A bill is not law.
(it needs both houses to approve it, and the president to sign it or a veto override.)
Since this has not been approved by the Senate, let alone the President, it is not law.
Re: Caller-ID Spoofing is illegal as of 27-Jun-2007
It's not illegal until matching bills have been ratified by both houses of Congress and signed by POTUS. Until then it's still legal.
Then it isn't illegal. If
Then it isn't illegal. If you recall your School House Rocks lessons, a bill is just a proposed law. It isn't a law until it is voted on by the House and Senate and signed by El Presidente.
Until then, it's just a bill, yes it's only a bill...
With regard to whether it's
With regard to whether it's a law or not, I think everyone is missing the real issue: even if it was a law, it wouldn't stop the criminals from spoofing IDs to get your personal information. Do you really think someone intent on getting your personal information is going to say, 'oh, wait; there's a law that says I can't do this. So I shouldn't.' Last I checked, criminals don't abide by the law; that's why they are criminals.
The important thing to remember is that you should never give out personal data to someone who calls you. If the caller claims to be some institution you deal with, then tell them you'll call them back. Find their number on any legitimate correspondence you have, like a bill; don't use any number they may give you.
Just my 2 cents worth....
LQTM. Too right.
LQTM. Too right.
In response to the earlier
In response to the earlier posts about 800 services not being spoofable...not true. In fact, VoIP spoofing is possible, and since the VoIP service will generate the SS7 message that contains the Caller-ID AND the other details (which in this case, will be the same as the Caller-ID), the "skipping" will not be fooled.
This technique is nightmarish in that it can be employed simultaneously with a spoof email that really creates a strong social engineering attack. Imagine that you get a call and the caller ID indicates it is your bank (or any other service). Now normally, you might be suspicious, but if the attacker also says, I'm sending you an email right now that will request entry of some of your personal data, and that email appears authentic, the victim might let their guard down enough to be fooled. Come to think of it... want to impress your Boss? Spoof your callerID and voice, and tell him you are a VP in some other part of the company, and create a story about how you (the staff member) really came through in a clinch recently, and recommending you get a raise. Indicate that you are sending an email with an attachment with more "proof" of this great deed, and you have a pretty convincing story!
It's easier with the iphone
Spoofapp makes it easier than that! No more dialing a 1-800 number or going to the website for your caller ID spoofing if you have an iphone or itouch!!
Show your office number when calling from your cell. Stop giving out your cell number to people or using *67 to block your number.
Getting someone to pick up your calls. Don't you hate it when people see your number and ignore your calls? Use a more "appealing" number to them and they'll be sure to answer.
Spoofapp
You can record your calls and change your voice too.
illegal
I just wanted to point out that it is illegal, if the person doing it is a telemarketer.
FCC Caller ID Rules for Telemarketers
Federal Communications Commission (FCC) rules prohibit telemarketers from blocking Caller ID information and require them to pass accurate caller ID numbers. FCC rules specifically require that a telemarketer:
* transmit or display its telephone number, and, if possible, its name or the name and telephone number of the company for which it is selling products or services.
* display a telephone number that you can call during regular business hours to ask to no longer be called. This rule applies even to companies that already have an established business relationship with you.
For violations of these rules, the FCC can seek a monetary fine. If the violator is not an FCC licensee, the FCC must first issue a warning and the telemarketer may be fined only for violations committed after the warning.