Caller ID spoofing: Time to check your defenses

Opinion
Mar 15, 2006 | 3 mins
Networking, Security

For years, we’ve used caller ID as an example of a “secure” identification, especially in comparison to the more “open” capabilities of IP and SMTP. For instance, it’s common knowledge that one may set one’s own IP address (even though it may or may not work in your network), and it’s beyond “Simple” to spoof the “from” field in Simple Mail Transfer Protocol (SMTP).

By contrast, we’ve pointed out that in order to spoof caller ID as an identification mechanism, one would have to have access to the service provider infrastructure. But no more.

Last week, stories hit the popular press pointing out that services are now available that allow users to specify the caller ID that is displayed when making a phone call. So, just to give it a try, we decided to make the modest investment in order to try one of the services for 60 minutes' worth of calling time.

Turned out it worked flawlessly. In fact, one of us forgot that the other was going to call back within an hour using the phone number of our buddy, Wireless in the Enterprise author Joanie Wexler. So when he saw the missed call from Joanie on his cell phone, he “returned” her call – much to her surprise. THEN he remembered that he was supposed to receive the spoofed call.

So while this was entertaining among the three of us, it’s also darned scary. Not only does the caller ID show up as the spoofed party, it’s even possible to have the system make your voice appear to be a male or female voice. (This doesn’t work perfectly. It’s clearly a synthetic voice.)

The implications are immense. If your business – from credit card verification to automatic call routing – for whatever reason depends on caller ID for security purposes, you can no longer assume that the displayed number identifies the caller, and you must re-evaluate your policies immediately.

Of course, the Web sites for the spoofing companies are loaded with disclaimers stating that this is for entertainment purposes only and may not be used for fraudulent or illegal purposes. And that does about as much good as having to click a check box on a Web site stating that you are over 18 years of age.

We always face a moral dilemma in writing about this type of capability. But let’s face it. The crooks and scammers already know this, and it’s our job to help the telecom professionals stay as few steps behind as possible. By the way, that’s the reason we’re not including the URL for the service that we tried.