Security Focus
This is the President's Office Calling....
A Short (Fictional) Story
The telephone rang at 4:56 p.m. in the Admission's office. Elaine almost didn't answer until she noticed that the caller ID showed that the call came from the President's Office. "Registration Office, Elaine speaking," she pleasantly responded into her headset. The equally pleasant response was, "Hi Elaine, my name is Bill, and I'm new in President Smith's office. Everyone said you were the person to help me. The President would like some information about one of our applicants, the one that's the senator's daughter. Can you help me?" "Sure, you've called the right place," Elaine responded as she glanced at her watch.
The next day over a Latte with her best friend from the President's Office, Elaine asked about Bill. "Bill who? We don't have anyone named Bill in the office," was her friend's response. With growing concern Elaine blurted out, "But I gave him all of the Senator's financial information."
Caller ID Spoofing
My story was fictional. But the technology behind it is all too real. As you probably guessed from the story, caller ID spoofing causes the "caller ID" display on a phone to display something other than the real caller. It isn't a new technology; it's been around since caller ID became popular. While the original spoofing implementations were somewhat kludgy, with the advent of Voice Over IP (VoIP) they became much better.
In 2004 the first commercial service offering to spoof caller IDs for a fee was launched. By 2006 commercial spoofing was covered by the popular press when SpoofCard, now one of the largest and most feature-rich of the spoofing services, suspended Paris Hilton's account because it was being used to harass Lindsay Lohan and to access her voicemail account. Now Googling "caller ID spoofing" yields more than 200,000 returns--including scores of companies who offer the service for a fee.
Is It Legal?
Yes. While legislation has been proposed to restrict caller ID spoofing, it is currently legal, although some states have passed laws that make it illegal to spoof caller ID for certain purposes, such as "to mislead, defraud or deceive the recipient of a telephone call." Even in those states, calls for amusement or revenge are generally legal. If you are interested in a more detailed history of caller ID spoofing, check out calleridspoofing.info.
Potential for Abuse
In addition to situations similar to the one described at the beginning of this column, imagine the damage that could be done to someone's reputation from having politically incorrect telephone numbers appear on their phone bill. (The spoofed numbers appears on the monthly phone bill as well as the readout on the phone.) While the companies providing these services emphasize "amusement," the mischief sometimes goes a good deal further, as in the case of a Washington State teanager who was sentenced to 30 days in jail and a $24,000 fine for using caller ID spoofing to send SWAT teams to the homes of innocent individuals--a practice known as "swatting."
It is worth noting that even though providers of spoofing services treat their call records as confidential, they do make them available under court order in cases of illegal activity. For this to be an effective deterrent to misuse, however, you have to assume that the criminal is dumb enough to use their real identity when they subscribe to the spoofing service.
Does caller ID spoofing have legitimate (versus legal) uses? Certainly. For example, a professional who returns a call from a number he would rather remain private might spoof his own business number. Or the call recording feature offered by some providers could be used by a businessman to have a record of a verbal order or transaction.
How It Works in Practice
To see how the system works in the real world I went to Spoofcard.com on the Web and, being the cheapskate that I am, selected their free trial. I had to enter three telephone numbers: mine, the number to be called, and the number to appear on the called phone's caller ID. For the latter two I used my spouse's line and the phone number of one of her friends. A few seconds after I hit the "submit" key on my computer, my phone rang with the message "enter 1 to complete your call." I did so and my wife answered, "Hello Marilyn," which was her friend's name.
If that isn't easy enough, Macintosh users can even download a Widget to their desktop to make the process even easier.
The cost, after the first free call, is minimal, 60 minutes for $10. And there are additional options available, including:
- Change your voice to male or female in real time.
- Record your conversation for later download (although the company points out that it is illegal in many states to record a telephone call without informing the other party that the call is being recorded).
For the more technically inclined who want to set up their own VoIP-based caller ID spoofing service or understand how the service works, the instructions can be found in "Fake caller ID: Fun, legal and easy to do" and Rootsecure.net.
What This Means to Higher Education
Caller ID spoofing is a really easy hack--no technical skill required. Because it is so easy and has the potential to be so damaging, we need to make sure that faculty and staff understand three basic rules:
- Protect your voicemail with a password. (When you call your own phone number you are automatically routed into voice mail.)
- Only give information to people whose voice you recognize or phone numbers that you yourself have dialed.
- Don't accept calls from financial institutions asking for account information. If you are unsure, call them back using a phone number obtained from an independent source.
The fundamentals are even easier to remember and can be summarized with a single rule:
- Rule No. 1: Caller ID is not to be trusted.
