India Broadband Forum

Admin · 04-03-06, 03:41 AM

Many in the VoIP service industry have known for years that caller ID can be spoofed (that is, misrepresented) relatively easily. In fact, one need not be an expert at using Asterix's Linux PBX software or know the other tricks of the trade - he can simply pay a few dollars for an Internet telephone caller ID spoofing service. (We're not going to provide free advertising for these services here.) While this may seem harmless, it opens up the door to a number of serious vulnerabilities.
More and more caller ID is being used to authenticate people's identity. Credit card companies have long been using caller ID in the card activation process. Financial institutions such as Citibank and American Express are now using it to authenticate identity of account holders who dial in to their telephone service. In business, caller ID is used to signal whether a caller is calling from inside or outside the firm. 911 call centers use it to determine who is calling and where to send emergency responders. Voicemail systems, particularly cell phone voicemail systems, automatically playback messages based on caller ID.
This is just a handful of potential targets for and methods of attack. To make matters worse, the list is only expanding, as companies continue to embrace the convenience of speed of using caller ID as an identification method.
To date, it appears that most caller ID attacks have been of the "prank phone call" type, and not concerted attacks, such as massive credit card fraud. However, it seems that the clock is ticking, and that it is only a matter of time before this type of fraud really takes off if the door is not shut first.

The FCC is investigating action against some of the caller ID spoofing services, but this is not really a solution - the underlying vulnerability remains, it just may be more difficult for amateurs. VoIP service providers can help matters by closing this security hole so that their customers cannot take advantage of them, as well.
But the best solution in the foreseeable future lies with businesses themselves. Though it may be painful, businesses are going to reevaluate the risk they are taking by using caller ID for identification. In some cases the risk may be low, but in many cases it will probably make sense for them to stop this practice.
It will be interesting to see where this issue goes over the next year.

04-03-06, 03:41 AM	#1
Admin Join Date: Jan 2006 Location: New Delhi Age: 32 Posts: 4,700 Rep Power: 12	VoIP Caller ID Spoofing - Still Dangerous Many in the VoIP service industry have known for years that caller ID can be spoofed (that is, misrepresented) relatively easily. In fact, one need not be an expert at using Asterix's Linux PBX software or know the other tricks of the trade - he can simply pay a few dollars for an Internet telephone caller ID spoofing service. (We're not going to provide free advertising for these services here.) While this may seem harmless, it opens up the door to a number of serious vulnerabilities. More and more caller ID is being used to authenticate people's identity. Credit card companies have long been using caller ID in the card activation process. Financial institutions such as Citibank and American Express are now using it to authenticate identity of account holders who dial in to their telephone service. In business, caller ID is used to signal whether a caller is calling from inside or outside the firm. 911 call centers use it to determine who is calling and where to send emergency responders. Voicemail systems, particularly cell phone voicemail systems, automatically playback messages based on caller ID. This is just a handful of potential targets for and methods of attack. To make matters worse, the list is only expanding, as companies continue to embrace the convenience of speed of using caller ID as an identification method. To date, it appears that most caller ID attacks have been of the "prank phone call" type, and not concerted attacks, such as massive credit card fraud. However, it seems that the clock is ticking, and that it is only a matter of time before this type of fraud really takes off if the door is not shut first. The FCC is investigating action against some of the caller ID spoofing services, but this is not really a solution - the underlying vulnerability remains, it just may be more difficult for amateurs. VoIP service providers can help matters by closing this security hole so that their customers cannot take advantage of them, as well. But the best solution in the foreseeable future lies with businesses themselves. Though it may be painful, businesses are going to reevaluate the risk they are taking by using caller ID for identification. In some cases the risk may be low, but in many cases it will probably make sense for them to stop this practice. It will be interesting to see where this issue goes over the next year.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How VoIP Works	Admin	Voice over IP	3	10-15-09 12:23 AM
Will VoIP Join the Telco Counterrevolution?	India Broadband	Voice over IP	0	07-17-06 09:04 AM
Which? report says VoIP is the future	India Broadband	Voice over IP	0	07-17-06 08:43 AM
Why Hack VoIP Service? Or Recognizing Consulting Opportunities	Admin	Voice over IP	0	07-04-06 03:18 AM
Voice over IP (Voice over Internet Protocol)	Admin	Voice over IP	0	01-29-06 01:11 AM

India Broadband Forum

VoIP Caller ID Spoofing - Still Dangerous

VoIP Caller ID Spoofing - Still Dangerous

Similar Threads