Caller ID Falsification Service

Dan writes " A US website will offer Caller ID falsification service...Slated for launch this week, Star38.com would offer subscribers a simple Web interface to a Caller ID spoofing system that lets them appear to be calling from any number they choose. [...] SecurityFocus took the site for a test drive, and found it worked as advertised. The user fills out a simple Web form with his phone number, the number he wants to call, and the number he wants to appear to be calling from. Within two seconds, the system rings back, and patches the user through to the destination. The recipient sees only the spoofed number displayed on Caller ID. Any number works, from nonsense phone numbers like "123 4567" to the number for the White House switchboard."

Fun for all ages and campaigns!

[garcia]

Star38.com claims it will screen subscribers, and initially make the service available only to licensed private investigators and collection agencies. Jepson and his partners believe that collection agencies in particular will find the service invaluable for getting recalcitrant debtors to answer the phone.

Debt collection agencies already mask their online and phone identities pretty well. Using common telephone setups (before the big Asterik "save the children" bullshit) they just appeared as whatever they wanted. In fact their web-presence is generally unknown and they even mask their hostnames to the rest of the world with benign addresses like mta-mailserver.alliedfinancial.com (this is a recreation of an actual NAT host used by a collection agency).

Private Investigators should opt for paying the phone company to offer them a similar service (or better yet don't call from your business phone).

If they are really allowing ANY number it isn't going to make it very far out of the "hype-stages". Think of what this could do to our children and what could happen in the hands of the terrorists!

CallerID: "J. KERRY CAMP. OFF. HQ"
Caller: "Hi, I'm calling you to vote for John Kerry via absentee ballot."
John_Overseas: "Ok. Count me in. Down with Bush!"
Caller: "Done. Thanks for helping Bu...I mean...Kerry win!"

Caller: "Another close one Dubya."

Re:Fun for all ages and campaigns!

[JimBobJoe]

Debt collection agencies already mask their online and phone identities pretty well.

True...it's ok for a debt collection agency to call you with no caller ID identity, or their real caller ID identity. Though I am not an attorney, and I don't even play one on television*, the attorney's comments at the end of the article saying that the practice of making up a fake caller ID identity would violate the fair debt practices collection act seem right on. (If you're hounded by creditors, you have a surprisingly large amount of rights, including the ability to tell them to just stop contacting you.)

*I am however an actor and I could play one on television.

Re:Fun for all ages and campaigns!

[garcia]

Though I am not an attorney, and I don't even play one on television*, the attorney's comments at the end of the article saying that the practice of making up a fake caller ID identity would violate the fair debt practices collection act seem right on. (If you're hounded by creditors, you have a surprisingly large amount of rights, including the ability to tell them to just stop contacting you.)

I have, thankfully, never been hounded by debt collectors but I know someone who does do it for a living. Telling them not to call YOU doesn't mean that they stop. They call your friends, your family, your boss, your co-workers, your babysitters, anyone...

As far as what comes up on Caller ID. His shows up UNKNOWN, ALLIED GROUP (name changed to protect the guilty/innocent), or PRIVATE. I suppose if you knew it was them you could just ignore it and they would just keep calling everyone you know under the sun...

Honestly, if they were calling MY boss daily about having me pay up I'd think twice about letting the answering machine pick that up.

Re:Fun for all ages and campaigns!

[SomeoneGotMyNick]

Telling them not to call YOU doesn't mean that they stop. They call your friends, your family, your boss, your co-workers, your babysitters, anyone...

I'm pretty sure Friends/Family/Bosses enjoy the same privileges, by law, of telling someone else's creditors where to stick it ^H^H^H^H to not call anymore.

That's why I'm in the IT profession. As all my positions get outsourced, I'm never in the same job long enough. If I ever get behind in the bills, I guess they can call my old boss, because I don't bend over backwards telling creditors where I'm working now. Unless, I feel I need a new loan.

Re:Fun for all ages and campaigns!

[SillyNickName4me]

> Honestly, if they were calling MY boss daily about having me pay up I'd think twice about letting the answering machine pick that up.

If they were calling my boss (if I had one, I'm self employed ;) we'd meet again in court where they'll have to explain to the judge why they ignored local privacy laws.

Re:Fun for all ages and campaigns!

[clifyt]

Yeah, I would have never noticed this bullshit either, but I started entering the dates in the calendar, and it made no f'n sense.

They had it 7 days for payment from time of it being sent, but if you tried to guess at it and were a day early, it was counted for the previous month.

I learned the tricks for this shit too -- if you can get an automated payment, set it up to do the bare minimum and nothing more. Send in the extra once you get the bill. That way ya should have everything in the bank and not have to worry...

hidden methods

[BoldAC]

The methods behind this are still hidden. They claim that it's not VoIP as most people currently do...

Any speculation what it could be?

Re:hidden methods

I don't know the technicalities behind it but I remember Mitnick saying in The Art of Deception that this is dead easy once you have access to a PBX. He used to call radio call in shows and it would look to the DJ like he'd be calling from the White House. I'm sure someone can fill in the details.

Re:hidden methods

[funaho]

This is so brain dead simple to set up it isn't even funny. I can do this at work easily. All you need:

A computer running Linux and Asterisk

A T100P (Asterisk T1 card)

A PRI to a telco that lets you specify Calling-Party-ID (you can get this pretty easily from a lot of CLECs)

About 30 minutes of coding up a simple perl or PHP script to parse a web form and use the data to dump a call request file into Asterisk's outbound spool directory.

Voila. Done. Setup cost is whatever you pay for the computer plus $500 for the T1 card (or spring for the quad T1 model at $1500). Your monthly cost to run this service should be no more than about $500 per PRI, plus a little more if you'd rather colo the box somewhere.

How is this even remotely legal?

[Gentoo+Fan]

Right off the bat doesn't this violate wiretapping laws? I thought there was a clause that prohibits mucking around with phone tech like this.

Re:How is this even remotely legal?

isn't there a wider law about false identity?

Telemarketers

[StevenHenderson]

Jepson claims the service will charge a twenty-five cent connection fee for each call, and seven to fourteen cents per minute.

Hopefully this will deter the telemarketers. That's my biggest fear.

Simple callback system?

[WanderingGhost]

This sounds to me like a simple callback system. It has been used by people who want to reduce the price they pay for international calls -- for several years.

(You call the callback answering maching, it waits until you dial the number you want; then you hang up; the machine calls the number for you, and calls you. You're not calling "from" your country, and won't have to pay the rates charged there.)

http://www.google.com/search?q=callback+phone+serv ice

Re:Social Engineering

[blackmonday]

Howard doesn't call anyone - thats some guy named Captain Janks, and certaintly doesn't need this, he does just fine already.

Although the calls are funny - he actually provides a useful service to all of us - he shows how easy it is for a complete phoney to get through on the news. The media gets into such a major rush to be first on everything that they put him right on the air and give him the chance to say "Howard Stern's balls" or something like that. The scary part is, who's doing this and doesn't let in on the joke? We can never know for sure. Don't trust those people who call in during news broadcasts!

This is nothing new

[mhesseltine]

As Kevin Mitnick pointed out in his book The Art of Deception, anyone with a PBX system can program their outgoing Caller-ID information to show anything they want.

As far as star38.com goes, I wonder what purpose they hope to serve by doing this. After all, it's a free service, and as we all know, nothing in this world is free. Could it be that star38.com will sit in the middle and record these conversations, either to sell prank calls a la The Jerky Boys? Or, maybe they'll gleam little bits of information about people and sell that marketing information to companies?

Strike it Down

[Doesn't_Comment_Code]

While technically neat, I think most would agree that this is an abuse, and that it is wrong.

I don't think the FCC will let this stand long. Especially if telemarketers, or similar crud start using it in the obvious ways.

Could the DMCA be applicable here? I can't recall all of its subtle clauses right now. But I wouldn't be suprised if such a technology violated it (everything else seems to). Can you imagine? The DMCA being used for good !?

Spoof for Truth

[Doc+Ruby]

I need a service like this, to make my CallerID more accurate. I have a VoIP landline and a mobile phone, with two different numbers. The landline rings my mobile simultaneously, at no charge, so I distribute only that phone#, and answer whichever phone is nearest - I'd prefer the mobile# remain undisclosed, to funnel all calls through the landline#. But when I initiate calls from my mobile, the recipient gets only the mobile#, which they might call back directly, insert into their contacts list, etc. But incoming calls on that mobile# won't ring my landline (although a less robust service for the mobile has a charge, while the landline multiringing doesn't). So I'd like to spoof the landline# when making mobile calls.

One way to do it would be to call a service at my VoIP landline, authenticate my mobile# CallerID, and replace the call to the actual recipient, from the landline with the landline# sent in CallerID. A better way would be to learn from email, and include both a "From:" and a "Reply-To:" field in the sent CallerID metadata. This service is a step in the right direction.

Re:CallerID != ANI

[Tazzy531]

It seems like what this service does is calls the two numbers and conference them together. So even if they get the ANI, it's going to be the ANI for the central server.

Here comes the wave of young boys calling girls...

[TruthDefender]

...and breathing heavily on the phone.

Why would a website want to offer this kind of service and put themselves in legal jeopardy?

And could traditional phone companies block them the way spam is blocked, to say anything originating from their service is blocked? I hope the telemarketers don't start using this kind of system. I am on the do not call list, and suddenly the number from which telemarketers call has switched from USA numbers to numbers located in Canada.

Dept colection? Great

[Felinoid]

Reminds me of the day when I receaved a bill for $100 for a mag subscription to a sports mag I never wanted.
(Not a sports fan)

They identified themselfs and I contacted a laywer who was apparently handling a class action lawsute against thies people (not the dept colection agentcy but the people they were colecting for) for fraud.

Dept colection agentcys should not be alowed to hide who they are (or who they work for) for this reason.

Re:Dept colection? Great

[stratjakt]

Debt collection agencies cant (in the US) hide who they are. They can't hide the purposes for which they call you. Ie; every call you get starts with "any information collected is for the purpose of collecting a debt..."

They can't call you on Sunday, they can't call you at work or after 6PM (IIRC), without your explicit permission.

There's very little a debt agency can do. They have no power, and they can't make you pay. They can only remind you that you owe. They like to sound official and intimidating, because they want to scare you into paying up, and paying all the ridiculous late fees and stuff they assess.

The only way they can make you do anything is through the courts. Once things get that far, you can cut a deal, like paying off the debt but dropping the late fees etc. Because then they compare the late fees to legal fees. Note that by this point your credit report is already boned so you aren't hurting yourself by not bending over for the thugs.

Re:Dept colection? Great

[Alioth]

Well, they DO call after 6pm. A friend of mine got in debt trouble after his son crashed his motorcycle (without wearing a helmet I may add) and suffered serious brain damage. All the stuff he had on credit became secondary to paying medical bills.

They called him at 11pm, 1am etc. He changed his phone number. So they called his family and found his new phone number and started again. Someone who can't even pay off their debts probably can't pay a lawyer to stop the harrassment.

Good God...

[TruthDefender]

Debt collection agencies already mask their online and phone identities pretty well. Using common telephone setups (before the big Asterik "save the children" bullshit) they just appeared as whatever they wanted. In fact their web-presence is generally unknown and they even mask their hostnames to the rest of the world with benign addresses like mta-mailserver.alliedfinancial.com (this is a recreation of an actual NAT host used by a collection agency).

My state has laws saying if you tell a creditor to stop calling and only communicate with mail, they have to honor that. Yet I know people with bad credit, and the phone rings with "Unidentified" in the caller ID. He is pretty sure it is the collection agencies because it happens all day long, at least once every other hour. About every 10th one of these unidentified calls is a recorded message saying "call 1-913-xxx-xxxx" or some number like that.

How can collection agencies circumvent the law? How can someone prove it is them?

Re:Good God...

[Tassach]

Perhaps the people should pay their fucking bills on time and not just ignore them for weeks/months/years?

Perhaps you should get off your fucking high horse and realize that there are legitimate reasons for not paying a bill. Fraud happens. Billing errors happen.

Re:Good God...

[garcia]

And while I am not defending those who owe money, do you have any idea how many college kids get 4 or 5 credit cards, thrown their way. Heck, they hand out t-shirts and phones and cd's for students who sign up. Students should be a little smarter, but it can be hard to resist the free give away.

Crazy as it may sound I went to college and I saw those tables set up all over campus, I got those envelopes in the mailbox in my dorm and off-campus, and I even passed every single one of those T-shirts up. Can you believe that? Self-restraint!

I have no qualms in telling someone that has run themselves into debt because they couldn't pass up a free t-shirt to get a life. I am actually quite disappointed that you would support those kids. Yet another example of no one needs to be responsible for their own actions. It was the fault of the CC companies throwing freebies away! OOOOOOH shiny plastic. Give me a break.

Even if the debt is valid, do you think it resonable for collection agencies to call every day. It stinks of harrasment. Perhaps the credit card companies should be a little more picky with who they grant credit to.

Do you think it is reasonable to go for weeks/months/years without paying off what you owe? You apparently do because you seem to be flatly defending them. Yeah CC's suck and their terms suck. The promise of free money that you don't have is nice but you certainly don't have to give in to the temptations.

Re:Good God...

[Alioth]

I have to ask why she bought a $8000 car on credit instead of a $500 car with cash. An $8000 car is a luxury (especially on credit - I make it a point NOT to borrow money to buy a car because the depreciation + interest rate almost always makes it a lousy deal). When I couldn't afford a nice car, I bought a cheap one. Even if you have to spend $500 a year buying a "new" run-out once a year 'cos the old one breaks, it's cheaper than the debt. Then save up for a better car with the money you'd have otherwise spent on interest, and have the better car without ending up in the situation where you've paid $14000 for a depreciating asset that's now only worth $3000.

Of course it's a free country and you can borrow money for a car if you like, but don't whine about it when you find it's a crappy deal - basic junior school arithmetic can be used to tell it's a crappy deal before even entering it. I do have some sympathy for many in this trap because they've often fallen for high-pressure sales, but it still doesn't change the fact that they did it to themselves.

Re:Good God...

[gregmac]

I guess you've never been in the situation where some faceless company decided you owed them money for no reason.

Bell Canada decided our office owed them money. We had a DSL account with them for about two years. One day, all of a sudden, I could no longer connect to port 25. Called them up, and asked. First guy said "No, we haven't made any changes at all. must be your end". Looked around some more, found I was definately being blocked. Called back, and this guy told me that they had noticed one of their connection racks hadn't been blocking port 25, so they "fixed it". Fine, whatever, created a dns alias for the network to send our smtp mail to their smtp server.

This was fine for a month or so, but then it would randomly die.. their SMTP server just stopped working intermittently, for an hour or so. About the third time it happened (and this time it lasted a few hours, beyond the point of being a major annoyance, where it was hindering the business), and I was actually in the office this time, I called them to see what was going on. The tech told me that they were getting hammered by viruses sending spam, and that it would go away eventually. "Eventually" does not work for business.

So I asked them to unblock port 25 for me (since it's virus free), even if to only my own properly configured mail server, so I could send email. He told me they can't. So I asked how I was supposed to be able to send email, to which he replied that their webmail was working. Yeah, that's great, I have webmail too .. but I can't tell everyone in the office to switch to webmail. I also had no interest in going around and reconfiguring everyone's mail client to use a non-standard port (my router at the time didn't have the capability to do that itself).

So I called up another ISP, and asked them when they could have DSL in.. they said 5 days, which just happened to correspond with my billing period with Bell. So I called bell back, and told them to cancel the account.

Here's where it got real fun. They said ok, we can cancel, but you will still owe us $300 or something for terminating the contract early. Contract? I looked at our bills.. initially, we had signed on with a one-year contract, but all of our bills after that just said "monthly recurring charge" with absolutely no mention of a yearly contract. The month where it would have renewed was no different from any of the rest of them.

So we pointed this out, and they said that regardless of what the bills said, we were on a year contract still. So we asked them to fax the contract to us. "Uh.. we don't have it". Well, we didn't have this supposed contract either.. most people at this point would assume with no contract anywhere, that there was no contract. Well, next they told us it was a "verbal contract" to renew, but couldn't tell us who exactly made this contract (only me and the owner would be authorized to do that, and being the IT person, I'm the only one who actually would have done it), nor produce a recording of it or anything. So at this point we said, well, no contract, come get your modem, we're done.

A few months later, we got a notice in the mail from bell saying we owed them $500 or something now, for an outstanding balance plus interest plus late fees etc. Called them up to clairify this, and again went through the same stupid banter, with the same conclusion. That was about a year ago, and we haven't heard anything else from them since. Maybe they'll decide to sue us or something, I don't know. But taking us to court over a "verbal contract" without knowing who exactly made it or anyone at our company who's authorized having any recollection of it seems a bit flakey to me.

Since that happened, I've learned a few other people have been burnt by them as well. The trick is, they'll never take you to a collection agency. They have their own internal collections, and they'll get it through their subsidary companies. Ie, If you owe money (or they think you do) on a Sympatico internet

Re:Good God...

[maximilln]

it's the complete lack of understanding what a credit card is that students get into trouble with

I'd just like to say, politely, that you need to be knocked down a few notches. There is no lack of understanding what a credit card is. What gets people into trouble with credit cards is that they're being financially manipulated. They're starved. It's the same biological response as not eating for seven days and then being offered a $10 cheeseburger. $10 is way too much but hunger plays a factor.

Credit agencies, insurance agencies, government agencies, collection agencies--they all work to keep the general population starved of cash. They can do it because they CONTROL the financial system. Give me one good reason why the bean-counters crunching numbers for banks and credit agencies WOULDN'T take advantage of their position to hamstring a few hundred million people. Look at the overwhelming evidence: The National Debt is up to what, about $6 trillion? Which segment of the taxpaying public is carrying the greatest burden of that as a percentage of their annual income? Minimum wage hasn't gone up in how many years? The cost of living goes up at a steady rate of how much? Student loans have increased by how much yearly? It doesn't take a conspiracy theory to demonstrate how easily the financial institutions can manipulate credit to keep people starved for funding which they RIGHTFULLY worked for but were sorely undercompensated.

Rather than being so self-important perhaps you should consider a little perspective. I'll have none of this "well, back in my day" crap. Things were different back in your day--there was community and a sense of good society. In today's world, it's all about Alan Greenspan's profit margin.

Re:Good God...

[bryanp]

For some reason, many people think of a credit card as free money - that if it's not draining their account right now, it's not real money. Parents are to blame, not heartless corporations (this time).

Uh, no. The people running up debts they can't afford to pay are to blame. It is quite possible the parents "should" have done a better job of teaching their kids how to handle money, but in the end you're responsible for your own actions.

Oh, wait. I forgot - nobody is responsible for the consequences of their own actions anymore. Never mind.

Re:Good God...

[jjhall]

The problem is, we have 16 year old kids (even younger sometimes) having kids. These 16 year old kids don't know how to raise kids, so they basically don't. Yes, I feel it is still the parents' responsibility to teach their kids all of these things, including not to lie, cheat, and steal. However, when the parents are too young to fully understand those concepts themselves, well you get the idea.

Back when I graduated high school, there were kids who passed their algebra class, but did not know how to count back change without a calculator. Most of those even had problems giving correct change even when the little screen said Change: 1.48.

Unfortunately, our school systems need to change some to take this into account. My Home Economics class focused almost entirely on safe sex. Shouldn't that be a small portion of what is taught in Health class? The teacher was not even qualified to discuss that matter without turning it into a big joke. It was a wasted 72 minutes every day the whole trimester.

To me, Home Economics should have been Economics. How to ballance a checkbook. How to figure out that Credit Card X at 16.99% compounding will take me Y decades to pay off. It should have been how to count change, how to make sure you were given the correct change from the kid behind the register at Drawl-Mart. It should have been about how to modify a recipe "I only have 2 tbls of butter, but the recipe calls for 3. How many cookies can I make and what amount of other ingredients need to be added?" Car insurance is Z dollars every 6 months, and I get paid X every other week. How much per paycheck do I need to put in savings each paycheck to pay that bill every 6 months?" I think you see what I mean.

My point is, schools any more are not teaching what is relevant to students that will not attend higher education. I realize it is out of "fairness" to everyone, so no student feels they are "behind." But as a result, they are not able to fully function as productive members of society, and remain "behind" the rest of their lives. Next, they raise kids who don't know the difference, and the process continues. Unfortunately we have to start teaching the students to be responsible for themselves, because their parents are not responsibile enough to do it themselves. I'm all for self-responsibility, and I hold myself to a very high degree of it. But we are now at the point that we have to start teaching it to the younger generations and break the cycle.

Jeremy

Re:Illegal for Telemarketers?

[UnknowingFool]

Yes but it's also illegal for telemarketers to call you if you've asked them not to or if your number is on a do-not-call list. Legit telemarketers will follow the law. People running scams and telemarketers that don't care will ignore the law.

One way to do it

My daughter and her friends figured out a way to do this years ago. Here's the scenario:

Amy is supposed to be having a sleepover at Beth's house, but instead is spending the night with her boyfriend Carl.

Dad calls Beth's house to speak to Amy. Beth says, "Oh, Amy's in the bathroom. I'll have her call you back when she gets out." A minute later, Dad's phone rings, Beth's number displays on the Caller ID, and Amy's voice is on the line. Dad is satisfied that Amy is at Beth's house. Wrong!

What happened is that after speaking to Dad, Beth calls Amy at Carl's house, initiates 3-Way Calling back to Dad's number, then hangs up as soon as Das picks up the phone. Amy (at Carl's house) is on the line, but it's Beth's number on the Caller-ID because that's where the call originated from.

I have gray hair.

Very easy

[Punk+Walrus]

Dude, we used to do this all the time when I programmed for call centers. The ANI (telecom term for caller ID) was programmed at the Layer 2 level, and like a MAC address was easy to change. We usually used ANI via a software bridge to simultaneously launch a trouble ticket indexed via phone number, but there was always the issues with Pay Phones, Hotels, or companies that hid the originating ANI behind a PBX (i.e., for security).

So, sometimes, we changed the number enroute so that it would launch a new ticket window instead of a ticket with 20,000 IDs all indexed to the same phone number. We just marked it with a random number that let the techs know this was not their real home phone, and thus, had to ask for a callback number if needed.

We also had hackers that did this as well, like one guy in Vancouver who hacked the ANI so he could make illegal and harrassing long distance calls in the US using a US 800 number that would, in theory, make the call unbillable.

Then there's the mysterious 604 number that people get from time to time...

This has a legitimate use

[blueforce]

I don't like the thought of goofballs mucking around with the service either but I can see legitimate uses for it.

Take a look at some of these nifty caller-id features such as "Prevent Your Number from Displaying on Caller ID" or "Caller ID with Anonymous Call Block"

Suppose your phone number is unlisted and typically shows up as "Anonymous" or "Unavailable" to caller ID. Now suppose the recipient of your call has Caller ID with Anonymous blocking. You can't get through or, with some services, you have to leave your name at the tone and hope they pick-up and decide to take your call.

It would serve as a way to make your own number show up when you want it to but otherwise remain anonymous and not defeat the purpose of having an unlisted telephone number.

I used to to credit before IT

[onyxruby]

I did credit before getting into IT. If collection companies do this they will run headlong into FDCPA problems. Attorney Generals love to stick it to collection companies (and they often deserve it), and won't hesitate to nail any collection company that does this to the wall.

Standards for honesty for any method of a collection company presenting itself are very strict. Wording of exactly what can be said is drilled into collectors. You can't claim to be an old college buddy, a cop, lawyer, or anything else to try to get someone on the phone. If you can't tell someone a lie like that, I don't see how telling a lie by caller ID would be any more allowed.

Re:Great!

[Beryllium+Sphere(tm)]

>Now the neighbor's kid can activate my credit cards he stole from my mailbox without breaking into my place to use my phone line.

I would hope the credit card company is using the ANI (Automatic Number Identification) on their 800- line instead of caller ID. It's not subject to the same spoofs.

Re:Sooner or Later...

[mr100percent]

Steve Wozniak, co-creator of Apple and maker of the Blue Box, did prank call the Vatican one time with his invention.

"During one demonstration, Wozniak called the Vatican posing as Secretary of State Henry Kissinger and asked to speak to Pope Paul VI. Informed that the pope was sleeping but would be awakened, Wozniak lost his nerve and hung up."

MPAA conspiracy theory

[kb9vcr]

I was wondering how the MPAA was going continuing making horror films!

Every time a killer taughted his victim over the phone you'd know right away who John Q. Killer was but, leave it to the MPAA and their crafty ways to secretly fund this anti-Caller ID technology....

...Who else is looking forward to a "Scream 4: keep on screamin'"? ;)

Re:Social Engineering

[attam]

if you actually had bill's number to begin with, you probably deserve his passwords as well... have you ever called Microsoft? if you don't know the exact name of the person you want to talk to, they won't even talk to you. if you ask for a "department" they will tell you to bugger off!

This is really dangerous in a lot of ways...

[dnaboy]

This has trouble written all over it. As mentioned a million times throughout the comments, there is a huge risk in terms of people using, what is by definition, wire fraud, to get credit cards etc...

I think there's another risk here though, which is less stated. This service is to go live Sept 1st, from the web site. Unless it's on a minimal page after getting /.ed, I couldn't find any link to terms and conditions. What exactly are you submitting to when you use this? Is your information safe? Keep in mind, the call is routed through their system. Right now, until I see T and C which specifically states that my information is priviledged and cannot be listened in on or used against me, I can only assume it will be. They must have some concept of how they intend to make money.

Also, who's liable for the damages WHEN (not if) someone uses it to commit a crime? This company, I can forsee turning anyone over at the drop of a hat. They're going to have a hard time pleading the internet provider's argument that they are merely the conduit (and therefore not liable for the actions of individuals on their networks), since there is little or no use for the system for legal ethical purposes.

VoIP/Spoofing/and other

This "service" won't last long. This was brought up on a Telehpreak.org conference (shameless plug). There's better ways to do this _with_ VoIP. It's much easier to go down to my local store (with cash), by a pre-paid Visa card with any name I want. Then, use that card to signup with a VoIP server (Voicepulse, Vonage, etc). Then, using the fun of Asterisk, set my caller ID to anything I want. No ANI [it's VoIP], spoofed caller ID, and anonymous.

We actually thought about setting up a similar type of service (more of a concept service, really) to allow CID spoofing. After much discussion, between ourselves and the EFF, we decided that it wasn't a very smart thing to do.

http://www.telephreak.org

Re:How'd you find out?

Amy was spending waaaaaay too much time in Beth's bathroom. ;-)

Actually, Beth's mother got pissed at the number of 3-Way Calls on her bill, and demamded that I pay for some, since they involved my number -- as well as Carl's.

From that point, it didn't take long to figure it out.

Reverse Social Engineering

[Black+Parrot]

> Let's not even start talking about all the wonderful social engineering that can now be performed with this great service. "This is Bill Gates. I forgot my password. Give it to me."

It's probably a front for an FBI sting operation, an invitation for stupid criminals to use them as a middle-man in their crimes.

Re:Great!

[stratjakt]

Yes, but as another poster pointed out, this system calls both numbers then conferences them together. So they'd get the ANI from the central server. Which still wouldn't let the kid activate your credit card.

Even if, however, they used CallerID, this kid would be caught about a half hour after you notice the fraud.

This company obviously keeps records of the real numbers on each end, the kid has to pay somehow (aside, do even they verify credit cards to see if you're calling from an approved ship-to address?).

To avoid serious legal troubles, I'm sure they'd have no problems turning these logs over. At most they'd require a subpoena.

It's much easier to just plug a handset into the demarq spot outside your home. Or dig up a section of cable and spice your own extension into it.

The POTS really isn't uber-secure, I'd figure people would take that as a given by now.

Good idea to use this for toll-free numbers

[MichaelCrawford]

My understanding is that companies that have toll-free numbers have the option of capturing the calling number regardless of caller ID blocking. The reasoning behind this is that the recipient pays for the call, so they have good reason to want to know who's costing them for the call.

So if you call a toll-free number for whatever reason, they can capture your number and sell it to telemarketers - or collection agents.

Re:ICLID, ANI, name lookup, tephone cumpnies etc.

[blanks]

OK well I guess while you were yawning you missed the first line : "Implementation quirks in Voice over IP are making it easy for hackers to spoof Caller I.D., and to unmask blocked numbers. " And another quote explaing how they are able to do it. "There are little exploits that you can do," says Lucky. But the most powerful tool for manipulating and accessing CPN data is the open-source Linux-based PBX software Asterisk, used in combination with a permissive VoIP provider. "It's fully configurable, you can pretty much do anything you want with it," says Lucky. "That's why Voice over I.P. is changing things." Next time spend less time yawning and more time reading :p

Re:Social Engineering

[Darth_Burrito]

Any good security policy would include callbacks to ensure the person you're talking to is actually within your organization.

Every good security policy is a balance of risk mitigation, ease of use, and a number of other factors. Forcing callbacks would not be an acceptable security measure in most organizations.

Yes, I do!

Feel free to tell Darl to take a chill pill. A number of people have supposedly sent him death threats (just as other wierdos have sent threats to PJ of Groklaw). While I seriously doubt any of those people were serious, Darl is pretty stressed out about them. He has even started carrying a gun and should be considered armed and dangerous. I don't doubt that he'd shoot someone who tried to approach him if he even so much as suspected they might attack him.

Anyhow, so long as you're not stupid enough to get yourself killed by him, here's all the contact info you could want:

The SCO Group
355 South 520 West
Suite 100
Lindon, Utah 84042 USA
(801) 765-4999 phone
(801) 765-1313 fax

Contact SCO online
http://www.thescogroup.com/company/feedbac k/index. html

Darl C McBride
1799 Vintage Oak Ln
Salt Lake City, UT 84121-6539

Darl's home phone #: (801) 424-2006
Darl's office phone #: (801) 932-5820

Email Darl: darl@sco.com

Re:Seems useless to me.

[Marimus]

Having a phone doesn't indicate need or desire to call somebody.

My bank no longer has a phone, although plenty of people want to ring them. The found answering the phone was costing them money, so they got rid of it.

I think you can fax them, but you can't ever talk to a human being, unless you enter the branch (where incidently, they charge you for just about everything). Small town, one bank - what you gonna do?