Slashdot Mirror
Caller ID Spoofing for the Masses
lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"
you can already do this using an asterisk pbx and a VoIP provider. Although once this starts being abused I doubt it will remain a feature.
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
I signed up for the service while this article was still in the mysterious future. Tried it out, didn't work.
I got to file my first Paypal dispute claim!
Seriously though, the website is just text and there's no contact info for anything.
Scam.
Figured $5 through PayPal (and yes, it really was PayPal, not some spoofed tab or scam site) was worthwhile.
However, even though their FAQ said it would be ready in 30 seconds, my account still shows zero minutes. Don't know if that's because PayPal takes a while to do the transfer, but I wasn't about to use a credit card with them.
For what it's worth, their "Privacy Guard" service page looks like this:
Camophone.com Home | Login to Privacy Guard | Frequently Asked Questions | Signup for Service
Logged in: das
Time Remaining in Seconds: 0
Time Remaining in Minutes: 0
Recharge Account
Enter all phone numbers without a leading "1" and with no dashes or spaces. Example: 9095551212
Caller ID must be ten digits to be passed properly through the telephone network. When the system calls you, the caller ID you set will be sent to you as well.
number to call [recipient]: (format: NPANXXXXXX)
your number [caller]: (format: NPANXXXXXX)
caller ID to send:
You're mixing callerID (in the case of "voice mail access without password") with ANI (in the case of credit card activation) :) You can't disable this with star codes, or with the "Private Name" feature of callerID blocking.
CallerID is spoofable, but ANI info is not. Any time you call an 800 number (or 888, or 877, or any of the other variants that are out now) your info is sent prior to the first ring. This is ANI (Automatic Number Identification? It's been a while. I'm sure someone will correct me if I've got it wrong
CallerID, on the other hand, can be enabled or disabled, and can be spoofed.
Easy way to remember -- who's paying for the call? If it's you, then it's callerID. If it's the other guy, then it's ANI.
--
Just use a calling card...
I have a calling card that I got through WalMart. The caller ID comes up as Denver, CO. I live in PA. This is via my cell or my land-line...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
No one's mentioned that Caller ID isn't really used for that much authentication. Let me give you a little bit of background on caller ID.
There is actually two types of calling number identification one being the popular Caller ID which as we know can be manipulated and blocked and the other being ANI or Automatic Number Identification which the user has no (or minimal) control over. Caller ID is used for the little displays on your phone and can have a flag set to block it, as well as define what number displays usually on outbound or two way trunks for use with DID (Direct Inward Dialing).
The reason the phone companies allow you to set your outbound caller ID is so when you are using DID, you can have people reach you back directly instead of thru the companies generic number. Now a little bit of background on DID: Mid and large sized companies use DID for everything, it's how everyone has a seperate phone number or fax number on their desk. It would be uneconomical for the businesses to bring in a seperate phone line for everone in the office, so they share them. So say for example a company with 100 employees would have a block of 100 phone numbers, but only 23 incoming phone lines, any number can come in on any one of those phone lines and the company's PBX determines which desk to route the call to. Pretty simple. So when an employee wants to make a call, again he can use any phone line, and the PBX sets the outbound caller ID to his real number so it's easy for people to call him back. Some phone companies limit you to what Caller ID data you can send them, (which makes sense that you can only have outbound Caller ID on numbers that are in your block.)
ANI always knows the calling trunk, and location. It's what's used for credit card verification, 911, etc. You can't block it and usually can't set it. ANI is transmitted (amongst other things) over SS7, which is basically an out of band protcol (which actually does carry caller ID too) that is used between switches. Few companies have phone systems that speak SS7, or a link into the SS7 network for that matter, it's just not useful. Phone companies would crack down pretty hard on fake SS7 info, because they could loose money on billing.
So in summary, Caller ID - not secure, ANI - A little more secure.