Caller ID Spoofing for the Masses
lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"
I am not a proponent of bigger government but I think that this is something that should be made illegal. Communication is too important to our society. It's one thing to block your I.D., it's a whole 'nother thing to falsify it.
It is most likely a mistake for them to boast of their anonymity. Someone will figure out who they are and I am betting that more than one intrepid hacker will take down Camophone's website repeatedly.
We should keep track of this one for a while, it should get real interesting.
http://www.busyweather.com/
You can already do this using an Asterisk PBX and a VoIP provider. Although once this starts being abused I doubt it will remain a feature.
time is a perception of a being's consciousness
time is your 6th sense, the weird ones are 7+
I signed up for the service while this article was still in the mysterious future. Tried it out, didn't work.
I got to file my first Paypal dispute claim!
Seriously though, the website is just text and there's no contact info for anything.
Scam.
Now we will have scammers blackmailing businesses with the threat of sending falsified phone calls to the general public.
Or /. it!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Of the /. story, that is? Their website is currently up (this posting will probably be the 10th or so), but is surprisingly minimal. No images at all. Plain, unadorned HTML. Not even a CSS file.
I have a feeling they'll withstand the slashdotting.
This could make telemarketing nearly untraceable, a company just uses a call center that utilizes this technology, and people will never know where the phone call is coming from. Imagine getting a phone call from a telemarketer, and it says 911 on the caller ID.
I'm glad this happened. I am so sick of people using Caller ID as an authentication mechanism. It has been so easy to spoof if you had connections before and is even more so now.
:)
My cell phone doesn't even require a password to get to my voicemail because it uses caller id. Every credit card I've activated required me to call from my home number, verifying it with caller id. When I order pizzas, they verify I am who I say I am with caller id.
It is ridiculous and is worthless as an authentication mechanism. Its only use is a convenience, to decide if you want to answer the phone. Lesson: don't rack up bills you can't pay
Anyway, it's always nice to have another way to screw with your friends' minds.
With such a professional-looking website I can't see how this can possibly go wrong.
So which one of you smartasses is messing with me?
...911 calls you!
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
The call shows up to be from 425-789-4268 - it doesn't show the Caller ID info that I put in. I guess I'll have to file a Paypal claim too.
These services are the harbinger of a dazzling array of VoIP services just over the horizon. Today's telcos need millions of customers to want any given feature before it's worth their while to roll it out, because of their monolithic architecture. While a VoIP service can be plugged into the VoIP pipeline by a startup, putting their feature server on the Net, and accepting connections through open, standard protocols. Anonymizing or spoofing are just the kind of TCP/IP services we'll see. And since the infrastructure is much cheaper, and more competition can get started globally, the prices for niche features will be much lower than the rates for voice provisioning itself.
--
make install -not war
to get a call from Jack Mehoff.
This company is probably nothing more than someone running Asterisk, using Nufone for the PSTN service.
A simple php script will dump a callfile into /var/spool/asterisk/outgoing and bridge the two calls together.
Then all you need to do is write something to manage user accounts, and accept paypal payments and bam. You've got camophone.com.
This whole configuration could probably be whipped up in a day.
Figured $5 through PayPal (and yes, it really was PayPal, not some spoofed tab or scam site) was worthwhile.
However, even though their FAQ said it would be ready in 30 seconds, my account still shows zero minutes. Don't know if that's because PayPal takes a while to do the transfer, but I wasn't about to use a credit card with them.
For what it's worth, their "Privacy Guard" service page looks like this:
Camophone.com Home | Login to Privacy Guard | Frequently Asked Questions | Signup for Service
Logged in: das
Time Remaining in Seconds: 0
Time Remaining in Minutes: 0
Recharge Account
Enter all phone numbers without a leading "1" and with no dashes or spaces. Example: 9095551212
Caller ID must be ten digits to be passed properly through the telephone network. When the system calls you, the caller ID you set will be sent to you as well.
number to call [recipient]: (format: NPANXXXXXX)
your number [caller]: (format: NPANXXXXXX)
caller ID to send:
Why do we need the government, when our address books can authenticate the caller cryptographically? Unfamiliar callers should all be treated as untrustworthy until proven otherwise. That can be established through an automated web of trust, and callback, or shunted to voicemail or /dev/null. Distributed software is much better protection than the FBI, much cheaper, and doesn't come with dirty stormtrooper boots muddying up your foyer.
--
make install -not war
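The screening the comment above proposes, sketched as an added example (not the poster's code): it swaps the web of trust for a per-contact shared secret checked with HMAC challenge-response. The numbers, the secret, `prove` and `CallScreener` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed address book: claimed number -> secret provisioned out of band.
ADDRESS_BOOK = {"9095551212": b"constructed-demo-secret-for-alice"}


def prove(key: bytes, challenge: bytes, caller: str, callee: str) -> bytes:
    """Caller side: bind the proof to this challenge and to both numbers."""
    msg = b"|".join([challenge, caller.encode(), callee.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class CallScreener:
    """Callee side: the claimed caller ID only selects which key to check."""

    def __init__(self, my_number: str, book: dict):
        self.my_number = my_number
        self.book = book
        self.pending = set()  # challenges issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def route(self, claimed_id: str, challenge: bytes, proof: bytes) -> str:
        # One-time challenge: a recorded proof cannot be replayed later.
        if challenge not in self.pending:
            return "reject"
        self.pending.discard(challenge)
        key = self.book.get(claimed_id)
        if key is None:
            return "voicemail"  # unfamiliar caller: untrusted, not blocked
        expected = prove(key, challenge, claimed_id, self.my_number)
        return "ring" if hmac.compare_digest(expected, proof) else "reject"


if __name__ == "__main__":
    screener = CallScreener("2125550100", ADDRESS_BOOK)
    nonce = screener.challenge()
    proof = prove(ADDRESS_BOOK["9095551212"], nonce, "9095551212", "2125550100")
    print(screener.route("9095551212", nonce, proof))
```

A caller who only sets the displayed number to a known contact cannot produce the proof, so the call is rejected rather than rung through.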
I know for a while there has been a phreaking tool called Orange Box, which supposedly lets you spoof caller ID. But my understanding is it only works *after* the other person has picked up the phone, so it's not really good for much, or at least it's a lot trickier to take advantage of.
Of course, there is a very cool software version of this tool: Software Orange Box, here. You enter in the caller ID details you want to spoof, and it generates the phone tones that transmit that data, which you can then play thru your speakers and to the phone, or connect directly to the phone for better results.
Again, it's not a great spoofer, but it is pretty cool to mess around with.
this is *the* faq on orange boxing.
When someone offers a reliable, professional version of this service that's affordable to everyone, people will stop trusting Caller-ID and stop paying for it.
You'll also see political pressure to regulate such services, mostly from the telcos who see revenue from CID drying up. Eventually, I think a compromise will be reached:
You'll be allowed to spoof your ID, provided it's from a non-existent # or a # you have permission to use. There will also be a legal requirement to keep logs so the police or civil courts can issue subpoenas.
Under such rules, people who want true anonymity will be forced to use international versions of this service which will show up as "out of area" or as an international #, or break the law.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The ISP community has long had Acceptable Use Policies which forbid certain things (such as sending out spam). This is because when I get spam, I can fairly easily identify where it came from with the help of traceroute and whois, and it's in the interest of the ISP not to have problem customers.
Unfortunately there is no way for me to trace the provider behind that sales call with the caller-id of my mother's phone, short of obtaining a court order. Thus, there is no incentive whatsoever for the phone companies to enforce caller-id. If phone providers provided the ability to trace the call (hopefully voluntarily, or even by law), this would not be an issue.
Traceability is what we need, that's all. Caller-id faking should be legal. But more likely what will happen is the lawmakers will make caller-id spoofing punishable by death and declare this a non-issue.
"Hi, this is the Big Name Legitimate Charity, we're raising money to promote the glorious teachings of Adolf Hitler. Would you care to make a donation [click] hello? hello?"
Word spreads, and Big Name Legitimate Charity's contributions dry up.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
guess what. the old fashioned method still works. just hang up on them. regardless of what CID says. duh.
or. ever try screening with an answering machine..? that works well too!
abcdefghijklmnopqrstuvwxyz
Honestly, it's much simpler and cheaper than constantly trying to "one up" the next technological doohickey.
Just my Luddite $.02
blue
Folks, I'm all for cool technology, and I realize one can spoof caller id information. But caller ID can be a very good thing. I know...
Three years ago I had the very unpleasant surprise of finding out my (ex) wife was having an affair. Unfortunately, she had also decided on using tactics designed to ensure her utter victory in the divorce. She'd actually purchased books (I saw them), giving her advice on dirty divorce tactics - "Divorce War! 50 Strategies Every Woman Needs to Know to Win." Apparently, one of the recommended strategies was to call your ex and try to drive him nuts - hopefully he'll say something nasty and you'll be able to bring it up in court, etc.
Well, I realized what she was doing once I started getting anonymous calls at 2:00 - 3:00 AM. Strange, nasty stuff, weird messages. Technology was actually useful - the caller ID information allowed me to get a pretty damn good idea of who was calling. (Hint would-be-nasty-callers: remember to hit *69 before you call!). The police thought it was fun, too. Caller ID and outright stupidity saved the day.
Look, in my case I wasn't directly threatened. It was cruel, it was vicious, it was nasty. But I was never in any danger. However, what if it had been something dangerous? When one's depressed, you're willing to listen to anything - and when you see the ID comes out as "Police" or "Crisis Center" - you could be lured into a bad situation. This is real folks - stalkers are out there, I've seen and heard it.
All technology can be abused, I know that. But in this case, let's try to prevent a service which provides fundamental identification information from being turned into something potentially dangerous.
Incidentally, she pretty much wiped me out. Bummer. But all in all, it was for the best...
/* Dang, I can't type that well. */
Just use a calling card...
I have a calling card that I got through WalMart. The caller ID comes up as Denver, CO. I live in PA. This is via my cell or my land-line...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
So, I decided to see if a credit card paypal transaction would be any "faster".
:-)
It did indeed show my account credited with 100 minutes.
But the service did not work.
I *really* *don't care* about the $10 I've now wasted; just wanted to see if it worked or not.
Anyway, there ya go.
If you just want to hide your number, not necessarily spoof your enemies, any calling card will do, like another poster mentioned.
I use OneSuite as my long distance service because their rates are excellent. Caller ID from OneSuite shows up as either Unknown or some random out of state number.
You can login to check out the interface with their unguarded testing account:
user: test
pass: test
No cash on the account, but fyi.
No one's mentioned that Caller ID isn't really used for that much authentication. Let me give you a little bit of background on caller ID.
There are actually two types of calling number identification, one being the popular Caller ID, which as we know can be manipulated and blocked, and the other being ANI or Automatic Number Identification, which the user has no (or minimal) control over. Caller ID is used for the little displays on your phone and can have a flag set to block it, as well as define what number displays usually on outbound or two way trunks for use with DID (Direct Inward Dialing).
The reason the phone companies allow you to set your outbound caller ID is so when you are using DID, you can have people reach you back directly instead of thru the company's generic number. Now a little bit of background on DID: Mid and large sized companies use DID for everything, it's how everyone has a separate phone number or fax number on their desk. It would be uneconomical for the businesses to bring in a separate phone line for everyone in the office, so they share them. So say for example a company with 100 employees would have a block of 100 phone numbers, but only 23 incoming phone lines, any number can come in on any one of those phone lines and the company's PBX determines which desk to route the call to. Pretty simple. So when an employee wants to make a call, again he can use any phone line, and the PBX sets the outbound caller ID to his real number so it's easy for people to call him back. Some phone companies limit you to what Caller ID data you can send them, (which makes sense that you can only have outbound Caller ID on numbers that are in your block.)
ANI always knows the calling trunk, and location. It's what's used for credit card verification, 911, etc. You can't block it and usually can't set it. ANI is transmitted (amongst other things) over SS7, which is basically an out of band protocol (which actually does carry caller ID too) that is used between switches. Few companies have phone systems that speak SS7, or a link into the SS7 network for that matter, it's just not useful. Phone companies would crack down pretty hard on fake SS7 info, because they could lose money on billing.
So in summary, Caller ID - not secure, ANI - A little more secure.
Emergency services should be using an e911 service with the telco that isn't caller ID. e911 existed before CID was in place and works in areas where switches are not capable of carrying the service. If the local setup is relying on CID instead of whatever the telco should be serving up you all are in SERIOUS trouble.
[insert sig file here]
Telco equipment is still "vertical": NorTel switches require NorTel plugins. The most important vertical "silo" is the telco itself, which might outsource feature supply, but users get all their services from the telco, in whatever bundles they integrate and sell. No third party service provision direct to the customer, integrated with telco equipment or services, has ever survived. Even something as simple as DSL was blown away by the telcos' extreme competitive (including legislative) advantages.
VoIP is different. It's inherently distributed. Since it's entirely executable on commodity hardware with open source software and published standards, distributed interop comes first. So a component architecture is available for any integrator, even an aggressive end user. Of course all that changes the marketing, customer service, technical support. Even the "customer care", integrated billing and customer service, becomes a necessity rather than a luxury, and gets pushed closer to the customer than in the proprietary telco model. Customer care itself can be an addon from a third party with aggregated niches around the Net.
Sure telcos have slowly moved towards their versions of some of the features and architectures of VoIP. The ATM long lines network between COs is VoIP (for lowercase "i" and some value of "P" :). This callerID spoof is an example of the blurred lines. Those blurred lines will make transition to VoIP smoother, bringing the benefits of open interop to every user and provider.
--
make install -not war
They're already using the email. Why, just the other day, I received a message from Citibank telling me that they needed to re-verify my identity. They even provided a really easy-to-access web site for me to enter my card number and personal information, no sweat. The really cool thing is that I don't even have a Citibank card yet. Talk about proactive!
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Call the local operator and ask them to place your call to the toll-free number. Obviously this doesn't work with toll calls, but they'll do it for you on toll free calls. It's been a while since I tried it, since I have little reason to hide when placing calls, but it's surprising how often they have no trouble doing it for you. I was never even asked why I wanted them to place the call.
[insert sig file here]
Because they didn't create a way to do it that was backwards-compatible.
CallerID is sent as 1200baud FSK between the first and second rings. ANI is, for E&M trunk lines, sent as DTMF codes by the phone switch, or for BRI/PRI trunks, sent digitally with the other call connection information. DTMF incurs a significant connection delay - sending ANI plus DNIS (dialed number identification service, basically telling you which number the call was placed to) means sending 17 or more DTMF tones - so PRI is the preferred method.
So ANI in its current form really only works with trunk lines. In some areas with some ILECs trunks can be analog (leaving you stuck with E&M DTMF) but otherwise you're looking at the expense of ISDN or a T1.
The current CallerID protocol is flawed in that if you answer the call before the second ring, you don't get the CallerID information. I don't know why the telcos released such a flawed protocol or why they aren't interested in fixing it today. Maybe they figured that ISDN would replace POTS by now. Instead, as you mentioned, probably VoIP will instead.
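What the 1200 baud burst described above carries once demodulated, as an added example (not from the thread): a decoder for the Bellcore-style multiple data message frame. The frame layout and parameter codes are not given in the comment and are supplied here from the Caller ID format; `SAMPLE` is a constructed frame, not a captured call.

```python
# Decoder for a Caller ID "multiple data message" (MDMF) frame, the payload
# of the FSK burst. SAMPLE is constructed for this example.
MDMF = 0x80
PARAMS = {0x01: "datetime", 0x02: "number", 0x04: "number_absent",
          0x07: "name", 0x08: "name_absent"}
ABSENT = {"P": "private", "O": "out of area"}

SAMPLE = bytes.fromhex(
    "801f"                        # message type 0x80, body length 31
    "01083131303531343330"        # date/time 11051430 (MMDDHHMM)
    "020a39303935353531323132"    # number 9095551212
    "07074558414d504c45"          # name EXAMPLE
    "9c"                          # checksum
)


def checksum_ok(frame: bytes) -> bool:
    """All bytes, checksum included, must sum to 0 modulo 256."""
    return len(frame) >= 3 and sum(frame) % 256 == 0


def parse_mdmf(frame: bytes) -> dict:
    if not checksum_ok(frame):
        raise ValueError("checksum mismatch")
    if frame[0] != MDMF:
        raise ValueError("not an MDMF frame")
    body = frame[2:-1]
    if frame[1] != len(body):
        raise ValueError("length byte disagrees with frame size")
    fields, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated parameter header")
        ptype, plen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("parameter runs past end of frame")
        name = PARAMS.get(ptype, f"unknown_0x{ptype:02x}")
        text = value.decode("ascii", errors="replace")
        fields[name] = ABSENT.get(text, text) if name.endswith("_absent") else text
        i += 2 + plen
    return fields


if __name__ == "__main__":
    # Every field is sender-supplied text; the checksum only catches line noise.
    print(parse_mdmf(SAMPLE))
```

The only integrity field is an unkeyed one-byte checksum, which is why the number and name are display data rather than proof of origin.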
The system that 1-800 numbers and 911 calls use is different than caller id. And yes, you could use a PBX and pick any random number. Kevin Mitnick (hypothetically) used it in his book to give a number like "x213" to make it look like a call was internal.
How long until someone puts all that in a cheap appliance (say a cordless phone base) so that the base screens calls and only rings the handsets if the caller is authorized? Or do they have that now?
They did have it now. Microsoft made a 900 MHz cordless phone with this feature. It relied on computer software (the phone base had an RS232 port), but worked very well. I still have it laying around, but don't use it anymore as the software doesn't run on anything later than Windows 98.
Microsoft should really concentrate on what they're good at: Hardware.
Maybe I'm just getting old, but doesn't this seem lame as hell? Sure it's fun calling up your buddy's T-Mobile cell phone # and getting into his VM, changing his greeting to something obscene..but..
Doesn't this just seem rather weak? It's only fun for about 5 minutes and has been around forever. For me, it's like the equivalent of spoofing smtp headers. MAN, THAT WAS FUN IN 1994...
I guess I'm just getting old and bitter.
1) Payment by paypal only (no problem for me)
2) Service then lets you log in, but it's not secure (no encryption, wth!) so choose a temp password that you wouldn't mind someone stealing
3) You enter the "target" number, your number then 10 digit caller ID string
4) As soon as you hit submit, it does call you, calls the other number and bridges them together.
5) But!! The caller ID string does not work. I've tested this with several land line phones, cell phones, etc. I always show up as "unknown".
Conclusion:
Allows bridge calls but does not produce the caller ID string you put in. So this service is a bust in my opinion.
Case closed
I don't know about you, but I'd *way* rather give a potentially crooked company five bucks via PayPal, instead of my credit card number.
Do daemons dream of electric sleep()?