Slashdot Mirror
Caller ID Spoofing for the Masses
lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"
I am not a proponent of bigger government but I think that this is something that should be made illegal. Communication is too important to our society. It's one thing to block your I.D., it's a whole 'nother thing to falsify it.
It is most likely a mistake for them to boast of their annonymity. Someone will figure out who they are and I am betting that more than intrepid hacker will take down Camophone's website repeatedly.
We should keep track of this one for a while, it should get real interesting.
http://www.busyweather.com/
you can already do this using an asterisk pbx and a VoIP provider. Although once this starts being abused I doubt it will remain a feature.
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
I signed up for the service while this article was still in the mysterious future. Tried it out, didn't work.
I got to file my first Paypal dispute claim!
Seriously though, the website is just text and there's no contact info for anything.
Scam.
Now we will have scammers blackmailing businesses with the threat of sending falsified phone calls to the general public.
Or /. it!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Of the /. story, that is? Their website is currently up (this posting will probably be the 10th or so), but is surprisingly minimal. No images at all. Plain, unadorned HTML. Not even a CSS file.
I have a feeling they'll withstand the slashdotting.
This could make telemarketing nearly untraceable, a company just uses a call center that utilizes this technology, and people will never know where the phone call is coming from. Imagine getting a phone call from a telemarketer, and it says 911 on the caller ID.
I'm glad this happened. I am so sick of people using Caller ID as an authentication mechanism. It has been so easy to spoof if you had connections before and is even moreso now.
:)
My cell phone doesn't even require a password to get to my voicemail because it uses caller id. Every credit card I've activated required me to call from my home number, verifying it with caller id. When I order pizzas, they verify I am who I say I am with caller id.
It is ridiculous and is worthless as an authentication mechanism. Its only use is a convienience, to decide if you want to answer the phone. Lesson: don't rack up bills you can't pay
Anyway, it's always nice to have another way to screw with your friends' minds.
With such a professional-looking website I can't see how this can possibly go wrong.
So which one of you smartasses is messing with me?
...911 calls you!
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
to get a call from Jack Mehoff.
This company is probably nothing more than someone running Asterisk, using Nufone for the PSTN service.
/var/spool/asterisk/outgoing and bridge the two calls together.
A simple php script will dump a callfile into
Then all you need to do is write something to manage user accounts, and accept paypal payments and bam. You've got camophone.com.
This whole configuration could probably be whipped up in a day.
Figured $5 through PayPal (and yes, it really was PayPal, not some spoofed tab or scam site) was worthwhile.
However, even though their FAQ said it would be ready in 30 seconds, my account still shows zero minutes. Don't know if that's because PayPal takes a while to do the transfer, but I wasn't about to use a credit card with them.
For what it's worth, their "Privacy Guard" service page looks like this:
Camophone.com Home | Login to Privacy Guard | Frequently Asked Questions | Signup for Service
Logged in: das
Time Remaining in Seconds: 0
Time Remaining in Minutes: 0
Recharge Account
Enter all phone numbers without a leading "1" and with no dashes or spaces. Example: 9095551212
Caller ID must be ten digits to be passed properly through the telephone network. When the system calls you, the caller ID you set will be sent to you as well.
number to call [recipient]: (format: NPANXXXXXX)
your number [caller]: (format: NPANXXXXXX)
caller ID to send:
Why do we need the government, when our address books can authenticate the caller cryptographically? Unfamiliar callers should all be treated as untrustworthy until proven otherwise. That can be established through an automated web of trust, and callback, or shunted to voicemail or /dev/null. Distributed software is much better protection than the FBI, much cheaper, and doesn't come with dirty stormtrooper boots muddying up your foyer.
--
make install -not war
I know for a while there has been a phreaking tool called Orange Box, which supposedly lets you spoof caller ID. But my understanding is it only works *after* the other person has picked up the phone, so it's not really good for much, or at least it's a lot trickier to take advantage of.
Of course, there is a very cool software version of this tool: Software Orange Box, here. You enter in the caller ID details you want to spoof, and it generates the phone tones that transmit that data, which you can then play thru your speakers and to the phone, or connect directly to the phone for better results.
Again, it's not a great spoofer, but it is pretty cool to mess around with.
this is *the* faq on orange boxing.
-------------
Rate free iPod offers: RateTheOffers.com
(Flat screens and Desktop PCs too)
When someone offers a reliable, professional version of this service that's affordable to everyone, people will stop trusting Caller-ID and stop paying for it.
You'll also see political pressure to regulate such services, mostly from the telcos who see revenue from CID drying up. Eventually, I think a compromise will be reached:
You'll be allowed to spoof your ID, provided it's from a non-existant # or a # you have permission to use. There will also be a legal requirement to keep logs so the police or civil courts can issue subpeonas.
Under such rules, people who want true anonymity will be forced to use international versions of this service which will show up as "out of area" or as an international #, or break the law.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"Hi, this is the Big Name Legitimate Charity, we're raising money to promote the glorious teachings of Adolf Hitler. Would you care to make a donation [click] hello? hello?"
Word spreads, and Big Name Legitmate Charity's contributions dry up.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Honestly, it's much simpler and cheaper than constantly trying to "one up" the next technological doohickey.
Just my Luddite $.02
blue
Folks, I'm all for cool technology, and I realize one can spoof caller id information. But caller ID can be a very good thing. I know...
Three years ago I had the very unpleasant surprise of finding out my (ex) wife was having an affair. Unfortunately, she had also decided on using tactics designed to ensure her utter victory in the divorce. She'd actually purchased books (I saw them), giving her advice on dirty divorce tactics - "Divorce War! 50 Strategies Every Woman Needs to Know to Win." Apparently, one of the recommended strategies was to call your ex and try to drive him nuts - hopefully he'll say something nasty and you'll be able to bring it up in court, etc.
Well, I realized what she was doing once I started getting anonymous calls at 2:00 - 3:00 AM. Strange, nasty stuff, weird messages. Technology was actually useful - the caller ID information allowed me to get a pretty damn good idea of who was calling. (Hint would-be-nasty-callers: remember to hit *69 before you call!). The police thought it was fun, too. Caller ID and outright stupidity saved the day.
Look, in my case I wasn't directly threatened. it was cruel, it was viscous, it was nasty. But I was never in any danger. However, what if it had been something dangerous? When one's depressed, your willing to listen to anything - and when you see the ID comes out as "Police" or "Crisis Center" - you could be lured into a bad situation. This is real folks - stalkers are out there, I've seen and heard it.
All technology can be abused, I know that. But in this case, let's try to prevent a service which provides fundamental identification information from being turned into something potentially dangerous.
Incidentally, she pretty much wiped me out. Bummer. But all in all, it was for the best...
/* Dang, I can't type that well. */
Just use a calling card...
I have a calling card that I got through WalMart. The caller ID comes up as Denver, CO. I live in PA. This is via my cell or my land-line...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
No one's mentioned that Caller ID isn't really used for that much authentication. Let me give you a little bit of background on caller ID.
There is actually two types of calling number identification one being the popular Caller ID which as we know can be manipulated and blocked and the other being ANI or Automatic Number Identification which the user has no (or minimal) control over. Caller ID is used for the little displays on your phone and can have a flag set to block it, as well as define what number displays usually on outbound or two way trunks for use with DID (Direct Inward Dialing).
The reason the phone companies allow you to set your outbound caller ID is so when you are using DID, you can have people reach you back directly instead of thru the companies generic number. Now a little bit of background on DID: Mid and large sized companies use DID for everything, it's how everyone has a seperate phone number or fax number on their desk. It would be uneconomical for the businesses to bring in a seperate phone line for everone in the office, so they share them. So say for example a company with 100 employees would have a block of 100 phone numbers, but only 23 incoming phone lines, any number can come in on any one of those phone lines and the company's PBX determines which desk to route the call to. Pretty simple. So when an employee wants to make a call, again he can use any phone line, and the PBX sets the outbound caller ID to his real number so it's easy for people to call him back. Some phone companies limit you to what Caller ID data you can send them, (which makes sense that you can only have outbound Caller ID on numbers that are in your block.)
ANI always knows the calling trunk, and location. It's what's used for credit card verification, 911, etc. You can't block it and usually can't set it. ANI is transmitted (amongst other things) over SS7, which is basically an out of band protcol (which actually does carry caller ID too) that is used between switches. Few companies have phone systems that speak SS7, or a link into the SS7 network for that matter, it's just not useful. Phone companies would crack down pretty hard on fake SS7 info, because they could loose money on billing.
So in summary, Caller ID - not secure, ANI - A little more secure.
They're already using the email. Why, just the other day, I received a message from Citibank telling me that they needed to re-verify my identity. They even provided a really easy-to-access web site for me to enter my card number and personal information, no sweat. The really cool thing is that I don't even have a Citibank card yet. Talk about proactive!
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Call the local operator and ask them to place your call to the toll-free number. Obviously this doesn't work with toll calls, but they'll do it for you on toll free calls. It's been a while since I tried it, since I have little reason to hide when placing calls, but it's surprising how often they have no trouble doing it for you. I was never even asked why I wanted them to place the call.
[insert sig file here]
Maybe I'm just getting old, but doesn't this seem lame as hell? Sure it's fun calling up your buddies T-Mobile cell phone # and getting into his VM, changing his greeting to something ubscene..but..
Doesn't this just seem rather weak? It's only fun for about 5 minutes and has been around forever. For me, it's like the equivilent of spoofing smtp headers. MAN, THAT WAS FUN IN 1994...
I guess I'm just getting old and bitter.
1) Payment by paypal only (no problem for me)
2) Service then lets you log in, but it's not secure (no encryption, wth!) so choose a temp password that you wouldn't mind someone stealing
3) You enter the "target" number, your number then 10 digit caller ID string
4) As soon as you hit submit, it does call you, calls the other number and bridge them together.
5) But!! The caller ID string does not work. I've tested this with several land line phones, cell phones, etc. I always show up as "unknown".
Conclusion:
Allows bridge calls but does not produce the caller ID string you put in. So this service is a bust in my opinion.
Case closed