Caller ID Spoofing for the Masses

lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"

Somebody will figure it out

[erick99]

I am assuming that someone will figure out who the owner(s) of this company is/are. PayPal would have some information but even that could be mostly false accept for an actual checking account number. Would a law enforecement agency be able to track down the owners?

I am not a proponent of bigger government but I think that this is something that should be made illegal. Communication is too important to our society. It's one thing to block your I.D., it's a whole 'nother thing to falsify it.

It is most likely a mistake for them to boast of their annonymity. Someone will figure out who they are and I am betting that more than intrepid hacker will take down Camophone's website repeatedly.

We should keep track of this one for a while, it should get real interesting.

do this for free

[Prophetic_Truth]

you can already do this using an asterisk pbx and a VoIP provider. Although once this starts being abused I doubt it will remain a feature.

Re:do this for free

[Lumpy]

for about 3 weeks back in 1999 I had the new PBX here reporting our outgoing caller ID information as "Touch my Monkey"

we were setting it up, messing around and forgot to set it to the company information after we put it online.

The Director of sales was, for some strange reason, not amused.

Doesn't Work

[The_Rippa]

I signed up for the service while this article was still in the mysterious future. Tried it out, didn't work.

I got to file my first Paypal dispute claim!

Seriously though, the website is just text and there's no contact info for anything.

Scam.

Oh no!

[mconeone]

Now we will have scammers blackmailing businesses with the threat of sending falsified phone calls to the general public.

Telemarketing

[Ambient_Developer]

This could make telemarketing nearly untraceable, a company just uses a call center that utilizes this technology, and people will never know where the phone call is coming from. Imagine getting a phone call from a telemarketer, and it says 911 on the caller ID.

Glad

[alatesystems]

I'm glad this happened. I am so sick of people using Caller ID as an authentication mechanism. It has been so easy to spoof if you had connections before and is even moreso now.

My cell phone doesn't even require a password to get to my voicemail because it uses caller id. Every credit card I've activated required me to call from my home number, verifying it with caller id. When I order pizzas, they verify I am who I say I am with caller id.

It is ridiculous and is worthless as an authentication mechanism. Its only use is a convienience, to decide if you want to answer the phone. Lesson: don't rack up bills you can't pay :)

Anyway, it's always nice to have another way to screw with your friends' minds.

Re:Glad

[JUSTONEMORELATTE]

You're mixing callerID (in the case of "voice mail access without password") with ANI (in the case of credit card activation)
CallerID is spoofable, but ANI info is not. Any time you call an 800 number (or 888, or 877, or any of the other variants that are out now) your info is sent prior to the first ring. This is ANI (Automatic Number Identification? It's been a while. I'm sure someone will correct me if I've got it wrong :) You can't disable this with star codes, or with the "Private Name" feature of callerID blocking.
CallerID, on the other hand, can be enabled or disabled, and can be spoofed.

Easy way to remember -- who's paying for the call? If it's you, then it's callerID. If it's the other guy, then it's ANI.
--

I also signed up...

[daveschroeder]

Figured $5 through PayPal (and yes, it really was PayPal, not some spoofed tab or scam site) was worthwhile.

However, even though their FAQ said it would be ready in 30 seconds, my account still shows zero minutes. Don't know if that's because PayPal takes a while to do the transfer, but I wasn't about to use a credit card with them.

For what it's worth, their "Privacy Guard" service page looks like this:

Camophone.com Home | Login to Privacy Guard | Frequently Asked Questions | Signup for Service

Logged in: das
Time Remaining in Seconds: 0
Time Remaining in Minutes: 0
Recharge Account

Enter all phone numbers without a leading "1" and with no dashes or spaces. Example: 9095551212
Caller ID must be ten digits to be passed properly through the telephone network. When the system calls you, the caller ID you set will be sent to you as well.
number to call [recipient]: (format: NPANXXXXXX)
your number [caller]: (format: NPANXXXXXX)
caller ID to send:

A horrible idea, real experience...

[bstarrfield]

Folks, I'm all for cool technology, and I realize one can spoof caller id information. But caller ID can be a very good thing. I know...

Three years ago I had the very unpleasant surprise of finding out my (ex) wife was having an affair. Unfortunately, she had also decided on using tactics designed to ensure her utter victory in the divorce. She'd actually purchased books (I saw them), giving her advice on dirty divorce tactics - "Divorce War! 50 Strategies Every Woman Needs to Know to Win." Apparently, one of the recommended strategies was to call your ex and try to drive him nuts - hopefully he'll say something nasty and you'll be able to bring it up in court, etc.

Well, I realized what she was doing once I started getting anonymous calls at 2:00 - 3:00 AM. Strange, nasty stuff, weird messages. Technology was actually useful - the caller ID information allowed me to get a pretty damn good idea of who was calling. (Hint would-be-nasty-callers: remember to hit *69 before you call!). The police thought it was fun, too. Caller ID and outright stupidity saved the day.

Look, in my case I wasn't directly threatened. it was cruel, it was viscous, it was nasty. But I was never in any danger. However, what if it had been something dangerous? When one's depressed, your willing to listen to anything - and when you see the ID comes out as "Police" or "Crisis Center" - you could be lured into a bad situation. This is real folks - stalkers are out there, I've seen and heard it.

All technology can be abused, I know that. But in this case, let's try to prevent a service which provides fundamental identification information from being turned into something potentially dangerous.

Incidentally, she pretty much wiped me out. Bummer. But all in all, it was for the best...

Re:A horrible idea, real experience...

[Lumpy]

I'll add some tips for guys looking down the double barrel gun of divorce.

#1 - never EVER meet her without a witness. period. No excuses, nada...

#2 - get a telephone recording device and install it. RECORD EVERY phone call. get in the habit of saying first thing. I am recording this.... if your state requires it, in michigan only one person in the conversation has to know it... you.

#3 - at the first sign of things going wrong, get a GOOD lawyer, one that is specific to helping men in divorce, or the best lawyer in town. This is the best thing to do. Do not give her any money, have it go through the lawyers only and only if ordered to by a judge or advise to by the lawyers.. why do you want to finance her fight against you? you need an audit trail. I went the expensive route hiring the best lawyer in town... I ran and controlled the divorce. Secondly, if you file for it first, you are in the drivers seat.... beat her to the punch.

#4 - document everything... absolutely everything. keep a logbook and write down everything that happen's and everything you notice.

Finally, if you are going to hide assets, dont. if you did not liquidate things the second you thought things were getting a little wierd and before she/you left then you are breaking the law... The judge will fry your ass hard if you try to hide assets.

Lastly you need to keep your nose clean. be perfect for the next year as things progress. act like you are being watched, (you might be) followed, (you might be) or recorded (you probably are). DO NOT be vengeful. this is the time to be the mature adult... if friends offer to do things tell them loudly "NO! are you crazy!" having them replace her taillights with burned out bulbs when she goes to the bar, let's air out of tires, puts a I hate F**king cops bumpersticker on her car and other things is a very bad idea. do not be a part of it and do NOT be connected to it.

Finally prank calls using this spoofing service is also stupid. it is not worth it to lose over something stupid.

I'll probably get modded offtopic, but if I can help a fellow guy from getting screwed hard by his soon-to-be ex.... then the points are certianly worth it.

SS7 - ANI

[Qbans]

No one's mentioned that Caller ID isn't really used for that much authentication. Let me give you a little bit of background on caller ID.

There is actually two types of calling number identification one being the popular Caller ID which as we know can be manipulated and blocked and the other being ANI or Automatic Number Identification which the user has no (or minimal) control over. Caller ID is used for the little displays on your phone and can have a flag set to block it, as well as define what number displays usually on outbound or two way trunks for use with DID (Direct Inward Dialing).

The reason the phone companies allow you to set your outbound caller ID is so when you are using DID, you can have people reach you back directly instead of thru the companies generic number. Now a little bit of background on DID: Mid and large sized companies use DID for everything, it's how everyone has a seperate phone number or fax number on their desk. It would be uneconomical for the businesses to bring in a seperate phone line for everone in the office, so they share them. So say for example a company with 100 employees would have a block of 100 phone numbers, but only 23 incoming phone lines, any number can come in on any one of those phone lines and the company's PBX determines which desk to route the call to. Pretty simple. So when an employee wants to make a call, again he can use any phone line, and the PBX sets the outbound caller ID to his real number so it's easy for people to call him back. Some phone companies limit you to what Caller ID data you can send them, (which makes sense that you can only have outbound Caller ID on numbers that are in your block.)

ANI always knows the calling trunk, and location. It's what's used for credit card verification, 911, etc. You can't block it and usually can't set it. ANI is transmitted (amongst other things) over SS7, which is basically an out of band protcol (which actually does carry caller ID too) that is used between switches. Few companies have phone systems that speak SS7, or a link into the SS7 network for that matter, it's just not useful. Phone companies would crack down pretty hard on fake SS7 info, because they could loose money on billing.

So in summary, Caller ID - not secure, ANI - A little more secure.

Re:Until a few years ago, it pretty much WAS good

[GreyPoopon]

I expect within a couple years that credit card companies will be doing call-back verification - you call them, then they call you back AND send you a confirmation in the mail.

They're already using the email. Why, just the other day, I received a message from Citibank telling me that they needed to re-verify my identity. They even provided a really easy-to-access web site for me to enter my card number and personal information, no sweat. The really cool thing is that I don't even have a Citibank card yet. Talk about proactive!