Slashdot Mirror
Handling Caller ID Spoofing?
An anonymous reader writes "A nice little old lady I know has had her number spoofed by some car warranty scammers. They're calling hundreds of potential victims per day pretending to use her phone number, and the angry ones call her back; some of them have even left death threats. She's terrified. Some well-intending anti-telemarketing folks have posted her address on the 'net as well. How can we figure out where these scammer bastards are, and what's the state of the current legislation to prevent caller ID spoofing? I called the FBI in Boston (near where she lives) and they said they can't help. She's called her phone company, but they said they can't help either. She's had the same number for over 50 years and doesn't want to change it." If the Feds can't or won't handle it, what's the best approach here?
Call local elected reps (state & federal) saying that you're unable to get anyone to deal with the issue. Call the FBI in DC as well. If she's getting interstate death threats, that's illegal and the FBI can call the people back. I've had good luck with my local FBI office (Ann Arbor) when I received an interstate death threat.
In Canada, we have a governing body similar to your FCC called the CRTC. Whenever we have such problems we can contact them and they'll conduct an investigation. So far I've put an end to three instances of harassing telemarketing / late night fax blitzing. I'd contact the FCC next, see what they have to say. Someone somewhere is in charge of moderating this...
I'm guessing based on my own experience with calls from various phone scammers that they left a 1-800 call back number, right?
If thats the case, see if you can figure out who sold the 1-800 number. I have been dealing with annoying bogus credit counselors that won't stop calling and leaving their 1-800 numbers as callbacks. There are some good resources for this stuff online that may be able to help you find the company who sold the number - they are sold similarly to web domains, though without any obligation to anyone to release the data on who has it.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I'd call the FBI and the telephone company again. Be firm but polite when asking for help. Get names and phone numbers of everyone you talk to. If that person says no, ask for the next person up in the chain of command.
Oftentimes, people just don't know how to ask for help correctly when contacting an agency such as the FBI or telephone company. If she can't clearly articulate the problem to the person on the other end of the phone they simply might not be aware of the issue or its ramifications.
If you're able to clearly articulate the issue and still get denied, start writing letters. To the SAC of the local FBI office, or as high up as you can go to the telco. And as others suggested, contact the media: the local newspaper omsbudman, the local TV station's investigative reporter. And also as others have suggested contact your local elected representatives.
I'm not defending the FBI or phone company, but I've seen instances where a problem simply isn't stated clearly enough for the other party to understand what's going on. So the first thing to do is ensure that when the FBI and telco are involved, that the problem is stated in correct terms (and that you're talking to the proper person in the organization).
I think you have to actually defraud someone out of money for it to be wire fraud. Otherwise, I think it's just "wire lying".
If they spoofed her caller ID and then called and got Social Security to send them her checks, that would be wire fraud.
-Peter
The idea of contacting the news media is a good idea. But first she should contact the person who represents her district in the U.S. Congress and the person who represents her district in the State legislature. Many times these individuals are happy to go to bat for someone like this little old lady. There is a federal law against spoofing caller id.
The truth is that all men having power ought to be mistrusted. James Madison
The phone companies shall have so called call data records, often declared as CDR:s. These provide information about the calls made to/from a certain number. Using these records it is possible to back-track the phone call to the originating operator. The phone companies have a lot of information available to allow for tracking, but since it requires a lot of work to dig through the data they are very reluctant to do so.
Another way is to catch on to the caller and check who purchased their service and then follow the money trail.
Unfortunately it is possible that the caller that spoofs the number is offshore somewhere.
And if the FBI won't help, I suggest that you also check other channels of law enforcement and keep everything in writing so that you have a history to refer to. Taking help from a lawyer may be one way to continue this. It's always interesting if you can get in touch with the right lawyer who knows which buttons to push to get some results.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
http://www.digitcom.net/
I can't believe what I am reading. A lot of people are talking about different methods the FBI should use to trace these people. Some people are saying take this to the media to shame those agencies into doing something. THEY CAN'T. There are two methods for caller ID spoofing. There is one method that is completely untraceable. This lady is SOL. The reason why those agencies haven't taken action is because they CAN'T. Her best option is to change her number.
This probably won't help, since telemarketers probably wouldn't call VoIP DIDs, especially if they are doing sketchy stuff like this. However, if you're receiving their calls and happen to be using a SIP phone, this comment is for you. I don't know of how people would mask their caller ID on a normal land line. Of course people can get those caller ID spoof cards, but where are they calling when they call those numbers? Chances are, it's a VoIP service. If someone who has a SIP phone is called by these telemarketers, they may be able to retrieve their real caller ID. Unless the telemarketers really know what they're doing, they probably only changed the caller ID field in the SIP header, and didn't touch the P-Asserted-Identity field. Using asterisk, one can obtain the caller ID out of the P-Asserted-Identity field like this, before having the phone ring of course: exten => s,1,Set(passertedid=${SIP_HEADER(P-Asserted-Identity)}) exten => s,2,Set(CALLERID(all)=${CUT(passertedid,@,1):5})
Technically, abuses like this fall under the Federal Trade Commission. They have a website for taking complaints: https://www.ftccomplaintassistant.gov/
Unfortunately, her best option is still to get a new phone number.
There has been a recent rash of telemarketing calls particularly to cell phones using spoofed caller ID. The calls are being made from spoofed caller IDs because it is illegal to make telemarketing calls to cell phones and whoever is doing this does not want to be easily traced.
In my experience, everything about cellular is a rip off. They need to be regulated by consumer advocacy and engineers - not payola politicians. If we pass laws that make them PAY I bet they'll figure out how to handle all those FREE MINUTES before its streamed to the Fed's data mine. Face it people, Cellular somehow accounts for every dollar that they steal from us on 2 year "contracts". If they have to pay, then they'll fix it, yesterday! Lets fire up some torches angry villagers !!
Here they are: http://www.digitcom.net/
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Actually... they can send whatever ANI(caller ID) they choose. Almost all telcos rely on the sending party to provide accurate ANI information when using any kind of digital trunking.
I can (since I have access to my pbx here at work) tell my phone to display 900-555-1234 on external caller ID if I so choose, regardless of if it's valid or not. I can also choose to send nothing, in which case you would receive the standard 'Unavailable' or 'Restricted' depending on how your telco handles missing ANI information.
I've worked accounts receivable before. If you call a company and don't like the answer you get, be polite, say thank you, then hang up. Call back immediately and 9 times out of 10, you get a different person. It's called "shopping", and people do it with doctors, salesmen, and even government offices. Call back until you get the answer you want or someone who's willing to help.
Evil Walrus >83=
WEST LOS ANGELES
12923 Venice Blvd, Los Angeles, CA 90066
(On Venice Blvd. between Lincoln and Beethoven,
across the street from Venice High School)
Phone (310) 358-7000
(800) 464-5446
Fax (310) 437-4105
Dosn't matter a bit FBI? CIA? RGB? TFB?
If she was getting call backs, she should tell EVERY ONE WHO CALLS, AWS are scammers, and they should register with the FTC: and START Signed and dated PHONE LOGS. Every one I hear gets these phone calls, I show them the origional post card that started it all, and my phone log. I have clued in about 20 people, and we have filed over 15 reports for illegal telemarketing contact, i.e. Dont call EVER, and ... they ... call @ $500 per complaint.
http://www.ftc.gov/
Scammer name:
Automotive Warranty Solutions
6501 congress ave, ste 140, boca raton, fl 33487
877-700-5880,
Call their 800 number, and ask to be put on their do not call list. ( just everone call plz )
This is a Attorney General who is taking this problem seriously. ( Note: California and Florida are probibly NOT ):
http://www.ct.gov/AG/cwp/view.asp?A=2795&Q=411422
a blogger who did a lot of flatfoot work:
http://www.markturner.net/2007/11/08/car-warranty-scam-continued/
Remember: REMEMBER! Documented phone logs make diffrence. If you can document DNC and the call back time and date. Give them a call and get on their DNC list ANYWAY. So when they do call...
Ah, well lucky for her that the federal wire fraud statute punishes a scheme to defraud, not just the fraud itself. So if somebody is using communications in interstate commerce in a scheme to defraud, it's illegal. The hard part is getting a US Attorney to prosecute.
dom
The US Senate Committee on Commerce, Science, and Transportation passed S. 704, a bill that would make it a crime to spoof caller ID.
Dubbed the "Truth in Caller ID Act of 2007," the bill would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempted from the rule.
Specifically these sections:
SEC. 2. PROHIBITION REGARDING MANIPULATION OF CALLER IDENTIFICATION INFORMATION.
Section 227 of the Communications Act of 1934 (47 U.S.C. 227) is amended -
(1) by redesignating subsections (e), (f), and (g) as subsections (f), (g), and (h), respectively; and
(2) by inserting after subsection (d) the following new subsection:
`(e) Prohibition on Provision of Inaccurate Caller Identification Information. -
`(1) IN GENERAL - It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such transmission is exempted pursuant to paragraph (3)(B).
`(3) REGULATIONS -
`(A) IN GENERAL - Not later than 6 months after the enactment of this subsection, the Commission shall prescribe regulations to implement this subsection.
`(B) CONTENT OF REGULATIONS -
`(i) IN GENERAL - The regulations required under subparagraph (A) shall include such exemptions from the prohibition under paragraph (1) as the Commission determines is appropriate.
`(ii) SPECIFIC EXEMPTION FOR LAW ENFORCEMENT AGENCIES OR COURT ORDERS - The regulations required under subparagraph (A) shall exempt from the prohibition under paragraph (1) transmissions in connection with -
`(I) any authorized activity of a law enforcement agency; or
`(II) a court order that specifically authorizes the use of caller identification manipulation.
Law enforcement is negligent if they fail to take action. IMO - If the Law doesn't work, the local newspaper and/or television station might get the ball rolling.
To avoid corruption, one must remain dishonest.
First off, I like the idea of intercepting this with an auto attendant, I think that's the simplest and most important thing you can do in the short term. I think you could ask your local telco if they can put an intercept message on the line - that should be completely possible. If not, look for some kind of device that will pick up, play back a recorded message, then pass the call on to the phone. A service like this would work well but costs money:
http://www.americanvoicemail.com/autoattendant.html
Or, you can probably do some call forwarding tricks, but that will require switching the number to a different carrier because a regular 1FR line won't do the necessary tricks.
Oh, and some idiot on this forum is going to suggest doing some tricks with Asterisk - ignore them because it's 20 times more work than you need to do and in the end it's just going to confuse her.
To really nab these guys, you're going to need to some how trace it back to the origin, and that's going to be damn hard. If you can't get a callback number to trace it with, then it would be nice if you could some how get ANI (automatic number identification) information. And that could be possible. Do it this way: find an agreeable caller who'll work to help nab this guy. Then get them to go to their telco and request their phone records get pulled and the ANI from the phone call retrieved. Then go to the telco's with that ANI and find out who owns it. Anyone can spoof caller ID, but it takes some real magic to spoof ANI. (Unfortunately some carriers toss away ANI records and translate caller ID to ANI, so be careful. It may take a few interations to get that info.)
Now, that's still probably not going to work. I have no doubt these guys are offshore and using a VOIP box (probably Asterisk, lol). The VOIP calls terminate to a VOIP carrier in the US with an account that was set up under some fraudulent information. Then that VOIP carrier is peered with the real telco's via some regular old PRI's and that's the ANI information you'll get. However, I have no doubt that somewhere, some how a bill is generated and paid for, so if you can get to the VOIP carrier, you might be able to track this down.
----- obSig
ANI and Caller ID are not the same. You can send whatever Caller ID you want, but you can't change the ANI data. http://en.wikipedia.org/wiki/Automatic_number_identification
The same reason we don't have a reliable traceback system for email...
Security wasn't a concern when it was designed.
There is a hardware product (google "Caller ID Manager") that costs about $100 which can enable white-list filtering on her phone. White list filtering means she enters a list of phone numbers she wants to ring through. Numbers not on her white list go either to voicemail or just get lost. This box wouldn't stop angry strangers from leaving a message, but it would stop them from ringing her phone.
You are thinking about the CCS7 switching protocol in comparison to the Calling Name and Number system.
CCS7 is the protocol that's used to send originating/terminating phone number information across the telephone system in order to help route calls. The Calling Name and Number system is used to send phone number/customer name information to a telephone set. CCS7 cannot be lied to, as it's populated by the telephone company on a per call basic. The Calling Name and Number system can be lied to, as in certain cases (for instance, a telemarketer with a PRI) it's actually the CUSTOMER that provides the information.
Quandary in the Making
The people suggesting "call the media" are not wanting the media on the scammers. They're wanting the media on the law enforcement officials so they will go after the scammers.
upon the advice of my lawyer, i have no sig at this time
No they can't. CallerID is spoofable. ANI is not.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I would contact your State Attorney General's office. The terminating and transit carriers rely on originating carrier to pass the originating number. The terminating and transit carriers may have event records which provides a trunk ID which may indicate what network passed the call to the terminating carrier. If each transit carrier has the same type of record you may eventually identify the originating carrier. Then the originating carrier can search their records for the terminating number and that may identify the source. This assumes you can convince each carrier in the link to provide records (which may not exist) and may get lucky and identify the source. This works whether VoIP or circuits are used if the carriers keep records. After all that you may find the source to be worthless (prepaid phone or international location for example). Since the source is telemarketing calls I suspect they have a brick and mortar building somewhere.
A CDR may or may not have accurate information as to the source of the call. If the call is entirely local (the LEC handles call termination on both ends as well as transit), then it should have all the information. However, if the call transits a different carrier, then the LEC that handles termination for the target of the scammer only knows the caller ID that was passed to it from the transit carrier. If it's unknown, then that's what is passed into the CDR. You may be able to glean other source information about the handoff to the transit carrier, then get THEM involved to find the call that was routed to that handoff at that time, and so on.
Oh, and since those aren't her calls (the scammer wasn't calling HER), then you must have a subpoena. If one of the scam targets cooperates, then THEY might be able to request their own records, but to get intervening carriers to cooperate, you'll need a lawyer or law enforcement. I'd try the latter, first. Keywords like "terroristic threats" and such may get you some attention. Once you know it crosses state lines, and perhaps some idea of how wide sweeping the scope is, then you might have something the FBI can/will look at. Try your local state bureau of investigation first, as they may have more immediate resources.
Ob. disclaimer: Though employed in telecom, I am not a lawyer.
Dump the IRS - http://www.fairtax.org
Wrong, neither of those entities are supposed to take care of this king of thing.
The correct agencies are the FCC and the FTC.
Here is an article about Caller ID fraud that gives the contact name and number for the FTC investigator in charge of this kind of thing.
http://www.ftc.gov/opa/2006/05/scorpio.shtm
It is from 2006, so the hierarchy may have changed, but it will send you to the right office. It the number doesn't work call - 1-877-FTC-HELP
I've got AT&T on the home phone and I'm required to enter a password when I try to check my voicemail from the home phone.
Maybe it's a regional thing (I was originally a BellSouth customer).
*sigh* back to work...
However, if the call transits a different carrier, then the LEC that handles termination for the target of the scammer only knows the caller ID that was passed to it from the transit carrier.
That's not entirely accurate. ANI exists separately from caller id and is generally much harder to spoof. The LEC probably has access to this information -- whether or not they will share it with you sans subpoena is another matter altogether.....
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
on my voice mail it says to "enter your password followed by the # key" but if you're calling from the number associated by the account you can simply press "#" and get your voice mail... it doesn't say it on the message but that's how it works.
Collector's Edition
Varies by corporation. Part of my job is to read those letters. I read every single one of them, in English and in French, that gets sent to us, and I decide what, if any, action is needed on them. And I see too it that when action is required, it gets done. That means ensuring that customers are given the service to which they have a right, but it also means protecting the company's interests... generally, as long as your request is reasonable, I have a lot of authority to help you. But there has to be some compromise... if you're demanding that I replace your product years after you bought it because you dropped it off a balcony, and you're threatening to sue us if I don't (a request I got last week), my response is going to be an invitation to bring it on.
And I know for a fact that everybody who answers the phone knows exactly where to find information like our corporate mailing address so they can give it with minimum fuss when asked. Hell, it's on the transfer list of extensions we give to our operators, so you can call our toll free, press zero, and the first person who answers can give you our mailing address without any fuss. They've got our Canada head office contact information in Toronto, and they've got our Global head office contact information in the states, and they know exactly where to go on the intranet to find addresses for any of our global offices: it's part of their initial training.
That, again, varies by company. If you're not getting anywhere on the phone, you have a right to be frustrated. You're even entitled to raise your voice. But if you start to take those frustrations out on the person who's trying to help you as best they can, then our customer care, technical support, and sales teams are allowed to hang up on you. They are told, point blank, that they're not being paid to take abuse, and if they feel that you're abusing them, then it's at their discretion whether or not you've crossed the line. You get one warning, and then you get disconnected. And I've never seen anybody get fired over it... I've actually only ever seen one person get coaching on his call mangement skills. Management is there to protect the employees first. I've been with the company quite some time... I started in the sales department, and now I'm in customer relations. If you are wasting my time, and we are getting nowhere, I will tell you point blank: "these are your options, which do you want me to do?" If you don't take one of the options given, then I will tell you that at this point, there is nothing more to discuss, and I will hang up on you. We've actually severed business relations with customers rather than reverse my decisions on matters like that, too, at which point if they ever call again, they will be told "We choose not to do business with you, have a nice day." and be hung up on.
So be very careful who you yell at, because there are consequences.
If you believe everything you read, you'd better not read. - Japanese proverb
I've asked, they said it could not be changed.
Actually, I am sure that ANI is what is being spoofed here. (I have received calls from the same group myself.) ANI can be spoofed if the originating carrier allows, which is common practice for high-volume outbound automated calling campaigns. It is usually used legitimately to provide a number via which the called party can call back later if they miss the call or are disconnected.
(I work for a company which legitimately performs this sort of high-volume outbound calling.)
One other thing to note - this is actually the jursidiction of the FCC, not the FBI (at least not yet). As soon as you can prove that there is some sort of actual fraud going on beyond just violating FCC rules, then they might get involved.
That is not a solution. You can only find out who calls you. The source is the spammer who uses your phone number as caller ID when he calls other people (the people who then call you to complain, shout expletives, etc.)
Perhaps you're more familiar with email. There's an analogous problem with email spam: When a spammer uses your email address in the "from:" header, then you will find your inbox flooded with "no such user" errors, "we have received your message and will get back to you shortly" promises, out-of-office notices and various other automated replies, in addition to the occasional "fuck you, spammer, I've looked up your hoster and will get you disconnected" threats from clueless anger management candidates.
If you're lucky, then some of those messages will cite the spam back to you. If you're extra lucky, some of those will include complete headers. Most however will not give any indication who the person is who sent the message with your email address in the "from:" header. This is the norm with telephone communications, as there are no easily available "headers" which a spam target could relay to you.
You can try to have the phone company track down all irate callers (who see themselves as the victim) one by one, but what good is that going to do? You can just as well tell them when they call that someone else uses a fake caller ID with your number. You really want to get the spammer who causes all these people to get mad at you. That is not something that your phone company can help you with.
There are two "caller-id" fields that are sent in SS7 (the out-of-band signaling that occurs between telcos) -- the BTN (Bill To Number), and the CPN (Calling Party Number). The BTN refers to the actual carrier, and account number that is placing the call, and the CPN is what is displayed by consumer Caller-ID units.
Large customers who have direct access to SS7 information over ISDN would be able to pick up the BTN, which would identify, at the very worst, the caller's local exchange carrier.
The phone companies are not allowed to reveal the BTN to a consumer or police agency without a signed subpoena by a judge with jurisdiction of the crime. The only exception to the rule seems to be the whitehouse, but that is a different matter all together. There are direct FCC violations to reveal that information without the proper paperwork.
As far as the lady keeping her phone number, that is akin to somebody keeping their credit card number after fraud. Yes, it is the number that she has had for years, and its the number that everybody knows, but in all honesty, the number is black listed now. She hasn't had the number for 50 years, as in the 70's going into the 80's NuStar renumber all the phone numbers from 4,5, and 6 digits to 10 digit numbers.
You can't just "file a lawsuit," you have to allege some particular violation of civil law.
Not in the U.S.
\x72\x6D\x20\x2D\x72\x66
Defamation of character. These people think SHE is calling them. They are pretending to be her by calling "from" her number.
It's to the point where SHE is getting harassed and getting death threats. I think a judge would allow the discovery.
SS7 can be spoofed, too. It's just a lot more work and needs access very few people have. No telco I've ever worked at, with, or ever walked through would even know someone had set something like this up. (they don't expect it, nor look for it.)
PRI's use DNIS and ANI. They are not caller-id. Most phone companies ignore the information sent to them from a customer's PRI; the switch fills the origin of the call based on the origin of the call. Caller-id spoofing is rather easy as it's just a short burst of ancient modem tones (1200 baud) between rings. The real problem is dumb callerid hardware that will listen to any broadcast and not the one between first and second ring (the one sent by the telco equipment.)
Caller ID spoofing comprises a number of TCPA violations, most of which have explicit civil penalties.
The telco can transmit the caller ID info anyway, because they have no "intent to defraud, cause harm, or wrongfully obtain anything of value". Instead, this qualification should be removed so that the telco itself is disallowed to transmit a caller ID that is wrong. They have the means to determine if it is wrong (at least the first telco the caller is serviced by).
now we need to go OSS in diesel cars
It doesn't use Caller ID, it uses ANI, which is not the same thing.
I'm a call center engineer. Call center agents often use ANI as once point of caller authentication.
Most calling systems (eg. ACDs and PBXs) can insert any caller ID information with an outbound call, which is usually used to send out the generic 800 number for a company, but unfortunately it sometimes gets set to some poor old ladies home phone number.
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.