Caller ID R.I.P.?

| | Comments (2)

Caller ID has been compromised. No longer do you have the assurance that the number displayed on your ringing telephone actually represents the person on the other end of the line.

With the advent of so-called Caller ID spoofing services, anyone with a credit card can initiate outbound calls with the Caller ID of their choice. Aside from the fact that these services easily allow anyone to compromise the integrity of the Caller ID service, they also open up a number of critical security concerns across different voice-based systems.

Logging into my cellphone website account today, I noticed a security alert for the voicemail system. My provider's voicemail system has an option to bypass the requirement to enter your PIN if you're calling from your own cellphone. Hackers have been able to access the voicemail accounts of others through exploiting this 'feature'. If you have a cellphone voicemail account, you really should consider enabling PIN-based authentication.

Think about the other types of systems today that use Caller ID for authentication. Caller ID spoofing will have a big impact on all of these if it is the sole authentication token. Here's another example: Recently I received a replacement debit card, and, when I made the call to enable the card, it confirmed that it had matched my telephone number to the number on file and would not require any further confirmation. This is scary - banking institutions should seriously reconsider the authentication model used for new card enablement.

I'm not completely familiar with the intricacies of the switching network (SS7 et. al.), however I do hope that some steps are taken to restore integrity to the network. Caller ID is a useful feature, but, with the advent of spoofing services, its value has diminished.

2 Comments

Well said. Why hasn't this made bigger news I wonder?

Adam Hallett said:

It's been my experience that abuse of Caller ID isn't used just by hackers. I got a DID line from Voxeo that had been previously used to obtain free spoofed calls. I logged all the numbers calling the line and called them back to ask them why they used the service. Sure some of the kids use the service for pranks but others use it to evade their parents. They spoof their friends landline when they are really at their boyfriends house. Another thing that some people do is spoof an in network number and then call their friends so they can talk for hours at a time and their friends won't be charged for minutes.

About this Entry

This page contains a single entry by published on April 29, 2005 7:39 AM.

NASA's Java PathFinder was the previous entry in this blog.

quickSub 0.3.5 released is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.