How can caller ID be faked?Can the source of an SMS message be spoofed?How the hacker managed to steal a CNN tech reporter's phone number?Is it possible to make a phone call appear to come from another phone, even to the network provider?Bring your own phone to a (new) job: Consequences?Getting spam calls from numbers similar to my ownCan a telephone caller be authenticated?Accidentally calling a scammerHow advisable is to give my phone number as part of dating/ casually socializing?
Is it okay to have an email address called "SS"?
SQL Server trusted connection additional security
replacing single quotes with double quote in a file
ASCII Expansion
Multithreading program stuck in optimized mode but runs normally in -O0
Word or phrase for turning the tide against a rival in a competition in the last moments
The falling broom handle
What websites can be protected by an SSL certificate?
Building a phone charger 500 years ago
What are the applications of the Mean Value Theorem?
Convert Unix timestamp to human-readable time
How do I handle a paladin who falls, but wants to choose a different class instead of taking the Oathbreaker subclass?
Simple n-body class in C++
I can be found near gentle green hills and stony mountains
Black hole as a storage device?
Are ^ and _ the only commands in LaTeX not preceded by a backslash?
What is the most life you can have at the end of your first turn with only three cards?
How to write the sum of function inside LaTeX?
Why derailleur guard is present only on more affordable bicycles
What is the physical explanation for energy transport in simple electrical circuits?
How can I tell if I have simplified my talk too much?
Power supply - purpose of the capacitor on the side of the transformer before full bridge rectifier
Best way to get my money back from a friend having family problems
Internals of backup compression with TDE (SQL Server)
How can caller ID be faked?
Can the source of an SMS message be spoofed?How the hacker managed to steal a CNN tech reporter's phone number?Is it possible to make a phone call appear to come from another phone, even to the network provider?Bring your own phone to a (new) job: Consequences?Getting spam calls from numbers similar to my ownCan a telephone caller be authenticated?Accidentally calling a scammerHow advisable is to give my phone number as part of dating/ casually socializing?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
My late brother was contacted by someone on landline number operated by a carrier in Australia and which displayed on caller ID. I traced the number to a company and though they did call him on a number of occasions from this number over a couple of days, they did not make the particular call in question which occurred in the same time frame.
This has left me asking, is it possible someone could hack in and use their telephone number to phone my brother?
The company is a financial services company and they were set up to make outbound calls using various landline numbers programmed into an auto dialler machine or possibly cloud-based phone system. They have been very cooperative and I am confident they did not make the call in question. I have also established the identity of the person who made the call to my brother, but how on earth did he get one of the company landline numbers to show in caller ID? This has me stumped.
phone spoofing
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
|
show 4 more comments
My late brother was contacted by someone on landline number operated by a carrier in Australia and which displayed on caller ID. I traced the number to a company and though they did call him on a number of occasions from this number over a couple of days, they did not make the particular call in question which occurred in the same time frame.
This has left me asking, is it possible someone could hack in and use their telephone number to phone my brother?
The company is a financial services company and they were set up to make outbound calls using various landline numbers programmed into an auto dialler machine or possibly cloud-based phone system. They have been very cooperative and I am confident they did not make the call in question. I have also established the identity of the person who made the call to my brother, but how on earth did he get one of the company landline numbers to show in caller ID? This has me stumped.
phone spoofing
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
8
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
2
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
7
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
1
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
1
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17
|
show 4 more comments
My late brother was contacted by someone on landline number operated by a carrier in Australia and which displayed on caller ID. I traced the number to a company and though they did call him on a number of occasions from this number over a couple of days, they did not make the particular call in question which occurred in the same time frame.
This has left me asking, is it possible someone could hack in and use their telephone number to phone my brother?
The company is a financial services company and they were set up to make outbound calls using various landline numbers programmed into an auto dialler machine or possibly cloud-based phone system. They have been very cooperative and I am confident they did not make the call in question. I have also established the identity of the person who made the call to my brother, but how on earth did he get one of the company landline numbers to show in caller ID? This has me stumped.
phone spoofing
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
My late brother was contacted by someone on landline number operated by a carrier in Australia and which displayed on caller ID. I traced the number to a company and though they did call him on a number of occasions from this number over a couple of days, they did not make the particular call in question which occurred in the same time frame.
This has left me asking, is it possible someone could hack in and use their telephone number to phone my brother?
The company is a financial services company and they were set up to make outbound calls using various landline numbers programmed into an auto dialler machine or possibly cloud-based phone system. They have been very cooperative and I am confident they did not make the call in question. I have also established the identity of the person who made the call to my brother, but how on earth did he get one of the company landline numbers to show in caller ID? This has me stumped.
phone spoofing
phone spoofing
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
edited Jun 15 at 13:07
Rodrigo de Azevedo
2012 silver badges12 bronze badges
2012 silver badges12 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
asked Jun 13 at 3:45
stumpedstumped
2791 gold badge2 silver badges3 bronze badges
2791 gold badge2 silver badges3 bronze badges
8
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
2
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
7
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
1
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
1
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17
|
show 4 more comments
8
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
2
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
7
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
1
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
1
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17
8
8
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
2
2
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
7
7
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
1
1
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
1
1
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17
|
show 4 more comments
7 Answers
7
active
oldest
votes
Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was
- They were fully automated calls
- They never played a message
- They used a different number every time
They detailed her nightmare
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.
They included this quote from a security researcher (emphasis mine)
Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.
I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.
Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
|
show 9 more comments
Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
add a comment
|
The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.
This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
|
show 12 more comments
The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.
(I provide no technical explanation here because the other answers already do a great job of that.)
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
add a comment
|
There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
add a comment
|
Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
add a comment
|
There are three possible methods:
The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.
Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.
The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.
See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/
and: https://www.spoofcard.com/
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same asFrom:spoofing for email).
– R..
Jun 14 at 1:46
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211778%2fhow-can-caller-id-be-faked%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was
- They were fully automated calls
- They never played a message
- They used a different number every time
They detailed her nightmare
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.
They included this quote from a security researcher (emphasis mine)
Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.
I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.
Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
|
show 9 more comments
Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was
- They were fully automated calls
- They never played a message
- They used a different number every time
They detailed her nightmare
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.
They included this quote from a security researcher (emphasis mine)
Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.
I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.
Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
|
show 9 more comments
Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was
- They were fully automated calls
- They never played a message
- They used a different number every time
They detailed her nightmare
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.
They included this quote from a security researcher (emphasis mine)
Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.
I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.
Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was
- They were fully automated calls
- They never played a message
- They used a different number every time
They detailed her nightmare
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.
They included this quote from a security researcher (emphasis mine)
Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.
I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.
Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
edited Jun 14 at 17:01
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
answered Jun 13 at 13:33
MachavityMachavity
3,0381 gold badge8 silver badges25 bronze badges
3,0381 gold badge8 silver badges25 bronze badges
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
|
show 9 more comments
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
13
13
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that.
– Joshua
Jun 13 at 18:21
8
8
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
@Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are)
– Machavity
Jun 13 at 18:29
28
28
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
@Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them).
– Mark
Jun 13 at 19:37
7
7
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
@Mark While that's true, VOIP has made that process a lot harder to track down. In this case here the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult.
– Machavity
Jun 13 at 19:46
4
4
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
@Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless
– MSalters
Jun 13 at 20:50
|
show 9 more comments
Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
add a comment
|
Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
add a comment
|
Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
answered Jun 13 at 3:59
Joseph SibleJoseph Sible
4,3941 gold badge13 silver badges25 bronze badges
4,3941 gold badge13 silver badges25 bronze badges
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
add a comment
|
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
2
2
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
That is supposed to change soon, at least in the US. Also see Caller ID Authentication and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling.
– user29925
Jun 15 at 21:54
add a comment
|
The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.
This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
|
show 12 more comments
The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.
This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
|
show 12 more comments
The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.
This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.
This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
answered Jun 13 at 4:38
Steve SetherSteve Sether
19.3k8 gold badges45 silver badges70 bronze badges
19.3k8 gold badges45 silver badges70 bronze badges
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
|
show 12 more comments
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
22
22
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
"There's good reasons for this." No, there really aren't. Plenty of bad ones, though.
– Mason Wheeler
Jun 13 at 14:43
7
7
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
@MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP.
– Steve Sether
Jun 13 at 15:34
12
12
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
"It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago!
– Mason Wheeler
Jun 13 at 15:39
6
6
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate.
– Mason Wheeler
Jun 13 at 15:40
9
9
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
@MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath.
– Steve Sether
Jun 13 at 15:49
|
show 12 more comments
The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.
(I provide no technical explanation here because the other answers already do a great job of that.)
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
add a comment
|
The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.
(I provide no technical explanation here because the other answers already do a great job of that.)
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
add a comment
|
The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.
(I provide no technical explanation here because the other answers already do a great job of that.)
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.
(I provide no technical explanation here because the other answers already do a great job of that.)
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
answered Jun 15 at 22:50
Curt J. SampsonCurt J. Sampson
2791 silver badge6 bronze badges
2791 silver badge6 bronze badges
add a comment
|
add a comment
|
There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
add a comment
|
There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
add a comment
|
There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
edited Aug 5 at 7:09
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
answered Jun 14 at 12:56
Dmitry GrigoryevDmitry Grigoryev
8,95323 silver badges50 bronze badges
8,95323 silver badges50 bronze badges
add a comment
|
add a comment
|
Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
add a comment
|
Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
add a comment
|
Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
answered Jun 14 at 18:23
Chev_603Chev_603
1477 bronze badges
1477 bronze badges
add a comment
|
add a comment
|
There are three possible methods:
The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.
Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.
The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.
See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/
and: https://www.spoofcard.com/
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same asFrom:spoofing for email).
– R..
Jun 14 at 1:46
add a comment
|
There are three possible methods:
The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.
Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.
The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.
See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/
and: https://www.spoofcard.com/
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same asFrom:spoofing for email).
– R..
Jun 14 at 1:46
add a comment
|
There are three possible methods:
The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.
Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.
The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.
See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/
and: https://www.spoofcard.com/
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
There are three possible methods:
The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.
Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.
The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.
See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/
and: https://www.spoofcard.com/
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
edited Jun 13 at 13:40
schroeder♦
88.2k36 gold badges201 silver badges236 bronze badges
88.2k36 gold badges201 silver badges236 bronze badges
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
answered Jun 13 at 13:16
Hussain AkbarHussain Akbar
11 bronze badge
11 bronze badge
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same asFrom:spoofing for email).
– R..
Jun 14 at 1:46
add a comment
|
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same asFrom:spoofing for email).
– R..
Jun 14 at 1:46
1
1
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same as
From: spoofing for email).– R..
Jun 14 at 1:46
Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same as
From: spoofing for email).– R..
Jun 14 at 1:46
add a comment
|
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211778%2fhow-can-caller-id-be-faked%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
8
"or possibly cloud based phone system" If this is the case, then – presumably – any other company could be using the same cloud-based system, and the land-line number belongs to the cloud company and not the financial services company.
– TripeHound
Jun 13 at 9:22
2
Not a full answer but an interesting listen on a piece that Reply All did about this topic gimletmedia.com/shows/reply-all/awhk76
– VerasVitas
Jun 13 at 17:07
7
Related tidbit from the FCC's website: "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about.
– Davy M
Jun 13 at 18:27
1
Also see Caller ID (CID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID.
– user29925
Jun 13 at 21:52
1
Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late'
– Kami Kaze
Jun 14 at 8:17