From Wikipedia, the free encyclopedia - View original article
Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. For example, a Caller ID display might display a phone number different from that of the telephone from which the call was placed. The term is commonly used to describe situations in which the motivation is considered malicious by the speaker or writer.
Caller ID spoofing has been available for years to people with a specialized digital connection to the telephone company, called an ISDN PRI circuit. Collection agencies, law-enforcement officials, and private investigators have used the practice, with varying degrees of legality.
The first mainstream Caller ID spoofing service, Star38.com, was launched in September 2004. Star38.com was the first service to allow spoofed calls to be placed from a web interface. It stopped offering service in 2005, as a handful of similar sites were launched.
In August 2006, Paris Hilton was accused of using caller ID spoofing to break into a voicemail system that used caller ID for authentication. Caller ID spoofing also has been used in purchase scams on web sites such as Craigslist and eBay. The scamming caller claims to be calling from Canada into the U.S. with a legitimate interest in purchasing advertised items. Often the sellers are asked for personal information such as a copy of a registration title, etc., before the (scamming) purchaser invests the time and effort to come see the for-sale items. In the 2010 election, fake caller IDs of ambulance companies and hospitals were used in Missouri to get potential voters to answer the phone. In 2009, a vindictive Brooklyn wife spoofed the doctor’s office of her husband’s lover in an attempt to trick the other woman into taking medication which would make her miscarry.
Frequently, caller ID spoofing is used for prank calls. For example, someone might call a friend and arrange for "The White House" to appear on the recipient's caller display. In December 2007, a hacker used a Caller ID spoofing service and was arrested for sending a SWAT team to a house of an unsuspecting victim. In February 2008, a Collegeville, Pennsylvania man was arrested for making threatening phone calls to women and having their home numbers appear "on their caller ID to make it look like the call was coming from inside the house."
In March 2008, several residents in Wilmington, Delaware reported receiving telemarketing calls during the early morning hours, when the caller had apparently spoofed the Caller ID to evoke the 1982 Tommy Tutone song "867-5309/Jenny." By 2014, an increase in illegal telemarketers displaying the victim's own number, either verbatim or with a few digits randomised, was observed as an attempt to evade caller ID-based blacklists.
In the Canadian federal election of May 2, 2011, both live calls and robocalls are alleged to have been placed with false caller ID, either to replace the caller's identity with that of a fictitious person (Pierre Poutine of Joliette, Quebec) or to disguise calls from an Ohio call centre as Peterborough, Ontario domestic calls. See Robocall scandal.
In June 2012, a search on Google returned nearly 50,000 consumer complaints by individuals receiving multiple continuing spoofed Voice Over IP (VoIP) calls on lines leased / originating from “Pacific Telecom Communications Group” located in Los Angeles, CA (in a mailbox store), in apparent violation of the FCC. Companies such as these lease out thousands of phone numbers to anonymous voice-mail providers who, in combination with dubious companies like “Phone Broadcast Club” (who do the actual spoofing), allow phone spam to become an increasingly widespread and pervasive problem. In 2013, the misleading caller name "Teachers Phone" was reported on a large quantity of robocalls advertising credit card services as a ruse to trick students' families into answering the unwanted calls in the mistaken belief they were from local schools.
On January 7, 2013, the Internet Crime Complaint Center issued a Scam Alert for various telephony denial of service attacks by which fraudsters were using spoofed caller ID to impersonate police in an attempt to collect bogus payday loans, then placing repeated harassing calls to police with the victim's number displayed. While impersonation of police is common, other scams involved impersonating utility companies to threaten businesses or householders with disconnection as a means to extort money, impersonating immigration officials or impersonating medical insurers to obtain personal data for use in theft of identity. Bogus caller ID has also been used in grandparent scams which target the elderly by impersonating family members and requesting wire transfer of money.
In the past, Caller ID spoofing required an advanced knowledge of telephony equipment that could be quite expensive. However, with open source software (such as Asterisk or FreeSWITCH, and almost any VoIP company), one can spoof calls with minimal costs and effort.
Some VoIP providers allow the user to configure their displayed number as part of the configuration page on the provider's web interface. No additional software is required. If the caller name is sent with the call (instead of being generated from the number by a database lookup at destination) it may be configured as part of the settings on a client-owned analog telephone adapter or SIP phone. The level of flexibility is provider-dependent. A provider which allows users to bring their own device and unbundles service so that direct inward dial numbers may be purchased separately from outbound calling minutes will be more flexible. A carrier which doesn't follow established hardware standards (such as Skype) or locks subscribers out of configuration settings on hardware which the subscriber owns outright (such as Vonage) is more restrictive. Providers which market "wholesale VoIP" are typically intended to allow any displayed number to be sent, as resellers will want their end user's numbers to appear.
In a rare few cases, a destination number served by voice-over-IP is reachable directly at a known SIP address (which may be published through ENUM telephone number mapping, a .tel DNS record or located using an intermediary such as SIP Broker). Some Google Voice users are directly reachable by SIP, as are all iNum Initiative numbers in country codes +883 5100 and +888. As a Federated VoIP scheme provides a direct Internet connection which does not pass through a signaling gateway to the public switched telephone network, it shares the advantages (nearly free unlimited access worldwide) and disadvantages (vulnerability to spam and abuse, including bogus header info) as e-mail or many other standard Internet applications.
Some spoofing services work similarly to a prepaid calling card. Customers pay in advance for a personal identification number (PIN). Customers dial the number given to them by the company, their PIN, the destination number and the number they wish to appear as the Caller ID. The call is bridged or transferred and arrives with the spoofed number chosen by the caller — thus tricking the called party.
Many providers also provide a Web-based interface or a mobile application where a user creates an account, logs in and supplies a source number, destination number and the bogus caller ID information to be displayed. The server then places a call to each of the two endpoint numbers and bridges the calls together.
Another method of spoofing is that of emulating the Bell 202 FSK signal. This method, informally called orange boxing, uses software that generates the audio signal which is then coupled to the telephone line during the call. The object is to deceive the called party into thinking that there is an incoming call waiting call from the spoofed number, when in fact there is no new incoming call. This technique often also involves an accomplice who may provide a secondary voice to complete the illusion of a call-waiting call. Because the orange box cannot truly spoof an incoming caller ID prior to answering and relies to a certain extent on the guile of the caller, it is considered as much a social engineering technique as a technical hack.
Other methods include switch access to the Signaling System 7 network and social engineering telephone company operators, who place calls for you from the desired phone number.
Telephone exchange equipment manufacturers vary in their handling of caller name display. Much of the equipment manufactured for Bell System companies in the United States sends only the caller's number to the distant exchange; that switch must then use a database lookup to find the name to display with the calling number. Canadian landline exchanges often run Nortel equipment which sends the name along with the number. Mobile, CLEC, Internet or independent exchanges also vary in their handling of caller name, depending on the switching equipment manufacturer. Calls between numbers in differing country codes represent a further complication, as Caller ID often displays the local portion of the calling number without indicating a country of origin or in a format that can be mistaken for a domestic or invalid number.
This results in multiple possible outcomes:
According to a report from the India Department of Telecommunications, the Government of India has taken following steps against the CLI spoofing Service Providers:
In the U.K., the spoofed number is called the "presentation number". This must be either allocated to the caller, or if allocated to a third party, it is only to be used with the third party's explicit permission.
Caller ID spoofing is generally illegal in the United States if done "with the intent to defraud, cause harm, or wrongfully obtain anything of value". The relevant federal statute, the Truth in Caller ID Act of 2009, does make exceptions for certain law-enforcement purposes. Callers are also still allowed to preserve their anonymity by choosing to block all outgoing caller ID information on their phone lines.
A detailed discussion of the legislative process that gave rise to the applicable law now follows.
On April 6, 2006, Congressmen Eliot Engel (D-N.Y.) and Joe Barton (R-Tex.) introduced H.R. 5126, a bill that would have made caller ID spoofing a crime. Dubbed the "Truth in Caller ID Act of 2007", the bill would have outlawed causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement was exempted from the rule. Three weeks later, an identical bill was introduced in the Senate. On June 6, 2006, the House of Representatives passed the Truth in Caller ID Act, although no Senate action was taken on either the House or Senate bill. At the end of the 109th Congress, the bill expired (all pending legislation not voted into law at the end of the House term, a.k.a. end of a session of Congress, is dead).
On January 5, 2007, Congressman Engel introduced H.R. 251, and Senator Bill Nelson (D-Fla.) introduced a similar bill (S.704) two months later. On June 27, 2007, the United States Senate Committee on Commerce, Science and Transportation approved and submitted to the Senate calendar S.704, a bill that would have made caller ID spoofing a crime. Dubbed the "Truth in Caller ID Act of 2007", the bill would have outlawed causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement was exempted from the rule. Engel's bill passed in the House of Representatives. Nelson's bill was referred to the same Senate committee that approved S.704. The Senate again passed neither version of the legislation.
In the 111th Congress, Congressman Engel and Senator Nelson once again introduced similar versions of the Caller ID legislation, H.R. 1258. The bill was reintroduced in the Senate on January 7, 2009, as S.30, the Truth in Caller ID Act of 2009, and referred to the same committee. The Senate and the House both passed their respective versions of the legislation, but on December 15, 2010 the House passed S.30 and sent the legislation to the President for a signature. On December 22, 2010, President Obama signed the bill into law.
Under the act, which also targets VOIP services, it is illegal "to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value...." Forfeiture penalties or criminal fines of up to $10,000 per violation (not to exceed $1,000,000) could be imposed. The law maintains an exemption for blocking one's own outgoing caller ID information, and law enforcement isn't affected.
|This section possibly contains original research. (January 2014)|
Some parties have maintained that there are sometimes legitimate reasons for modifying the caller ID sent with a call, but there is little consensus about many of these. Some of the arguments offered in favor of the practice follow below.