Saturday, April 01, 2006

Caller ID Spoofing

Any technology is supposedly designed with good intentions in mind, but no matter how hard you try to enforce that, some people find ways to use it for the wrong purpose.

VoIP is emerging as a very appealing replacement for traditional telephony thanks to its low cost and the features it offers. Being easy to implement in software, the technology has gained a large number of adopters, ranging from corporate users to hobbyists. Open source server software such as Asterisk makes the technology available to an even larger number of users. Nowadays it's easy to become your own 'telco' with only an old computer and a copy of Asterisk.

Unfortunately, some people have used this technology to set up not-so-legal public services that offer anonymous users something very dangerous: the ability to spoof the caller ID. Any non-technical person can open an account with such a caller ID spoofing service and then call any number while appearing to the destination under any identity he chooses.

I'd consider the act of placing a phone call with a false caller ID to be identity theft. Imagine what happens if an attacker calls your bank disguised as you (by using the phone number you registered with the bank as the caller ID). Many financial institutions authenticate users based on their caller ID. But banks are not the only ones that sometimes depend on caller ID; other services rely on it very heavily: 911, voice mail systems, business systems, etc.

While some services may not change the way they operate, the others would be well advised to understand that the caller ID doesn't guarantee the identity of the calling person. In the short run the authorities will probably shut down public spoofing services of this kind, but in the long run the problem should be addressed at the technology level.
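As an added illustration (not part of the original post), here is the difference between a service that treats the caller ID as proof of identity and one that uses it only to look up the account and then requires a PIN. The account data, phone numbers, function names and lockout limit are all constructed for the example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold for this example


def hash_pin(pin, salt):
    """Salted, slow hash so stored PINs are not kept in clear text."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed sample account store keyed by the registered phone number.
SALT = os.urandom(16)
ACCOUNTS = {
    "+15550100": {"owner": "alice", "salt": SALT,
                  "pin_hash": hash_pin("4821", SALT)},
}


def authenticate_by_caller_id(caller_id):
    """Weak: the caller ID is supplied by the calling side, yet it is
    accepted here as the only proof of identity."""
    account = ACCOUNTS.get(caller_id)
    return account["owner"] if account else None


def authenticate_with_pin(caller_id, pin, failures):
    """Hardened: the caller ID only selects the account; a secret the
    caller must know is what authenticates. `failures` maps a number to
    its count of consecutive bad PINs and enforces a lockout."""
    account = ACCOUNTS.get(caller_id)
    if account is None or pin is None:
        return None
    if failures.get(caller_id, 0) >= MAX_FAILURES:
        return None  # locked: needs an out-of-band reset
    candidate = hash_pin(pin, account["salt"])
    if hmac.compare_digest(candidate, account["pin_hash"]):
        failures.pop(caller_id, None)
        return account["owner"]
    failures[caller_id] = failures.get(caller_id, 0) + 1
    return None


if __name__ == "__main__":
    failures = {}
    # A call presenting alice's number, with no knowledge of her PIN.
    print("caller ID only:", authenticate_by_caller_id("+15550100"))
    print("caller ID + wrong PIN:",
          authenticate_with_pin("+15550100", "0000", failures))
    print("caller ID + right PIN:",
          authenticate_with_pin("+15550100", "4821", failures))
```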
