Wednesday, June 13, 2007

3 Ways To Protect Against Caller ID Spoofing

I just got off air from an interview with Bill Hemmer of America's Newsroom on Fox News.

The subject of the interview was "Caller ID Spoofing" and the ease with which hacker sites like SpoofCard enable businesses to be impersonated. Here's a screen shot of what the incoming call looks like - in reality, any name or number can be used:


Bill of course did a great job summarizing the issue in the couple of minutes we had - in fact, when the make-up person came back into the room after watching the spot from outside the studio, she said "wow, that's really scary."

And of course, she's right. Caller ID is something we've come to trust, and now the sad fact is we can't trust caller ID anymore. Like an email address, caller ID is so easily spoofed that it has no value as an authentication technology: in fact, your caller ID is more of a liability these days - if a hacker has this, they can use it to pretend to be you at financial institutions like Western Union that still believe in this technology.

Anyway, in case you missed the spot, the experts here at Authentium suggest you take the following steps to avoid having your identity, or your voice mail, compromised as the result of someone using a spoofed caller ID.

Recommendation 1: PIN or Password-Protect Your Voice Mail

Many cell phone operators, including T-Mobile and ATT, use caller ID as the authenticating mechanism for voice mail. Users of sites like SpoofTel and SpoofCard know this (including, apparently, Paris Hilton, who was blacklisted by SpoofCard for unauthorized activity related to this kind of thing) , and will use your number to call and listen to your voice mail.

The cost to them? Around $0.07 a minute. That's what FoneGanster, another site, was charging for a hundred minute card this morning when I took a look.

Recommendation 2: If You *Must* Provide Information Over the Phone, Only Provide This Information to Someone You Know

The easiest way to remove the possibility of caller ID-related crime is to *know* someone at every place you do business, and know them well enough so you can recognize their voice on the phone.

That way, if you absolutely *need* to share personal information over the phone, you will be able to do so - or at least be able to call and check if the request that has been made is legitimate.

Recommendation 3: Do Not Call Phone Numbers in Emails Claiming to be from Banks or Other Corporations, Even If The Email is Addressed to You Personally

One of the emerging phishing strategies is the combining of phishing and marketing technologies, such as mail merge, with automated voice response technologies. In these scams, a number is included in the email for you to call.

Don't call these numbers. Ever. Hackers are increasingly making use of AVR approaches ("please enter your credit card number you're calling about, followed by the phone number associated with this account") that sound real, but are designed to steal the four things they covet most - your name, your social security number, your credit card, and your phone number.

5 comments:

Expert said...

Good advice, most seem to be quite obvious - especially the last one, but it has to be said seeing as how the scammers would stop baiting and phishing if it didn't work on anyone.

Andrew said...

However, can't one use ANI for authentication as it can't be spoofed nearly as easily?

Isn't that the reason credit card numbers always use 1800 numbers - to ensure they get ANI data and not the callerID data?

Swimwatch said...

It seems ludicrous not to password-protect your voicemail, but in practice it can be tempting. The extra few minutes - or seconds, infact - that it takes to input your password seem annoying; however, the alternative is far less attractive.

As far as manipulating caller-ID goes, I had no idea this was possible. It frustrates the hell out of me to see "Blocked ID" appear when my phone rings; would you show up at my house in a mask and knock on the door, refusing to identify yourself but demanding to talk to me?

Perhaps you would. But it's rude and scary nonetheless.

Unknown said...

Seems like SpoofTel, SpoofCard et al should be shutdown by FBI. What else do these sites do but enable criminal fraud?

djpaisley said...

Caller Id never works anyways...