Caller ID Spoofing for the Masses 286
lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"
Somebody will figure it out (Score:5, Insightful)
I am not a proponent of bigger government but I think that this is something that should be made illegal. Communication is too important to our society. It's one thing to block your I.D., it's a whole 'nother thing to falsify it.
It is most likely a mistake for them to boast of their annonymity. Someone will figure out who they are and I am betting that more than intrepid hacker will take down Camophone's website repeatedly.
We should keep track of this one for a while, it should get real interesting.
Re:Somebody will figure it out (Score:5, Interesting)
Re:Somebody will figure it out (Score:2, Insightful)
It has always been pretty easy to do this from a PBX, now it's just open to the masses.
Re:Somebody will figure it out (Score:3, Insightful)
What amazes, and pleases, me is that so many of the people I don't want to answer the phone for withhold their number. If they gave the real number I might answer, but if they withhold it I don't (at least not outside office hours).
Re:Somebody will figure it out (Score:3, Insightful)
The ultimate Joe-Job (Score:3, Insightful)
Word spreads, and Big Name Legitmate Charity's contributions dry up.
Don't talk to strangers (Score:5, Interesting)
Re:Somebody will figure it out (Score:2)
Re:Until a few years ago, it pretty much WAS good (Score:5, Funny)
They're already using the email. Why, just the other day, I received a message from Citibank telling me that they needed to re-verify my identity. They even provided a really easy-to-access web site for me to enter my card number and personal information, no sweat. The really cool thing is that I don't even have a Citibank card yet. Talk about proactive!
Re:Until a few years ago, it pretty much WAS good (Score:3, Interesting)
Re:Somebody will figure it out (Score:3, Insightful)
Sure... a bank account number is a grrreat piece of evidence. They have to access the funds somehow, either electronically so it can be transfered or applied as a bill payment to something, or physically get access. Those provide all sorts of great opportunities to track down the bastards ;)
That evil DMCA thing might be a
Re:Somebody will figure it out (Score:3, Insightful)
Re:Somebody will figure it out (Score:3, Insightful)
Otherwise, I agree with your statement. Providing false information does trample on my rights.
Re:Somebody will figure it out (Score:5, Insightful)
A lot of people seem to feel that way, which is why the constitution is in tatters.
One of the prices of freedom is that other people get to have it, too.
Re:Somebody will figure it out (Score:3, Interesting)
It may be harder than you think. If I have a T1 between offices and use toll bypass, I may want 713-555-1212 coming out of 214-123-4567 so that they can reach me back properly. I may want to have different numbers for outgoing call centers from incoming call centers, and they may be in different parts of the country.
It would be technically trivial for phone companies to fix the problem, but many large companies would be very
do this for free (Score:5, Informative)
Re:do this for free (Score:5, Insightful)
Re:do this for free (Score:2)
Re:do this for free (Score:4, Interesting)
CID, yes. ANI? Are you sure?
Since ANI is used for billing purposes, including 900 numbers, I highly doubt any telco allows it to be modified.
Camophone sets CID, but the ANI is the number of the line that belongs to Camophone. (Or whomever their telco provider is)
Given that, it really really surprises me that anyone bases security on CallerID. I just successfully broke into my own t-mobile voicemail box using camophone, since I have the feature set so i don't have to dial my password if i'm calling from "my own phone."
I also have a sprint phone, and I haven't been able to get in there, yet, but I don't know their voicemail system direct number, so I can't be sure. (I had to use the direct access number for tmobile to get the hack to work on them)
I would HOPE that creditcard activation systems use ANI, not CID.
How soon before ordinary plebes will be able to get ANI on their incoming calls? Or a new service that lets you forward your calls to an ANI-detection center that then places ANI on CID and sends the call back to you!
I see some Sneetches whose bellies have stars...
Re:do this for free (Score:3, Insightful)
No, they usually don't. They usually use the CPN (Calling Party Number), which is not
Like you said, ANI is the Telco's billing number, it is just usually the same number at yours.
Re:do this for free (Score:3, Informative)
> CID, yes. ANI? Are you sure?
>
> Since ANI is used for billing purposes, including 900 numbers, I highly doubt any telco allows it to be modified.
I have a 23-channel PRI here from a local CLEC (utilizing it for inbound local DID numbers and toll-free DNIS numbers as well as outbound calls) who lets us not only stuff our own CID, but sends that as the ANI as well. Not sure if they even know they're doing this, although we have a pretty good standing business relationship with them, and we have
Re:do this for free (Score:3, Funny)
Re:do this for free (Score:5, Funny)
we were setting it up, messing around and forgot to set it to the company information after we put it online.
The Director of sales was, for some strange reason, not amused.
Re:do this for free (Score:3, Funny)
we were setting it up, messing around and forgot to set it to the company information after we put it online.
The Director of sales was, for some strange reason, not amused. "
That explains why the salesman refused to talk dirty to me. I thought it was just an agressive 976 campaign.
Re:do this for free (Score:5, Funny)
The hackers in my company were not given any test data to work with (of course) in a particular web app we were building, which had (among other features) an online events calendar.
So, the hackers would make up data themselves. Which led to some fairly off-colour events being entered into the events calendar database.
At a client acceptance meeting, the project manager demonstrated a "show all events through the web" feature and was presented with (among other things) a "baby raping festival".
We were given a policy on test data creation after that.
Cheers,
Richard
Re:do this for free (Score:4, Funny)
That's because all Monkey Touching at the corporate level is strictly reserved for sales people and other wankers.
But, if *I* had call display, I'd certainly be intrigued by such an item displayed on an incoming call.
Re:do this for free (Score:5, Informative)
Doesn't Work (Score:5, Informative)
I got to file my first Paypal dispute claim!
Seriously though, the website is just text and there's no contact info for anything.
Scam.
Re:Doesn't Work (Score:2)
Err.. I've got this bridge for sale..
Re:Doesn't Work (Score:2)
I'm not concerned about the five bucks, but if Paypal can get it back then more power to them.
Take off the tinfoil cover off your checkbook.
Re:Doesn't Work (Score:2, Funny)
Re:Doesn't Work (Score:3, Interesting)
Re:Doesn't Work (Score:2)
Re:Doesn't Work (Score:2)
Re:PayPal (Score:3, Insightful)
Oh no! (Score:5, Insightful)
It's just a web-site (Score:4, Funny)
Or /. it!
Re:It's just a web-site (Score:3, Informative)
Re:It's just a web-site (Score:2)
Not that most people don't loop over the same problem continuously, however step 5 was lost to the Slashdot 120-character limit for sigs.
Did Camophone get advance notice? (Score:5, Interesting)
I have a feeling they'll withstand the slashdotting.
Telemarketing (Score:5, Interesting)
In Soviet Russia... (Score:4, Funny)
Re:Telemarketing (Score:2)
Interesting you mention bellsouth (Score:2)
It's not that simple... (Score:2)
Let 'em try faking Caller ID -- it just raises the bar a little. The appropriate countermeasure is a challenge/response scenario where authorized callers have a PIN number and the rest go to voice mail. I can't wait to see how much the telcos enjoy losing their Caller ID revenue stream when people get annoyed wit
Re:It's not that simple... (Score:2)
I'm sure they won't mind too much as long as they can sell you, in its place, the PIN-authentication scheme you propose. You don't think they'll offer such a service for free, do you? ;)
Re:It's not that simple... (Score:2)
How long until someone puts all that in a cheap appliance (say a cordless phone base) so that the base screens calls and only rings the handsets if the caller is authorized? Or do they have that now?
GTRacer
- First patent!
Telco nightmare: Caller ID obsolete (Score:2)
The ultimate telco nightmare is when commodity hardware replaces network-based services. If the telcos don't defend the integrity of Caller ID, the problem will be solved without their participation.
Re:Telemarketing (Score:2)
Hell, even my local state senator came up as "Unknown" on the five, yes five, times I've been called in the last eight days by her campaign.
Telemarketers I can see hiding their identity because they are the scum of the Earth but isn't the purpose of campaigning to get your name before the masses?
Hell, I'm voting for her apponent anyway. Of course as a political campaign
Re:Telemarketing (Score:2)
Re:Telemarketing (Score:2)
Glad (Score:5, Insightful)
My cell phone doesn't even require a password to get to my voicemail because it uses caller id. Every credit card I've activated required me to call from my home number, verifying it with caller id. When I order pizzas, they verify I am who I say I am with caller id.
It is ridiculous and is worthless as an authentication mechanism. Its only use is a convienience, to decide if you want to answer the phone. Lesson: don't rack up bills you can't pay
Anyway, it's always nice to have another way to screw with your friends' minds.
Re:Glad (Score:5, Informative)
CallerID is spoofable, but ANI info is not. Any time you call an 800 number (or 888, or 877, or any of the other variants that are out now) your info is sent prior to the first ring. This is ANI (Automatic Number Identification? It's been a while. I'm sure someone will correct me if I've got it wrong
CallerID, on the other hand, can be enabled or disabled, and can be spoofed.
Easy way to remember -- who's paying for the call? If it's you, then it's callerID. If it's the other guy, then it's ANI.
--
So give me that... (Score:2)
So I want the ANI info in my CallerID line. Why is this hard, or why are the Baby Bells unwilling to do it? They could sell "CallerID+" for an extra $2 per month.
Interestingly enough, VOIP may be the only way to authenticate callers reliably (in some future iteration with something like Domain Keys in SIP, perhaps). I bet a VOIP provider would be more willing to provide ANI information. Heck, maybe it'll spur adoption.
Re:So give me that... (Score:3, Informative)
Because they didn't create a way to do it that was backwards-compatible.
CallerID is sent as 1200baud FSK between the first and second rings. ANI is, for E&M trunk lines, sent as DTMF codes by the phone switch, or for BRI/PRI trunks, sent digitally with the other call connection information. DTMF incurs a significant connection delay - sending ANI plus DNIS (dialed number identification service,
Re:Glad (Score:2)
You missed the point (Score:2)
He's glad because the more wide-spread CallerID spoofing is the less people will rely on it for authentication. Since it's not reliable authentication, if you desire reliable authentication this is a good thing.
It's like a social security # - we really ought to just give this out to every body freely at this point as a national ID
Re:Glad (Score:2)
Also, apparently I know nothing about how the US telephone system works, because I see people talking about ANI and SS7 elsewhere and I don't know what they're talking about.
Maybe it is more secure than I perceive.
Chris
What's there to lose? (Score:4, Funny)
Re:What's there to lose? (Score:2)
Re:What's there to lose? (Score:3, Funny)
Phone Call From: (Score:2)
Hey the caller ID says Oliver Klozoff...
Re:Phone Call From: (Score:2)
Creepy! (Score:4, Funny)
So which one of you smartasses is messing with me?
Doesn't work (Score:2)
OpenVoIP (Score:3, Insightful)
Re:haven't been monolithic for a decade (Score:3, Informative)
VoIP is
Can't wait.. (Score:4, Funny)
Re:Can't wait.. (Score:2, Interesting)
Needless to say the radio contests like "Beat Mehoff!" and "Can you jack Mehoff?" where widely considered rude until they found out that that was his real name and to get a life.
It was still nice to see "Mehoff the intern" become Jack Mehoff the DJ.
Asterisk, Nufone and PHP... (Score:4, Interesting)
A simple php script will dump a callfile [voip-info.org] into
Then all you need to do is write something to manage user accounts, and accept paypal payments and bam. You've got camophone.com.
This whole configuration could probably be whipped up in a day.
I also signed up... (Score:5, Informative)
However, even though their FAQ said it would be ready in 30 seconds, my account still shows zero minutes. Don't know if that's because PayPal takes a while to do the transfer, but I wasn't about to use a credit card with them.
For what it's worth, their "Privacy Guard" service page looks like this:
Camophone.com Home | Login to Privacy Guard | Frequently Asked Questions | Signup for Service
Logged in: das
Time Remaining in Seconds: 0
Time Remaining in Minutes: 0
Recharge Account
Enter all phone numbers without a leading "1" and with no dashes or spaces. Example: 9095551212
Caller ID must be ten digits to be passed properly through the telephone network. When the system calls you, the caller ID you set will be sent to you as well.
number to call [recipient]: (format: NPANXXXXXX)
your number [caller]: (format: NPANXXXXXX)
caller ID to send:
Service DOES NOT WORK (Score:3, Interesting)
It did indeed show my account credited with 100 minutes.
But the service did not work.
I *really* *don't care* about the $10 I've now wasted; just wanted to see if it worked or not.
Anyway, there ya go.
Re:I also signed up... (Score:2)
That PayPal don't make this clear to you is a small demonstration of how much they suck.
Doesn't say anything about Linux support.... (Score:2)
Here... (Score:2)
Spoof Caller ID From Home? (Score:4, Interesting)
Of course, there is a very cool software version of this tool: Software Orange Box, here [artofhacking.com]. You enter in the caller ID details you want to spoof, and it generates the phone tones that transmit that data, which you can then play thru your speakers and to the phone, or connect directly to the phone for better results.
Again, it's not a great spoofer, but it is pretty cool to mess around with.
this is *the* faq on orange boxing [artofhacking.com].
-------------
Rate free iPod offers: RateTheOffers.com [ratetheoffers.com]
(Flat screens and Desktop PCs too)
When this works ''for real'' CID will die (Score:3, Interesting)
You'll also see political pressure to regulate such services, mostly from the telcos who see revenue from CID drying up. Eventually, I think a compromise will be reached:
You'll be allowed to spoof your ID, provided it's from a non-existant # or a # you have permission to use. There will also be a legal requirement to keep logs so the police or civil courts can issue subpeonas.
Under such rules, people who want true anonymity will be forced to use international versions of this service which will show up as "out of area" or as an international #, or break the law.
Lack of traceability is the problem. (Score:3, Insightful)
The ISP community has long had Acceptable Use Policies which forbid certain things (such as sending out spam). This is because when I get spam, I can fairly easily identify where it came from with the help of traceroute and whois, and its in the interest of the ISP not to have problem customers.
Unfortunately there is no way for me to trace the provider behind that sales call with the caller-id of my mother's phone, short of obtaining a court order. Thus, there is no incentive whatsoever for the phone companies to enforce caller-id. If phone providers provided the ability to trace the call (hopefully voluntarily, or even by law), this would not be an issue.
Traceability is what we need, that's all. Caller-id faking should be legal. But more likely what will happen is the lawmakers will make caller-id spoofing punishable by death and declare this a non-issue.
don't like who's calling..? (Score:3)
or. ever try screening with an answering machine..? that works well too!
When fancier technology doesn't do a better job (Score:3, Interesting)
Honestly, it's much simpler and cheaper than constantly trying to "one up" the next technological doohickey.
Just my Luddite $.02
blue
A horrible idea, real experience... (Score:5, Interesting)
Folks, I'm all for cool technology, and I realize one can spoof caller id information. But caller ID can be a very good thing. I know...
Three years ago I had the very unpleasant surprise of finding out my (ex) wife was having an affair. Unfortunately, she had also decided on using tactics designed to ensure her utter victory in the divorce. She'd actually purchased books (I saw them), giving her advice on dirty divorce tactics - "Divorce War! 50 Strategies Every Woman Needs to Know to Win." Apparently, one of the recommended strategies was to call your ex and try to drive him nuts - hopefully he'll say something nasty and you'll be able to bring it up in court, etc.
Well, I realized what she was doing once I started getting anonymous calls at 2:00 - 3:00 AM. Strange, nasty stuff, weird messages. Technology was actually useful - the caller ID information allowed me to get a pretty damn good idea of who was calling. (Hint would-be-nasty-callers: remember to hit *69 before you call!). The police thought it was fun, too. Caller ID and outright stupidity saved the day.
Look, in my case I wasn't directly threatened. it was cruel, it was viscous, it was nasty. But I was never in any danger. However, what if it had been something dangerous? When one's depressed, your willing to listen to anything - and when you see the ID comes out as "Police" or "Crisis Center" - you could be lured into a bad situation. This is real folks - stalkers are out there, I've seen and heard it.
All technology can be abused, I know that. But in this case, let's try to prevent a service which provides fundamental identification information from being turned into something potentially dangerous.
Incidentally, she pretty much wiped me out. Bummer. But all in all, it was for the best...
Re:A horrible idea, real experience... (Score:5, Insightful)
#1 - never EVER meet her without a witness. period. No excuses, nada...
#2 - get a telephone recording device and install it. RECORD EVERY phone call. get in the habit of saying first thing. I am recording this.... if your state requires it, in michigan only one person in the conversation has to know it... you.
#3 - at the first sign of things going wrong, get a GOOD lawyer, one that is specific to helping men in divorce, or the best lawyer in town. This is the best thing to do. Do not give her any money, have it go through the lawyers only and only if ordered to by a judge or advise to by the lawyers.. why do you want to finance her fight against you? you need an audit trail. I went the expensive route hiring the best lawyer in town... I ran and controlled the divorce. Secondly, if you file for it first, you are in the drivers seat.... beat her to the punch.
#4 - document everything... absolutely everything. keep a logbook and write down everything that happen's and everything you notice.
Finally, if you are going to hide assets, dont. if you did not liquidate things the second you thought things were getting a little wierd and before she/you left then you are breaking the law... The judge will fry your ass hard if you try to hide assets.
Lastly you need to keep your nose clean. be perfect for the next year as things progress. act like you are being watched, (you might be) followed, (you might be) or recorded (you probably are). DO NOT be vengeful. this is the time to be the mature adult... if friends offer to do things tell them loudly "NO! are you crazy!" having them replace her taillights with burned out bulbs when she goes to the bar, let's air out of tires, puts a I hate F**king cops bumpersticker on her car and other things is a very bad idea. do not be a part of it and do NOT be connected to it.
Finally prank calls using this spoofing service is also stupid. it is not worth it to lose over something stupid.
I'll probably get modded offtopic, but if I can help a fellow guy from getting screwed hard by his soon-to-be ex.... then the points are certianly worth it.
Re:A horrible idea, real experience... (Score:2)
Re:A horrible idea, real experience... (Score:2, Informative)
And if she's really crazy, have your friend bring a video camera to any meetings. You never know...
Re:A horrible idea, real experience... (Score:3, Interesting)
#5 - Know your enemy.
Pay attention to your ex behavior towards you, towards friends, towards business entities. This goes a long way to predicting her tactics. While we were married my ex used to brag of manipulating public welfare - it was a foreshadowing to her manipulating the divorce system. She used to take joy in "getting even" with friends who stiffed her, then she predictably
It's Too Easy... (Score:5, Informative)
I have a calling card that I got through WalMart. The caller ID comes up as Denver, CO. I live in PA. This is via my cell or my land-line...
Sheesh (Score:2)
Man, I gotta get cracking on a way to soak some cash out of you paranoia wonks.
NOW FOR SALE! High tech voice masking system. Scrambles the tone of your voice so not even your own grandmother will know it's you! And you can't trust her! Oh, no! You know she's watching you with nanocameras in your colon and reporting your every move to the Library Of Congress!
The Voice Scrambler 7000 is constructed of genuine Corintian leather. Just wrap arou
Re:Sheesh (Score:2)
*67 is usually block the next caller -- though I'm seeing VoIP providers, for whatever reason, use *67 to block ALL calls, but I digress.
You may block caller-id, but there's a few problems. If you call my 800# I get your ANI information which is completely different. If you call my regular [VoIP] number and block caller-id your phone number [at a minimum] is still transmitted, but simply flagged as "P"rivate (which I have my equipment set to ignore).
$.05 per minute? (Score:2)
If you just want to hide your number... (Score:3, Informative)
I use OneSuite [onesuite.com] as my long distance service because their rates are excellent. Caller ID from OneSuite shows up as either Unknown or some random out of state number.
Login (Score:2, Interesting)
user: test
pass: test
No cash on the account, but fyi.
SS7 - ANI (Score:5, Informative)
There is actually two types of calling number identification one being the popular Caller ID which as we know can be manipulated and blocked and the other being ANI or Automatic Number Identification which the user has no (or minimal) control over. Caller ID is used for the little displays on your phone and can have a flag set to block it, as well as define what number displays usually on outbound or two way trunks for use with DID (Direct Inward Dialing).
The reason the phone companies allow you to set your outbound caller ID is so when you are using DID, you can have people reach you back directly instead of thru the companies generic number. Now a little bit of background on DID: Mid and large sized companies use DID for everything, it's how everyone has a seperate phone number or fax number on their desk. It would be uneconomical for the businesses to bring in a seperate phone line for everone in the office, so they share them. So say for example a company with 100 employees would have a block of 100 phone numbers, but only 23 incoming phone lines, any number can come in on any one of those phone lines and the company's PBX determines which desk to route the call to. Pretty simple. So when an employee wants to make a call, again he can use any phone line, and the PBX sets the outbound caller ID to his real number so it's easy for people to call him back. Some phone companies limit you to what Caller ID data you can send them, (which makes sense that you can only have outbound Caller ID on numbers that are in your block.)
ANI always knows the calling trunk, and location. It's what's used for credit card verification, 911, etc. You can't block it and usually can't set it. ANI is transmitted (amongst other things) over SS7, which is basically an out of band protcol (which actually does carry caller ID too) that is used between switches. Few companies have phone systems that speak SS7, or a link into the SS7 network for that matter, it's just not useful. Phone companies would crack down pretty hard on fake SS7 info, because they could loose money on billing.
So in summary, Caller ID - not secure, ANI - A little more secure.
How to circumvent ANI (Score:4, Interesting)
Does anyone else think this is lame? (Score:4, Interesting)
Doesn't this just seem rather weak? It's only fun for about 5 minutes and has been around forever. For me, it's like the equivilent of spoofing smtp headers. MAN, THAT WAS FUN IN 1994...
I guess I'm just getting old and bitter.
Tried the server, here's the results (Score:4, Interesting)
1) Payment by paypal only (no problem for me)
2) Service then lets you log in, but it's not secure (no encryption, wth!) so choose a temp password that you wouldn't mind someone stealing
3) You enter the "target" number, your number then 10 digit caller ID string
4) As soon as you hit submit, it does call you, calls the other number and bridge them together.
5) But!! The caller ID string does not work. I've tested this with several land line phones, cell phones, etc. I always show up as "unknown".
Conclusion:
Allows bridge calls but does not produce the caller ID string you put in. So this service is a bust in my opinion.
Case closed
Re:Legitimate use? (Score:2)
Re:Legitimate use? (Score:2)
Re:Legitimate use? (Score:2)
Gettting back at Nigerian Scammers [slashdot.org] of course!
Re:emergency services is gonna love this (Score:2, Informative)
Re:Long Distance capable??? (Score:2)
RTF article summary? It's not free, it's 5 cents a minute.