Don’t Trust Caller ID — It Can Be Easily Forged

We’re hearing several reports that phishers are starting to misuse the telephone network. Some wags are calling this vishing (voice phishing).

The reason that email phishing is such a threat is that the forged messages are so plausible. Most of us now know that email can be routinely forged, so phishing via email is starting to lose its bite.

There are two main telephony threat vectors used by criminals to empty customers’ bank accounts:

  1. Calling bank customers, pretending to be the bank, trying to steal passwords and other information.
  2. Calling the bank, pretending to be the customer, trying to change addresses, passwords, and other credentials.

In both cases, the phishers are forging Caller ID, which adds to their credibility. In one report that we heard this week, a customer discovered that his credit card billing address had been changed in order to facilitate fraudulent transactions. On investigation, the card issuer protested that the customer must have changed the address himself, as the phone call requesting the change came from his home phone number.

Unfortunately, this trust in Caller ID is badly misplaced — Caller ID is trivially easy to forge. There is no significant security preventing injection of false Caller ID into the phone network. Indeed, many legitimate businesses routinely inject "forged" Caller ID into outgoing calls — e.g., so that if customers call back, the call is routed to the correct department, not to a site operator.

Richi Jennings
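The billing-address incident described above can be caught in review of call-centre records. The following is an added example, not code from the original post: it audits constructed records for sensitive changes that were approved with no real authentication, treating a Caller ID match as an unverified claim. The record fields, action names and factor names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical action names: changes that let someone redirect an account.
SENSITIVE_ACTIONS = {"change_address", "reset_password", "change_phone"}
# Hypothetical factor names: evidence that actually authenticates the caller.
STRONG_FACTORS = {"callback_to_number_on_file", "otp_to_registered_device",
                  "account_password"}


@dataclass(frozen=True)
class CallRecord:
    call_id: str
    action: str
    caller_id_matched: bool   # presented number equals the number on file
    factors: frozenset        # evidence the agent recorded during the call
    approved: bool


def authenticated(rec):
    """True only if a strong factor was recorded.

    caller_id_matched is deliberately ignored: the calling party can set it.
    """
    return bool(rec.factors & STRONG_FACTORS)


def audit(records):
    """Return (call_id, action, reason) for approved sensitive changes
    that had no strong factor behind them."""
    findings = []
    for rec in records:
        if rec.action in SENSITIVE_ACTIONS and rec.approved and not authenticated(rec):
            reason = "caller_id_only" if rec.caller_id_matched else "no_evidence"
            findings.append((rec.call_id, rec.action, reason))
    return findings


# Constructed sample records (not real data).
SAMPLE = [
    CallRecord("c-001", "change_address", True, frozenset(), True),   # the case in the post
    CallRecord("c-002", "change_address", False,
               frozenset({"callback_to_number_on_file"}), True),      # properly verified
    CallRecord("c-003", "balance_enquiry", True, frozenset(), True),  # not sensitive
    CallRecord("c-004", "reset_password", False, frozenset(), True),  # nothing checked
    CallRecord("c-005", "reset_password", True, frozenset(), False),  # agent refused
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Record c-002 passes even though the presented number did not match, because the agent called back the number on file; c-001 is flagged even though the number matched.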

One Comment

  1. Stuart McRae
    Posted August 15, 2006 at 4:25 AM | Permalink

    Interesting.

    There are articles on the web claiming that caller ID cannot be faked (e.g. http://www.ainslie.org.uk/callerid/cli_faq.htm#Q_15 or http://artofhacking.com/files/BEATCID.HTM) because the ID is sent between the first and second ring but the caller’s equipment is not connected until the call is answered. So the only vulnerability was if the Caller ID unit continued to accept Caller ID details after the call is answered – which it should not. However, this logic is clearly false.

    What has increased the profile around this is VoIP services. The gateway protocol is letting the calling service provide the calling telephone number as part of the protocol. Services like Vonage let you give them a land line number and show that as the caller id in case someone calls you back.

    One would think that this would be the first time when the party providing the calling number is not another telco. But that is far from the truth. For example, I believe corporate PBXs have long been able to provide the extension number instead of the PBX number if they have a suitable connection to the telco (and does anyone check that it is an extension covered by that PBX? I doubt it).

    It should be noted that faking a calling number to masquerade as someone else like that is illegal in the US (and probably other countries). However, there are quite a few service providers in the US who explicitly offer this sort of service (only “to law enforcement agencies”, of course, but I cannot believe there are enough of those to sustain the size of industry these people seem to support). All these folks must connect to a carrier that allows them to transmit this information, so there is a regulation point if the regulators wanted to enforce it.
