Don't Believe That Lying Telephone

By Larry Seltzer  |  Posted 2006-08-16

Opinion: Through the miracle of software, telephony technology is opening up to the masses, including the unscrupulous masses.

Other than me, it seems like you can't trust anything anymore. The latest item on the official "Untrustworthy List" is Caller ID.

I've had a low opinion of it for a long time anyway. A high percentage of calls come from "Private Caller" or "Out of Area" or some such unhelpful designation, and many of these calls are from people I want to talk to.

But it turns out that Caller ID is easily spoofed using modern PBX software, principally the open-source Asterisk system. And it was never really trustworthy to begin with; it's no scandal that Asterisk allows spoofing, since spoofing is a feature, not a bug in the system.

Actually, you don't really need a PBX; you can just buy a Spoofcard. It's a pre-paid calling card with 800 service. You call the 800 number and tell it not only the number to call, but the number to display on Caller ID.

They insist that the service is perfectly legal, and Spoofcard has been around for a long time (in technology terms). Legitimate businesses do this sort of thing all the time too in cases where the number making the call isn't the one the business wants the user to call back.

The real news is that Asterisk makes this sort of spoofing, and other attacks, easy and programmable for automated attacks.

As Richi Jennings of analyst group Ferris Research puts it, there are two main telephony threat vectors used by criminals to empty customers' bank accounts:

  1. Calling bank customers, pretending to be the bank, trying to steal passwords and other information.
  2. Calling the bank, pretending to be the customer, trying to change addresses, passwords and other credentials.

The second one is particularly stunning for what it says about bank security. Jennings recounted an example of someone who found their billing address on a credit card account changed.

It turned out that an attacker had called, spoofing the customer's Caller ID, to change the address, and the bank changed it, at least in part because the Caller ID matched.

Read the full story on eWEEK.com: Don't Believe That Lying Telephone

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
