Don’t Believe That Lying Telephone

Other than me, it seems like you can’t trust anything anymore. The latest item on the official “Untrustworthy List” is Caller ID.

I’ve had a low opinion of it for a long time anyway. A high percentage of calls come from “Private Caller” or “Out of Area” or some such unhelpful designation, and many of these calls are from people I want to talk to.

But it turns out that Caller ID is easily spoofed using modern PBX software, principally the open-source Asterisk system. And it was never really trustworthy to begin with; it’s no scandal that Asterisk allows spoofing, since spoofing is a feature, not a bug in the system.

Actually, you don’t really need a PBX; you can just buy a Spoofcard. It’s a pre-paid calling card that works through a toll-free 800 number. You call the 800 number and tell it not only the number to call, but also the number to display on the recipient’s Caller ID.

They insist that the service is perfectly legal, and Spoofcard has been around for a long time (in technology terms). Legitimate businesses do this sort of thing all the time too in cases where the number making the call isn’t the one the business wants the user to call back.

The real news is that Asterisk makes this sort of spoofing, along with other attacks, easy and scriptable, which opens the door to automated attacks at scale.

As Richi Jennings of analyst group Ferris Research puts it, there are two main telephony threat vectors used by criminals to empty customers’ bank accounts:

  1. Calling bank customers, pretending to be the bank, trying to steal passwords and other information.
  2. Calling the bank, pretending to be the customer, trying to change addresses, passwords and other credentials.

The second one is particularly stunning for what it says about bank security. Jennings recounted an example of someone who found their billing address on a credit card account changed.

It turned out that an attacker had called the bank to change the address while spoofing the customer’s Caller ID, and the bank made the change, at least in part because the Caller ID matched.

Read the full story on eWEEK.com: Don’t Believe That Lying Telephone