What is Caller ID Spoofing? (and why Caller ID should not be trusted)

During the 2009 to 2010 time period, the rural telephone company I was working for started receiving a large volume of customer complaints for fraudulent calls and in particular incorrect caller ID. The customers were seeing a caller ID that was equal to their own phone number or a number very close to their phone number. This was not an isolated incident.

I was recently reminded the problem still exists and that the telecom industry is still working to find and implement a fix.  While at a Meta Switch symposium, a speaker mentioned the FCC is working on a proposed industry standard solution.  Then a month latter I ran across this IEEE article that suggested a different possible fix,  "End-to-End Detection of Caller ID Spoofing Attacks".  Bottom line, an industry standard solution is not available yet.

The Basics:

What is caller id?  It is caller number identification.    When you receive a call the calling party's number appears on your phone.  If you have calling name delivery, then you will see the name as well.

What is Caller ID Spoofing?: The practice of sending false or misleading information, so as to deceive the receiving party and/or hide the caller's true identity and/or call origination.

How does caller ID work and how is it spoofed?  In the traditional PSTN (Public Switched Telephone Network) the originating party's telephone number is injected between the first and second ring burst by the originating voice switch.  This message is transported to the end phone, where the phone grabs the message between the first two rings.  During my time at Nortel, I can remember actually using an oscilloscope to see this messaging between the rings.  It is very hard to spoof this type of caller ID, since it is the traditional voice carriers' voice switch that is adding the caller ID information.

In the mobile phone world, the caller ID is transmitted with the call setup messages. This is also very hard to spoof, with no reported instances of spoofing.

In the Voice over IP (VoIP) world, the end user originating the call sets the caller ID. This is where the vast majority of Caller ID spoofing originates since an end user can send any Caller ID information they want.

Time line:

1968 - Theodore George Paraskevakos started development of the Caller ID concept.

1984 - First market trial for Caller ID.

1996 - VoIP early adopters

2004 - VoIP becomes mainstream.

2005 - Caller ID becomes untrustworthy.

Why are criminals spoofing Caller ID?

1) To get the end user to pick up the phone.

2) To misrepresent themselves and to commit fraud.

Is caller ID spoofing legal:?  No, the Caller ID Act of 2009 prohibits any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.

What can you do?  Be aware caller IDs can be spoofed; do not rely on or trust the caller ID.

Sources:

Daffan, Kait, "Caller ID Spoofing & Call Authentication", FTC (Federal Trade Commission),  12 October 2012, https://www.ftc.gov/sites/default/files/documents/public_events/robocalls-all-rage-ftc-summit/robocalls-part5-caller-id-spoofing.pdf

Mustafa, Hossen, "End-to-End Detection of Caller ID Spoofing Attacks",  Publisher IEEE,Print ISSN: 1545-5971,  14 June 2016,   http://ieeexplore.ieee.org/abstract/document/7491306/