IT World Canada

Caller ID spoofing: Juvenile? Yes. Effective? Absolutely

Recently, Paul McNamara wrote about the scourge of caller ID spoofing — which is not yet illegal — and the effect it had on one business. Now, he talks to someone who’s used the tactic as a last resort.

He spoofed the HR director’s work phone number, then the number of that guy’s boss, before moving up to a vice-president, and finally, the CEO. Says he had no choice. He also says “this thing that I did is bad and should be outlawed.”

Caller ID spoofing is perfectly legal, you may know already, although efforts have been under way to have that rectified.

Background: The major telecom equipment maker whose employ A.G. Bell had recently left owed him thousands of dollars in unpaid commissions, he says, yet the HR department stopped returning his calls, instead “hiding behind voice mail.” Spoofing the HR director’s number got his underlings to pick up the phone, at least until they wised up to that ploy, at which point Bell — a fictitious name I’m affording him to protect his current job at another telecom vendor — started spoofing numbers right on up to the top of the org chart (not to mention a White House number — seriously).

“Juvenile? Yes,” Bell acknowledges. “Effective at getting past call screeners? Absolutely. Subject to horrible abuse? Totally.”

He says he always identified himself honestly once he got a live voice on the line.

We’ve been chatting via e-mail about what he did, his minor ambivalence about having done it, and his major concerns over the ease with which others with a more criminal agenda could abuse spoofing services. (Such abuse is already common, experts say.) What follows is an edited transcript:

At what point did the light go on and you thought: “Hey, I’ll use a caller-ID spoofing service so they can’t hide behind voice mail”?

In my mind I was a victim forced to use distasteful means to take care of my family. I worked in the converged voice space, so the mechanics of caller ID were not unfamiliar to me or to the crew of geeks that I call friends. The light went on over beers — I was complaining about the former employer’s call-dodging to some engineer friends and the suggestion of using a local vendor’s lab to spoof caller ID came up. Another engineer at the table said, “Don’t reinvent the wheel, just Google ‘spoof caller ID service.’” I got 32,000 hits. Spoofcard came up first.

Explain the mechanics of how Spoofcard works.

So, I gave them [US]$20 for an hour of caller ID misrepresentation. Although I hate that it seems to be legal for them to offer this service, I love their implementation. Speaking as an engineer and a salesman, they really built a sweet platform.

You call a toll-free number, enter your Spoofcard account number, enter the 10-digit number you wish to call, and then the 10-digit number you wish to be displayed on the recipient’s caller ID. . . . Prompts go like this: Press one to record the call, two to not record; press one to use your normal voice, two to use a man’s voice, three to use a woman’s voice.

The conversation would be recorded with no beeps, artifacts or notification that recording was taking place, and the recording could be downloaded at leisure from Spoofcard.com. For $20 I had a complete record and recording of every call made, of every voice mail left. Beautiful.

Did you have qualms about doing it? Any concerns about legality? Ethical? Moral?

I honestly had more concern with the way it would be perceived if my claim had gone to court (perception of the judge) than over the legality or ethics of the spoofing itself. Had my former employer not been in breach of contract, been acting immorally (in my opinion) or been refusing to take or return my calls, then there is no way that I would have been able to rationalize spoofing other people’s ID. To be clear — I always identified myself when the call was picked up; it was the calling party line ID that was misrepresented, not the caller (me).

Did it work for you? Did it get you what you wanted?

It worked great. Certainly it took a tactic (ignore calls, do not engage) away from my former employer, and I know that it directly generated internal dialogue (Why is caller ID not working right for my phone? How did he do that? Is he allowed to do that?) which was the objective of the exercise. . . . I got 100 per cent of what I was owed.

Having used the service yourself, how could you see it being abused?

Say you receive a call from your bank telling you that your card is suspected of having had fraudulent use. The caller ID says it’s your bank and the toll-free number is the real number of their fraud department. You trust the caller ID displayed and provide all the information needed for Boris in Estonia to rob you blind.

Telemarketers could use this mercilessly. Collections agencies (kind of the role I was forced into) could avoid creditor call screening. Stalkers could use this to harass their victims. . . . The truth is caller ID is near ubiquitous, it is trusted info by most people, and the abuse or fraudulent usage of such a service should be very severely punished.

Yet you went ahead and used it anyway? How can you reconcile that contradiction?

Yep, sure could appear to be hypocrisy and I’m not sure that it isn’t. I’m not convinced that we do have tough enough (or clear enough) laws to penalize misrepresentation of caller ID for criminal purposes, and there is nothing that Spoofcard did that I can see that would prevent its misuse (like announcing “Spoofcard, this call is purely for entertainment purposes” when the call connected; callback with “Spoofcard, the last call you received was a joke”, etc.). I feel like a farmer that once used fertilizer and diesel to blow up a tree stump: Sure was easy, worked great, cheap, didn’t hurt anyone. . . but what could a bad guy do with this?
