[VOIPSEC] VoIP and Fraud

[natas natas]

When you say CLID are your referring to the ANI (Billing Telephone
Number) or Caller ID? Why would such an important system like E911
only rely on Caller ID information??? These commercially available
sites that offer Caller ID spoofing do not spoof any sort of ANI,
which is what I was told E911 utilized. Also, I don't believe that any
of these spoofing sites have access to E911 services as their carriers
do not have access to E911 at this time, so the only way to do
anything to E911 would be through a backdoor POTS number.

I also see this as a security problem and not a fraud problem.

-Natas

Mark Fletcher fletch at nortel.com writes:
>Take the E911 system for example, no location data is actually 'passed' from
>the origination point. The E911 Location screen is populated at the
>dispatcher console based on a ALI database dip using the CLID as the index.
>So for example in NJ, I can be in Atlantic City, hit a local PRI trunk with
>spoofed CLID, and end up at a PSAP in Newark (practically the other end of
>the State). E911 routing is based on CLID and nothing else, and
>unfortunately that is now easier to spoof.


Mark Fletcher fletch at nortel.com writes:
> There are many potential areas, but one that concerns me is the 
> ability for a user to easily spoof their Caller ID. Typically this has 
> only been available to administrators of a PBX with PRI circuits. Many 
> call this 'security via obscurity'. By spoofing CLID, a caller could 
> raise havoc with Emergency Services and the national E9-1-1 system, or 
> use a spoofed CLID to socially engineer people into giving up personal 
> information.