[VOIPSEC] Truths on "Truth in Caller ID Act"
Mpierce1 at aol.com
Sat Oct 7 02:49:32 BST 2006
In a message dated 10/5/2006 3:47:25 PM Eastern Daylight Time,
dtrammell at tippingpoint.com writes:
> And what if you use no "colored box" or special technology at all to do
> so? I can confirm that as recently as 2003, it was still possible to
> spoof CLI through simple social engineering. The way it was done was
> having your local line operator complete a call to your favorite
> long-distance operator. Doing this seemed to nullify any CLI
> information that was passed by the local telephony system to your local
> operator, or from that operator to the long distance carrier. The long
> distance operator then, having not received any CLI information and
> before completing your new call for you, would ASK YOU FOR YOUR NUMBER,
> which of course you could tell them anything you liked as long as it was
> not obviously false like "911". Then, once the long distance operator
> completed the call for you, the number you told them would show up on
> the recipient's Caller-ID device. Please don't bother trying to
> convince me that this has never worked, because I had done it myself a
> number of times back in the mid '90s, and it worked exceptionally well.
>
Presuming that the reason that the long-distance carrier asked for your
number was to know who to bill the call to, I would find it hard to believe that
any would accept your number verbally, much less let it be presented to the
called party. Maybe some did since they lacked something better. I suspect they
are out of business. So you did it in the mid '90s. Do you mean that you were
able to place a call and get it charged to someone else, or do you really know
that the spoofed CLI was delivered to the other end? I think we've advanced a
lot in 10 years so that what you described would no longer work.

My point remains, once the telephone industry identified a method by which
someone was committing fraud, they figured out how to stop it. Any use of VoIP
has to do the same. The industry has to find ways to stop fraud, rather than
continually arguing that, since it is okay in some cases, it shouldn't be
stopped. Spoofed CLI is just one of those things that needs to be stopped by
technical means. Meanwhile, legal means are needed to prosecute those who do it.
In a message dated 10/5/2006 3:47:25 PM Eastern Daylight Time,
dtrammell at tippingpoint.com writes:
> Unfortunately, this should have never been accepted as an appropriate
> use of CLI. Even using CLI to determine whether or not to answer the
> phone or allow an automated device to take the call should not be
> treated as authoritative.
>
You seem to argue that there are no valid uses of the CLI that exists today
in the PSTN just because a few people figured out how to hack it sometime in
the past. You've dissed the two main uses that I know of. It's not a question of
whether or not it is "authoritative" (i.e., 100% accurate), but rather
whether or not it serves the purpose. I think everyone agrees that the situation
with VoIP means that CLI does not serve any purpose (much like the "from" address
on e-mail). I hope that there is a growing number of people who are getting
upset about the fact that this situation in VoIP is destroying the utility of
this valuable feature in the PSTN.
In a message dated 10/5/2006 3:47:25 PM Eastern Daylight Time,
dtrammell at tippingpoint.com writes:
> This is similar to the example
> mentioned of someone using a courtesy phone in a bank lobby to
> impersonate the bank.
>
And that example was really stretching it for an analogy. If you even could
find a phone in a bank lobby (not in mine), the phone number that showed up on
CLI would not be the number of the accounts rep or someone like that who might
call for bank business. And if the CLI delivered to me was the name, I would
hope that the bank was smart enough to ensure that the phone in the lobby
showed up as "Bank lobby". Anyway, I wouldn't suggest that anyone use the CLI in
this case to reveal information about their account.

Mike Pierce