[VOIPSEC] The *Rise* of Caller ID Spoofing
Fred Posner
fred at teamforrest.com
Wed Feb 10 07:24:18 CST 2010
On Feb 10, 2010, at 8:05 AM, J. Oquendo wrote:
> Spoofing companies blame the carriers for the security flaw. “It is not
> the service…. it’s the cell phone companies,” says Gregory Evans,
> President of Spoofem.com. “The cell phone companies have to take some
> type of responsibility.”
> http://blogs.wsj.com/digits/2010/02/05/the-rise-of-caller-id-spoofing/
Of course you can't take responsibility for a number you don't maintain coming in to you... But I do take issue with a carrier accepting an outside call from a caller ID that is listed inside their network. If carriers even had this step, then there's at least a foundation to build on. Not only from a security aspect... it seems to me they would simply want to implement something like this (at least on the cellular side) to stop exploits of mobile to mobile "free" calling. This was one of the first things we put in place on our VoIP networks. Last I checked, it's still not blocked on ATT, Verizon, and Sprint.
>
> With VoIP, our main concerns (at least mine) are, e-911... For example,
> I have a client in Boston with 3 teleworkers using Beantown DID's. I
> keep having to remind them: "You do know if your staff call 911 in an
> extreme emergency where they can't give their address from that phone
> the cops are going to go to the Boston office right..."
If you have true e-911, then your address should appear and your call should be routed regardless of the phone number's relationship to the local 911 center. We've tested this with numbers from out of the local exchange, county, and even state. If the e-911 is set up and routed correctly, it should go to the correct dispatch for the physical location as well as deliver the physical address to the call center.
---fred
http://qxork.com
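The screening step described in the reply above (refusing an off-net call whose caller ID belongs to the receiving network), sketched as an added example that is not code from the post or its author. The number block, trusted source range, host names and sample INVITE are constructed assumptions, and legitimate exceptions such as roaming or forwarded calls are not modelled.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not taken from the post).
OWN_PREFIXES = ("+1305555",)                             # number blocks homed on this network
ON_NET_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]  # our own switches and SBCs
URI_USER = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.I)

def normalise(user, country_code="1"):
    """Reduce a URI user part to +E.164 form, or None if it carries no number."""
    digits = re.sub(r"\D", "", user)
    if not digits:
        return None                      # e.g. sip:anonymous@anonymous.invalid
    if user.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("011"):         # North American international prefix
        return "+" + digits[3:]
    if len(digits) == 10:                # national number without country code
        return "+" + country_code + digits
    return "+" + digits

def claimed_numbers(invite):
    """Collect caller numbers asserted in From and P-Asserted-Identity."""
    found = set()
    for line in invite.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f", "p-asserted-identity"):
            match = URI_USER.search(value)
            number = normalise(match.group(1)) if match else None
            if number:
                found.add(number)
    return found

def screen_inbound(invite, source_ip):
    """Return (verdict, reason) for an INVITE arriving from source_ip."""
    src = ipaddress.ip_address(source_ip)
    if any(src in net for net in ON_NET_SOURCES):
        return "accept", "on-net source"
    ours = sorted(n for n in claimed_numbers(invite) if n.startswith(OWN_PREFIXES))
    if ours:
        return "reject", "off-net source claims on-net number " + ", ".join(ours)
    return "accept", "off-net number from off-net source"

# Constructed INVITE: From shows an off-net number, P-Asserted-Identity claims one of ours.
SAMPLE = ("INVITE sip:+13055550199@sbc.example SIP/2.0\r\n"
          'From: "Alice" <sip:+12125550100@peer.example>;tag=a1\r\n'
          "P-Asserted-Identity: <tel:305-555-0123>\r\n")
```

Both identity headers are checked because either one may be what the called party's display ends up showing.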