[VOIPSEC] The *Rise* of Caller ID Spoofing

Carlos Alvarez carlos at televolve.com
Wed Feb 10 09:51:55 CST 2010


On 2/10/10 6:05 AM, J. Oquendo wrote:
>
> Spoofing companies blame the carriers for the security flaw.

I would agree.  If a screwdriver let me open a certain brand of lock 
without effort, would we blame the screwdriver or the lock?

> Lucky for me I don't work at a cell carrier. ;)

The carriers give the users the ability to enable or disable password 
protection.  Personally I prefer the convenience over the security when 
it comes to my voicemail, and I use spoofed CID on my IP phone to listen 
to the cell VM without having to use the cell phone.

> With VoIP, our main concerns (at least mine) are, e-911... For example,
> I have a client in Boston with 3 teleworkers using Beantown DID's. I
> keep having to remind them: "You do know if your staff call 911 in an
> extreme emergency where they can't give their address from that phone
> the cops are going to go to the Boston office right..."

This isn't necessarily so.  If you have a good e911 service provider 
with proper routing, the call will go to the right place.  We've tested 
this and our carriers deliver it to the right PSAP based on the address 
we enter, not the phone number.  A phone number isn't reliable even in 
the PSTN world where a city may have multiple PSAPs and LNP makes all 
numbers unreliable.  Our local area has LNP covering over 50 miles.

> Victim: "I really thought I would be getting a 2174523% return on my
> investment. The Caller ID said `This Be Is A Real Bank` and they had a
> nice Eastern European sounding advisor"
> Lawyer: "Did you lose all of your life savings?"

It's trivial for someone to just get a real phone account with that CID 
to start with.  Then it would be "real" CID as far as the system is 
concerned.  Hopefully this will prevent legislation on the issue which 
won't be effective and will just put a new burden on all of us.

-- 
Carlos Alvarez
TelEvolve
602-889-3003

Advanced phone services simplified



