[VOIPSEC] The *Rise* of Caller ID Spoofing
carlos at televolve.com
Wed Feb 10 15:51:55 GMT 2010
On 2/10/10 6:05 AM, J. Oquendo wrote:
> Spoofing companies blame the carriers for the security flaw.
I would agree. If a screwdriver let me open a certain brand of lock
without effort, would we blame the screwdriver or the lock?
> Lucky for me I don't work at a cell carrier. ;)
The carriers give the users the ability to enable or disable password
protection. Personally I prefer the convenience over the security when
it comes to my voicemail, and I use spoofed CID on my IP phone to listen
to the cell VM without having to use the cell phone.
> With VoIP, our main concerns (at least mine) are, e-911... For example,
> I have a client in Boston with 3 teleworkers using Beantown DIDs. I
> keep having to remind them: "You do know if your staff call 911 in an
> extreme emergency where they can't give their address from that phone
> the cops are going to go to the Boston office right..."
This isn't necessarily so. If you have a good e911 service provider
with proper routing, the call will go to the right place. We've tested
this and our carriers deliver it to the right PSAP based on the address
we enter, not the phone number. A phone number isn't reliable even in
the PSTN world where a city may have multiple PSAPs and LNP makes all
numbers unreliable. Our local area has LNP covering over 50 miles.
> Victim: "I really thought I would be getting a 2174523% return on my
> investment. The Caller ID said `This Be Is A Real Bank` and they had a
> nice Eastern European sounding advisor"
> Lawyer: "Did you lose all of your life savings?"
It's trivial for someone to just get a real phone account with that CID
to start with. Then it would be "real" CID as far as the system is
concerned. Hopefully this will prevent legislation on the issue which
won't be effective and will just put a new burden on all of us.
Advanced phone services simplified