58

My late brother was contacted by someone on landline number operated by a carrier in Australia and which displayed on caller ID. I traced the number to a company and though they did call him on a number of occasions from this number over a couple of days, they did not make the particular call in question which occurred in the same time frame.

This has left me asking, is it possible someone could hack in and use their telephone number to phone my brother?

The company is a financial services company and they were set up to make outbound calls using various landline numbers programmed into an auto dialler machine or possibly cloud-based phone system. They have been very cooperative and I am confident they did not make the call in question. I have also established the identity of the person who made the call to my brother, but how on earth did he get one of the company landline numbers to show in caller ID? This has me stumped.

stumped
  • 549
  • 1
  • 4
  • 4
  • 8
    "_or possibly cloud based phone system_" If this _is_ the case, then – presumably – any other company could be using the _same_ cloud-based system, and the land-line number belongs to the cloud company and not the financial services company. – TripeHound Jun 13 '19 at 09:22
  • This is something to work with the phone company on. They would know the routing of the calls. Note that all you have to go on is the caller ID and you don't really know if the landline was actually used. – schroeder Jun 13 '19 at 09:46
  • 2
    Not a full answer but an interesting listen on a piece that Reply All did about this topic https://gimletmedia.com/shows/reply-all/awhk76 – VerasVitas Jun 13 '19 at 17:07
  • 8
    Related tidbit from the [FCC's website](https://www.fcc.gov/consumers/guides/spoofing-and-caller-id): "[S]poofing is not always illegal. There are legitimate, legal uses for spoofing, like when a doctor calls a patient from her personal mobile phone and displays the office number rather than the personal phone number or a business displays its toll-free call-back number." I know you're asking about how, but their article mentions some of the why it can be faked which visitors to this question may want to know about. – Davy M Jun 13 '19 at 18:27
  • 1
    Also see [Caller ID (CID)](https://en.wikipedia.org/wiki/Caller_ID) on Wikipedia. The article provides the details, including the protocols used by the telephone company. It also discusses some of the scams, like Dip Fee Fraud. You really need access to the Automatic Number Identification (ANI) data. That's the information telcos use for billing purposes. ANI is accurate, unlike CID. When call traces are performed the ANI is recorded, not the CID. –  Jun 13 '19 at 21:52
  • Also, [*Caller ID spoofing* on Wikipedia](https://en.wikipedia.org/wiki/Caller_ID_spoofing). – Marc.2377 Jun 14 '19 at 03:14
  • 1
    Does anything of this has to do with your brothers death? Otherwise I would suggest to remove the 'late' – Kami Kaze Jun 14 '19 at 08:17
  • I usually compare the Caller ID to the return address on a post card. It's up to you to actually write it there and how accurate it is depends entirely on what you wrote there. Most people will try to put an accurate return address on a post card and most people will put the correct phone number in the Caller ID but the reality is you have no way of knowing either is correct. – Evan Steinbrenner Jun 14 '19 at 17:46
  • Also see [John Oliver's "Last Week Tonight" coverage](https://www.youtube.com/watch?v=FO0iG_P0P6M) relevant to this topic. – WBT Jun 15 '19 at 03:32

7 Answers7

103

Ars Technica did a superb piece on this a couple of years ago. A woman who is a real estate agent and publishes her cell phone, was inundated with junk calls. What was odd about these was

  • They were fully automated calls
  • They never played a message
  • They used a different number every time

They detailed her nightmare

On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.

France installed robocall blocking tools on her phone, but they didn't stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don't block calls when the Caller ID has been spoofed to hide the caller's true number.

They included this quote from a security researcher (emphasis mine)

Because it's an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don't need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.

I've had to explain this to numerous family and friends. The pinnacle there was my father-in-law, who called me up one day to ask how he got robo-dialed from his own number. I even get random calls sometimes from people saying "I'm returning your call" when I have no idea who they even are, let alone know how to call them.

Caller ID is never verified. That is hard to explain to most people, because their cell phone sends a proper ID and they can't easily spoof it. But the rise of VOIP, combined with the plummeting cost of phone calls in general and turnkey software that makes spoofing a breeze, has made this an incredibly cheap way to spam and scam people, especially from abroad. The FCC is proposing some changes to address this, but those changes are likely years off.

Machavity
  • 3,808
  • 1
  • 14
  • 31
  • 1
    I've noticed calls from my own number, which is handy, because that tells me it's bogus and should not be answered. Someday, I may set up an Asterisk system and route all calls with my number in Caller ID to [Lenny](https://www.youtube.com/results?search_query=Lenny+Asterisk). – Monty Harder Jun 13 '19 at 16:56
  • 1
    There has been a rash of scams in the UK where people modify the Caller ID information to show a bank's phone number while attempting to con account holders; the Guardian reports more [here](https://www.theguardian.com/money/2019/may/11/number-spoofing-290000-returned-to-readers-scammed-out-of-their-savings). – MadHatter Jun 13 '19 at 17:23
  • 13
    Try one of those caller-id spoofs on 911 (actually don't). They aren't fooled. The debate is now why can't everybody have that. – Joshua Jun 13 '19 at 18:21
  • 8
    @Joshua That's probably due to the fact that 911 centers tend to get more call data overall anyways (they have a legitimate need to know where you are) – Machavity Jun 13 '19 at 18:29
  • Not only is it never verified, it was never *meant* to be verified. It was designed to be a broadcast from the origin as a voluntary self-identification, no different than walking up to someone on the street and saying, "Hi, I'm John." – Draco18s no longer trusts SE Jun 13 '19 at 18:49
  • 32
    @Joshua, Caller ID is spoofable because businesses need it to be spoofable: every physical line has a different phone number. Businesses want their outgoing calls to all show as coming from their published/"official" number rather than the number of whichever wire it happened to end up on. There's a second phone number also associated with every call: the one used for billing purposes. This one is impossible to spoof, and is the one that 911 gets (because they need to know which physical location to dispatch to, not which organization is calling them). – Mark Jun 13 '19 at 19:37
  • 7
    @Mark While that's true, VOIP has made that process a lot harder to track down. [In this case here](https://www.theguardian.com/technology/2016/apr/15/swatting-law-teens-anonymous-prank-call-police) the numbers came from a VOIP server, which had been connected to a VPN. You can eventually find the people, it's just time consuming and difficult. – Machavity Jun 13 '19 at 19:46
  • 2
    @Joshua: When I worked on phone switches, I shared an office with the implementer of calling line identification presentation (CLIP) and its variations, such as CNIP (...Name...). I myself did work for Law Enforcement Agencies, so this is a first-hand recollection. CLIP can be blocked by CLIR (....Restriction), e.g. by using prefix `*67` in the US. 911 doesn't use CLIP, to avoid CLIR. They get the raw call data. – MSalters Jun 13 '19 at 20:45
  • 5
    @Mark: Not each physical line has its own number; businesses typically have a PBX (Private Branch Exchange). That PBX has far more numbers than physical lines. E.g. a common physical office connection was a T1 - 24 physical lines, which might support a block of 100 numbers, and the association was entirely dynamic. The Central Switch would route any number in the block to the PBX, using any free line. Now it is also clear why you need CLIP - the PBX needs to send which internal phone was used as the physical line is meaningless – MSalters Jun 13 '19 at 20:50
  • @Mark: This will be debated openly soon whether or not losing that is worth losing scammers. – Joshua Jun 13 '19 at 21:36
  • Thus, caller ID is very similar to what we have in e-mail: the SMTP envelope "Mail from" or the "From:" header. Except nobody charges you extra for passing these to you. – Kaz Jun 14 '19 at 04:31
  • @Machavity If you're using VoIP, it's very possible to spoof it such that you _can't_ find the caller, even eventually. A good anonymity network will make sure of that. – forest Jun 14 '19 at 07:34
  • Poor France. I've heard of similar things happening to Belgium as well. – Džuris Jun 14 '19 at 11:48
  • The spam callers have also started using "local" caller id. So, if your number is (111) 234-5678, all their junk uses caller id of the form (111) 234-xxxx. It's easy to spot, but a pain to block. – Laconic Droid Jun 14 '19 at 12:12
32

Security of the PSTN is horrifically poor. It's very easy to spoof anyone's number on Caller ID, without having to hack into any of their systems. As such, Caller ID provides no real assurance of who actually called you. There are even services available that the general public can use (for a small fee) to spoof any number they want.

  • 3
    That is supposed to change soon, at least in the US. Also see [Caller ID Authentication](https://www.fcc.gov/call-authentication) and the SHAKEN and STIR protocols. My guess is, the authentication will get stronger but carriers like Verizon will still let the viral calls pass to subscribers. Verizon has no economic disincentive to stop them, and an economic incentive to allow them (like when providing service to the spammer). I also project carriers won't provide the information to subscribers, so the subscribers will be just as ignorant to who is calling. –  Jun 15 '19 at 21:54
29

The CallerID displayed on the phone was never designed to be secure. Most VoIP (telephone over the internet) providers will allow the end user to set the outgoing number to be whatever they want. There's good reasons for this, one of which is your incoming provider doesn't have to be (and often isn't) your outgoing provider.

This is commonly seen in spam calls in the US, where robo-callers will set their callerID to be in the same local calling area, or sometimes also the first three digits after the area code, to be the same as the called party number in an attempt to fool the caller into thinking it's a neighbor, or someone they might know rather than a Long Distance caller.

Steve Sether
  • 21,530
  • 8
  • 50
  • 76
  • 23
    "There's good reasons for this." No, there really aren't. Plenty of bad ones, though. – Mason Wheeler Jun 13 '19 at 14:43
  • 8
    @MasonWheeler Not exactly. What I said about the incoming and outgoing carrier is true. How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? There is a new very recent verification framework in the works that attempts to verify the callerID, but it'll take years to implement across carriers. The problem isn't diss-similar to verifying the from: address in SMTP. – Steve Sether Jun 13 '19 at 15:34
  • 14
    "It'll take years to implement across carriers." No, it really won't. See the promoted comments in the Ars article you linked to: set up a deadline and say "if you don't have this implemented by this day, you will be cut off from the network," and I guarantee you every provider will dedicate the necessary resources to get it implemented on time. Also, this has been a known problem for a long time; there's no good reason why they shouldn't have started on this over 20 years ago! – Mason Wheeler Jun 13 '19 at 15:39
  • 7
    That's what I mean when I say all the reasons for this are bad ones: it's entirely due to bad decisions on the part of the telephone companies that things got to be the way they currently are. They chose to be lazy, they chose not to make needed upgrades in order to save money, they chose to let their customers suffer. None of it was necessary, and none of it was legitimate. – Mason Wheeler Jun 13 '19 at 15:40
  • 1
    @MasonWheeler I've actually read the legislation, and I'm somewhat familiar with the telco industry and utilities in general. They're dinosaurs, and excel at foot dragging. Whether they actually meet the deadline, or implement some kind of minimal implementation that does little/nothing is an open question. – Steve Sether Jun 13 '19 at 15:46
  • 11
    @MasonWheeler That's how all utilities are since they're regulated monopolies. They won't do anything until forced. That's why we need regulatory agencies like the FCC. The recent legislation is encouraging, but given how slowly things happen, I wouldn't hold my breath. – Steve Sether Jun 13 '19 at 15:49
  • 1
    @SteveSether: "How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to? " - the outgoing carrier knows which numbers are on its own network, since it needs to arrange inbound routing for those numbers.. Any callerID that's not on that list is automatically fake, and should result in the dropping of that call. If repeated, the dropping of that customer. – MSalters Jun 13 '19 at 20:53
  • 1
    @MSalters I'm not sure you understand how VoIP carriers work. As I said, the inbound carrier is completely disconnected from the outbound carrier. It's very similar to SMTP in that respect. In fact,it's even more complex than that, since a single call often go through multiple VoIP carriers before even getting to the PSTN. It's not as simple as you're trying to make it. – Steve Sether Jun 13 '19 at 21:15
  • 2
    "How is the outgoing carrier supposed to verify that you "own" the phone number your callerID is set to?" The same way that emails and websites are verified - each caller would have a public and private key. Their public key would be stored at a certificate authority, and each time they place a call, the callee would give them a string to encrypt with the caller's private key. The caller phone would encrypt this string with their private key and send it back, and then the callee would decrypt that string with the caller's public key and see if it matched. – kloddant Jun 13 '19 at 22:17
  • 1
    @SteveSether There's no reason for the outgoing carrier to set the caller ID to be a number that you can receive a call on. They should set the phone number to the one the call is coming from as that is the purpose of that number, whether or not that's a number that can receive an incoming call. The purpose of that number is to identify the source, not to allow a return call. (You can give your number if you want that.) – David Schwartz Jun 14 '19 at 00:54
  • 1
    @DavidSchwartz This is the misunderstanding. Calls don't come from phone numbers, they come from customer accounts. You don't need what's called a DID (direct inward dial) to place a phone call. That's why carriers allow you to set the caller ID to whatever you like. – Steve Sether Jun 14 '19 at 03:29
  • @kloddant The Shaken/Stir protocol does use encryption to authenticate caller ID, but it doesn't work like you're describing. It also literally required an act of congress to make carriers do it, otherwise they don't have a financial interest in implementing it. Things get more complicated as well, since until this legislation passed, carriers were required to complete the call through their network if given the traffic. – Steve Sether Jun 14 '19 at 03:33
  • 1
    @SteveSether There's no rule that says caller ID must be a DID number. It can be a number that identifies the source of the call, which is what it's supposed to be. When you say "Calls don't come from phone numbers" what you mean is that a number is not always assigned to the source of a call, but it *should* be -- whether or not it's a DID number. – David Schwartz Jun 14 '19 at 04:41
  • 1
    @DavidSchwartz There's many ways things could work, if given the chance to re-design the entire system and somehow make everyone use it. I'm only talking about how they actually work. – Steve Sether Jun 14 '19 at 04:45
  • 1
    @SteveSether I am also talking about the way things actually work. There is, in fact, no rule that says caller ID must be a DID number that you can call back on. Its purpose is, in fact, to identify the caller (hence the names, "caller ID" and "automatic number identification"). No redesign is needed. Originators simply must insist on populating the fields with numbers that actually identify the *source*, not callbacks. – David Schwartz Jun 14 '19 at 05:12
  • @MasonWheeler They are ALL lazy? Why not pick a provider, pay money, to have secure caller ID, if they are ALLOWED and not hindered by legislation to provide this service. Send me the IMEI. – paulj Jun 14 '19 at 15:44
  • 1
    Jeez... I think people are forgetting how much harder it was to start your own phone company back then. Caller ID security back in the day was primarily based on the fact that being a phone company required infrastructure and investment. The fact that rooms full of expensive equipment can now be replaced by a few megabytes of software has played SOME role in this. – barbecue Jun 14 '19 at 18:35
2

The simile I generally use for less technical people is that the caller ID is like the return address on a envelope sent through the post, and you shouldn't trust it any more than you trust that. Most people don't fake it because they're interested in getting back, but anybody can write anything they want in that spot.

(I provide no technical explanation here because the other answers already do a great job of that.)

cjs
  • 359
  • 1
  • 6
1

There are even Android apps (example) which allow spoofing the caller ID. You can enter pretty much anything in them, including a landline number or even a number which can't be dialed.

Dmitry Grigoryev
  • 10,122
  • 1
  • 26
  • 56
0

Very much similar to the way that an email's from and reply-to headers can be spoofed (but worse because at least you can inspect an email's headers and see what's going on). I recently had to block my own phone number because someone was spoofing calls to my phone from my own number. Anyone with an asterisks box and an IQ -gt 90 can make calls with fake CID info.

Chev_603
  • 236
  • 1
  • 8
-1

There are three possible methods:

The least likely is that someone splices into a landline. Yes, this is extremely low probability, but the possibility remains.

Second, which is easier is to hack into the robocaller system and add an extra call. Unlikely in your brother's case if he spoke to a live person, not just received a message.

The VoIP is the simplest method and doesn't take much effort. No effort at all if the VoIP provider neglects to restrict the calling party ID. Mine did when I was initially working on VoIP programming and I had lots of fun spoofing my friends.

See: https://www.tripwire.com/state-of-security/featured/caller-id-spoofing/

and: https://www.spoofcard.com/

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 1
    Even if the VoIP provider is restricting the caller ID they let you (the VoIP account holder) set to show to a number you've demonstrated control over, it's trivial to spoof caller ID using any VoIP provider that lets you forward incoming VoIP calls to a phone number. You just setup the forwarding to target the number you want to call, and place a purely-VoIP (sip protocol) call from outside your provider's service into it, putting whatever number you want in the SIP headers (same as `From:` spoofing for email). – R.. GitHub STOP HELPING ICE Jun 14 '19 at 01:46