We've gotten two calls in the last couple days from people claiming that we called them, and quite irate about it.  What they didn't realize is that you can't really trust the caller-id values displayed on your phone - they are trivially forgeable by anyone, and I think relatively hard to trace even for phone companies and police, etc.

It is actually worse than the From: address in emails, which lots of people also think you can trust, and which is even easier to forge, though at least it is more traceable from which IP address the email came from.

Unfortunately for me, someone is making the calls, and we're getting blamed for it.  And the people don't really believe me when I say we didn't make the calls (we currently don't make outgoing calls ever using that caller id (note that I can change my caller id to whatever I want it to be), so it is actually impossible for me to pick up the phone and call them with that caller id).

When I search the internet, I see a number of articles published a couple years ago, but apparently, the general public is still under the impression that the caller-id values actually mean anything.

One person said it well when he said that caller-id wasn't ever meant to be secure, it was intended as a convenience, it is the general public who is using the value incorrectly, and so it isn't a technical problem to be solved, but a social problem.

Tell that to the lady who screamed at me late the other night...

Posted by Jon Daley on February 11, 2009, 11:32 pm | Read 2825 times
Category Reviews: [first] [previous] [next] [newest]
Comments

There was possible legislation in congress awhile ago to make caller-id spoofing illegal. Dunno whether it passed but I bet the people abusing your ID wouldn't care about breaking such a law. I further bet that you'd get in trouble for spoofing yours to avoid resulting blacklists.

Too bad people don't use keys to authenticate phone calls the way I suggest, eh? Would solve phone spam and this too.

Posted by Mike on February 12, 2009, 2:50 am

I had that happen to me once. I didn't think that my ID could have been spoofed. I just figured the lady misdialed or something. Though perhaps the idea of misdialing is as anachronistic as the word itself; she might have done a return call. But in any case, she didn't yell at me and appeared to believe me when I said I didn't call her.

Then there's always the possibility that they're spoofing you the other direction, meaning that they're harassing you by claiming that you called them, like telemarketers who claim you have a business relationship and are thus not protected by the do not call list.

Posted by SursumCorda on February 12, 2009, 6:19 am

One trouble with all of the phone laws is that they are US based, so non-US entities don't care a single whit about if any such laws exist. And since it is easy to get a phone system anywhere that can spoof any caller id it feels like; I don't know what the solution is.

Like most things, the biggest hurdle is education. I assume that people still trust the From field in email addresses - I don't know what it will take for people to stop believing that it is just a string of characters that usually contains correct information.

Maybe once the majority of people are using VOIP or otherwise easily configurable systems, more such blacklists would exist. But, just as an email blacklist that uses the From address is almost completely worthless, so would a system for phones that uses the caller-id field to blacklist.

Posted by Jon Daley on February 12, 2009, 4:07 pm

Well again, IMO phones should have key based *whitelists* because getting a phone call is so disruptive to one's home.

Posted by Mike on February 13, 2009, 10:41 am

I have enjoyed having a VOIP system, with fancier routing rules. One thing you might enjoy is that the caller-id blocking function on people's phones: *XX doesn't do exactly what you think it would. It turns out that in order for the caller-id to be correctly sent to police stations, etc. the number is *always* passed along with the request, but there is an extra "privacy" header that says: "don't look at the caller-id value".

And any consumer phone provider is supposed to see that header, and strip off the caller-id value before sending the request to the end-point. However, if you are a phone system provider, then your provider won't strip it off, since you are supposed to strip it off yourself once you figure out that the call isn't to an emergency sort of person.

I haven't really found much of a use for that (yet?) but it is kind of interesting that the system works that way.

And there are some phone companies that either never send the caller-id value, or know that once the call leaves their network, it probably isn't to an emergency person, since presumably you would be calling a local emergency person, so they strip it off then, but it works in some cases.

Posted by Jon Daley on February 13, 2009, 10:48 am

Caller ID information, I do not believe, is admissible in court. If your cranky lady friend calls back, tell her to press *57(costs a dollar per use), which will trace the call. If she gets more than 5 unwanted calls, she can pursue legal action. She won't have access to the traced records, but they can be used to investigate her complaint.

Posted by Jenn Grover on March 11, 2009, 7:38 pm

Ah, right. I forgot about that option. Thanks.

Posted by jondaley on March 11, 2009, 9:06 pm
Add Comment
Add comment
E-mail me when comments occur on this article

culpable-adaptable