Daily Archives: 9/4/2004

Caller ID Spoofing for Fun or Profit

Although the ability to spoof caller ID has been around for quite a while, I wasn’t aware of any public services that offered that capability. On August 31, a company called *38 launched a service for spoofing caller ID. With stories quickly appearing on Slashdot and the New York Times (registration required), *38 picked up a lot of publicity very quickly.

Perhaps too quickly for founder Jason Jepson, as an article in the Houston Chronicle revealed that he received “harassing e-mail and phone messages and even a death threat taped to his front door”. Since the *38 website suggests that the service would primarily be targeted at bill collection agencies, I presumed the threats would have been from people running from the repo man. But he contends that they are coming from hackers who are upset that a tool available only in the underground was suddenly now available to anyone, somewhat like how magicians get mad when another magician reveals how a popular trick works.

I would have thought a more likely source of the threats would be the big phone companies, since caller ID is nearly pure profit for them. If people stop trusting caller ID, there goes a fantastic source of revenue for them.

As a sheer coincidence, early last week I built a caller ID spoofing application on our speech platform at work. It was a really simple app to write, and it works like a charm. The very next day I saw the article on *38 on Slashdot.

With their service, you first register your phone number with them and agree to pay $20/month plus 7-10 cents per minute, based on calling volume. Then, you go to their website and enter a number to call and the calling number you want to spoof. An automated service calls you back and dials the first number while spoofing the caller ID with the second number.

I like my implementation better, since it doesn’t require Internet access. I call a toll-free number that connects me to my application hosted by a VoiceXML service provider. My app then asks you to enter (speech or DTMF) the number to call. Then, it asks you for the number to spoof. Seconds later, the phone at the first number is ringing, but the calling number that that person sees (assuming they have caller ID support) is the second number.

From the NY Times article:

“The developers of Star38, who say they required only 65 lines of computer code and $3,000 to create their service …”

Heh, the original version of mine was 51 lines of commented code and took me only about four hours of coding and testing time to complete. Even if I was charging 1999 dotcom era consultant wages, that would come in well under $3,000. If I had written it in static VoiceXML, it would have been about twenty-five lines of code (and that’s human readable code with no wacky obfuscations to shorten the length). I could easily rewrite it in fewer than twenty lines of clean, albeit uncommented, code on our platform, which dynamically generates VoiceXML.