This week an AP originated article appeared in the Oakland Tribune on caller ID spoofing. My previous post on caller ID spoofing generated quite a few comments, including a lot of email requests for the source code or for me to provide it as a paid service. Just to cut short further requests, I have no interest in doing that.
As I wrote long ago and the article also states, you shouldn’t absolutely trust the phone number that shows up on your Caller ID service as being the phone number of the person calling you. It’s quite easy to fake for someone with a reasonable level of technical savvy. I originally did it via a VoiceXML application on a hosted VoiceXML service, but you can also do it if you manage your own PBX, such as Asterisk. For the less technical, you can just pay a service to handle it for you.
Camophone is no longer taking new customers, but Spooftel, Telespoof, Spooftech, and Spoofcard are currently active. Interestingly enough, the star38.com domain for the earliest (at least, earliest known to me) Caller ID spoofing provider now redirects to cia.gov. Conspiracy theorists, start your engines.
One obvious concern is any service that authenticates the user based just on Caller ID. One example is credit card activation. Some companies will automatically activate credit cards if the Caller ID for the incoming call to the activation line is the same as the number used when appying for the credit card. That could allow someone to activate a large number of credit cards in a very short period of time by using fake phone numbers.
A dangerous privacy-related example for consumers is voice mail systems that don’t require a password if you call from the number associated withÂ voicemail box. Many mobile carriers use this as the default configuration. If someone knows your mobile number, they can call the main number for voicemail access and spoof your number. They can then listen to your stored messages.