Faking Caller ID Gets Easier, as Politician Learns the Hard Way
- Share via
NEW YORK — Last fall, U.S. Rep. Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy.
The constituents were especially upset that the messages appeared to come from the congressman’s office. At least, that’s what caller ID said.
“People thought we were making the calls,” Murphy said.
The calls, which the Pennsylvania Republican estimated in the thousands, were apparently placed with fake caller ID. That has been possible for a long time, but it generally required special hardware and technical savvy.
In the last few years, caller-ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a caller-ID system. And several websites have sprung up to provide caller-ID spoofing services, eliminating the need for special hardware.
Spoofcard.com sells a virtual “calling card” for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the caller-ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.
Caller-ID spoofing appears to be legal, though many of its uses are not.
Lance James, chief scientist at security company Secure Science Corp., said caller-ID spoofing websites were used by people who bought stolen credit card numbers. They will call a service such as Western Union, setting caller ID to appear to originate from the card holder’s home, and use the credit card number to order cash transfers, which they then pick up.
Exposing a similar vulnerability, caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards. Some card companies maintain, however, that they use additional means to confirm new cards. And caller-ID spoofing may not work for calls to 1-800 numbers, where the hardware can identify calls using a separate technology.
Spoofcard.com did not return messages seeking comment about its business. However, some of the five or so websites in the business don’t appear to be completely unscrupulous: James said he had been hired by a few of them, which he would not identify, to help stop the Western Union scam.
Also, Spoofcard.com and SpoofTel.com say they will surrender call logs to authorities in response to subpoenas.
When originally contacted for this story, Federal Communications Commission spokeswoman Rosemary Kimball said the agency had never investigated the issue. But about a week ago the FCC issued a letter to at least one spoofing site, Telespoof.com, according to an e-mail from the site’s owner, who communicated on condition of anonymity.
The letter seeks lists of Telespoof’s customers and the phone calls they placed. The agency is investigating whether the site is violating federal laws, Telespoof’s owner said. He has not decided how to respond.
Kimball did not return messages seeking comment on the investigation.
Telephone companies can trace calls to their origin regardless of the caller-ID information they carry, but the process is laborious, especially since a call may be carried by several companies before reaching its destination. The fragmented nature of the telephone network also makes it technically difficult for the carriers to prevent spoofing.
Apart from fraud and telemarketing, caller-ID spoofing can be used for pranks and spying.
In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.
