Many in the VoIP service industry have known for years that caller ID can be spoofed (that is, misrepresented) relatively easily. In fact, one need not be an expert at using Asterix's Linux VoIP PBX software or know the other tricks of the trade - he can simply pay a few dollars for an Internet telephone caller ID spoofing service. (We're not going to provide free advertising for these services here.) While this may seem harmless, it opens up the door to a number of serious vulnerabilities.
More and more caller ID is being used to authenticate people's identity. Credit card companies have long been using caller ID in the card activation process. Financial institutions such as Citibank and American Express are now using it to authenticate identity of account holders who dial in to their telephone service. In business, caller ID is used to signal whether a caller is calling from inside or outside the firm. 911 call centers use it to determine who is calling and where to send emergency responders. Voicemail systems, particularly cell phone voicemail systems, automatically playback messages based on caller ID.
This is just a handful of potential targets for and methods of attack. To make matters worse, the list is only expanding, as companies continue to embrace the convenience of speed of using caller ID as an identification method.
To date, it appears that most caller ID attacks have been of the "prank phone call" type, and not concerted attacks, such as massive credit card fraud. However, it seems that the clock is ticking, and that it is only a matter of time before this type of fraud really takes off if the door is not shut first.
The FCC is investigating action against some of the caller ID spoofing services, but this is not really a solution - the underlying vulnerability remains, it just may be more difficult for amateurs. VoIP service providers can help matters by closing this security hole so that their customers cannot take advantage of them, as well.
But the best solution in the foreseeable future lies with businesses themselves. Though it may be painful, businesses are going to reevaluate the risk they are taking by using caller ID for identification. In some cases the risk may be low, but in many cases it will probably make sense for them to stop this practice.
It will be interesting to see where this issue goes over the next year.James C. Bradley writes articles on topics such as Caller ID and Block Caller ID. Visit VoIP Caller ID Spoofing - Still Dangerous.
0 comments:
Post a Comment