[telecom] NYS "bill" in works to outlaw phone ID spoofing

[Queens Chronicle]

Penalties for phone spoofers a possibility

Callers who attempt to defraud others may start to think twice before dialing. Legislation that would prohibit callers from hiding or falsifying their caller ID to harass or defraud recipients is making its way through the state Assembly and Senate.

In a practice known as "spoofing", telemarketers and other callers who seek to hide their identity can mask or alter the number that appears on caller ID readers in order to trick residents into answering the phone. The reasoning is that unsuspecting recipients may be more willing to answer a call with a local area code or a familiar name and phone number. .... If the bill is signed into law, phone spoofers could be fined up to $2,000 per call, subject to an aggregate amount of $100,000 for all illegal calls placed within a 72-hour period. -------- rest:

formatting link

- no copies of the bill visible yet on the various official websites.

_____________________________________________________ Knowledge may be power, but communications is the key snipped-for-privacy@panix.com [to foil spammers, my address has been double rot-13 encoded]

Reply to
danny burstein
Loading thread data ...

formatting link
Missing from that article (and every other similar one I've seen over the years) is: HOW is the phone spoofer actually identified and caught?

If the displayed number is spoofed, how can the real caller be ID'd? Is such identification (of a spoofer) even possible? I have the impression it's not [possible] since there are so many violators of the "Do Not Call" list(s).

Frankly, I wish there was a button on one's phone that one could push upon receiving a spoofed call that would send 100kV down the line along with a plague of locusts, a tornado, a hurricane, an earthquake, and GPS coords for a Predator mission missile strike. :-)

Reply to
Thad Floryan

danny burstein wrote in :

So this will stop most of those commercial "spoofing" services and maybe stop a few telemarketeers from doing the wrong thing.

But with the technical issue (the phone network trusts caller-id and there are points in which an end-user can inject a fake caller-id) still there, this will (in my opinion) not stop the real fraudsters who like to use fake caller-id because it makes them harder to trace.

But all I have to go on is the article, so I might be wrong about the technical issue not being adressed.

Koos van den Hout

Reply to
Koos van den Hout

This is a good idea and a start, but unfortunately I don't have much hope for it.

--Telecom lobbyists will fight it either defeating it entirely or watering it down to make it worthless.

--Spoofers will go ahead and spoof anyway knowing the odds of them being identified, caught, and actually prosecuted are very low. Today, it's illegal for telemarketers to call nursing homes, cell phones and people on the 'do not call' lists but they do so anyway for those reasons.

The baby bells have Call Trace (*57) but for some reason they strongly discourage its use. They don't publicize it. They charge a steep fee for each use. They do nothing unless there are a long series of calls; and even then they dump it over to the local police. They don't want it used for sales abusiveness. I wonder if the competing local phone companies and VOIP carriers even support *57 or would know what to do if a complaint came in.

Reply to
hancock4

Any guesses how they plan to enforce this?

Let's suppose this passes and I get a spoofed phone call. What's the next step? Dial 9-1-1 and get a crack team of phone spoofing detectives on the case? Something tells me it'll involve the recipient of the spoofed call to go to great lengths and expense to track down the source and because the state government in New York (and other states) is so broke they won't even think about pursuing it unless it involved fraud costing a large sum of money. And I'm sure shortly before an election the attorney general will brag about busting a phone spoofing ring and then we won't hear anything about the law again.

John

Reply to
John Mayson

formatting link

Also missing is any explanation for why it's the caller, and not the switch at the caller's CO, with the capability to determine what to send as caller-ID.

To put it another way, why should Caller-ID, ANI, and CNID not all be the same, and un-spoofable by the calling party?

Cheers, -- tlvp

Reply to
tlvp

How about answering the call, recording it, and getting them to say who they are?

Caller-ID and CNID are the same thing. ANI can legitimately be different, with the usual example being a call from a PBX with ANI of the main billing number, and CNID of the extension.

As to why they can be spoofed, it's a combination of laziness and the design not matching the way the phone system now works. The laziness part is telcos and PBXes. Telco switches can and should be programmed so they know the range of numbers assigned to a PBX and replace the CNID with its main number if it's out of range. Some telcos do that, some don't.

The design problem is that CNID was designed for a closed network in which all of the sources of CNID were trustworthy or could at least be verified. In today's wild'n'crazy world of VoIP, inbound and outbound calls are often handled directly, and there is no way to tell what number should go with what call. For example, I have a VoIP phone on my desk. It has three inbound numbers, [served from] California, Quebec, and England. Outbound calls go through a cheap VoIP service in Germany. When I make calls, the CNID is pretty random, sometimes comes through as private, somtimes as noise characters, sometimes as digits. I would be happy to give them one of my inbound numbers to use as the CNID, but the provider offers no way to do that, and they couldn't tell whether I was lying.

R's, John

Reply to
John Levine

(Moderator snip)

Well, it depends. If you file a police report then they do become quite cooperative.

But, I think (someone will surely correct me if I am wrong) Call Trace captures Caller ID, so if it's spoofed it's useless. They can set up an ANI trap, but that requires manual logging by the complainant.

Reply to
Sam Spade

And "the switch" used to be in a CO, controlled by Ma. Now, it's a PBX on someone's premises. Maybe Acme Dynamite Co. or maybe Google Inc. Or a wireless carrier, or....

The basic issue was the telco SS7 network has two piles: telcos, to be trusted without question; customers, not to be trusted at all. [After all, CCIS and SS7 came out of the bluebox era...] The idea that customers might own and control switches, and have trunk-side access to HER network, did not occur to them.

Reply to
David Lesher

formatting link

No privacy marker for ANI.

Reply to
Sam Spade

I have Vonage with my primary number in Washington, DC and a virtual number in California. Vonage always delivers my DC number.

Reply to
Sam Spade

I've not recorded [them], but [I have] asked them to identify, and for a mailing address. They either laugh or they hang up.

Reply to
T

And the SS7/ISDN screening indicator (e.g., Network provided, User- provided Not screened) which would help isn't delivered through CallerID.

Mike

Reply to
Mike Blake-Knox

Ask them where you send the money to. That is about the easiest way to identify them.

Also, of course, they do have good ANI. So the telephone company could in theory identify them, and all it takes to get the information out of the telco is a subpoena from a judge. And that subpoena is very easy to get if you're suing anyway... You just open a suit against an unknown party, get the clerk to issue a subpoena to the telco to disclose the party.

The problem is not the spoofer, the problem is really the telco.

--scott

Reply to
Scott Dorsey

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.