MSNBC/NYT: Caller ID Forging [telecom]

[Quote from MSNBC]

Caller ID has been celebrated as a defense against unwelcome phone pitches. But it is backfiring. Telemarketers increasingly are disguising their real identities and phone numbers to provoke people to pick up the phone. "Humane Soc." may not be the Humane Society. And [do you] think the I.R.S. is on the line? Think again.

Caller ID, in other words, is becoming fake ID.

For full article please see:

formatting link

Reply to
Loading thread data ...

Can someone point to technical articles/references/etc. giving details about how various methods of caller-id spoofing work? Down to the level of bits in signaling protocols, trunk interfaces, etc. If a reader has such references but is hesitant to reply publicly because of the sensitivity of this issue, you can email me privately, performing an obvious edit on my reply address.

To allay concerns, I want to understand this better to try to figure out ways to alleviate the problem. I'm an ex-big-telecom systems engineer (Bell Labs, etc.) who was in the business when Local Area Signaling Services (SS7 for local switches) was introduced, making Caller-ID possible, and it's irritating to me that a service intended to eliminate heavy breathers is now being subverted.

Reply to


The old fashioned way was to order digital trunk service such as an ISDN PRI and configure your PBX to send false numbers. The telcos accepted the numbers provided when the call was set up because that enabled the PBX to (for example) provide the DID number for the actual caller rather than the number for main reception. The obvious way to stop that abuse would be for the telco switches to verify that the number provided was associated with the trunk in question; I don't know if this isn't done because it's too much work, or the switches don't have the capability, or because the large organizations with direct digital network access also sometimes routed calls over private lines and thus might legitimately place a call, say, from an office trunk in New York using a number associated with a trunk provisioned in Los Angeles (with the additional complication that those trunks might be provided by different LECs.)

I'm not sure if the proliferation of VoIP has created new mechanisms for caller ID forging; I hope someone familiar with the topic can comment.

I view it as an arms race, with telcos as the arms dealers: they offer you caller ID (at a price), then charge companies for the capability to override it. Neither of you is any further ahead than you were before called ID was invented, but you're both paying the telco for an additional service. And, yes, that is *very* irritating.

Reply to
Geoffrey Welsh

Caller ID was sold to the public as a way to "eliminate heavy breathers", but that was a Big Lie from day one, which is why states such as California didn't have the service until the FCC forced the issue. The real purpose, of course, was to enable businesses to gather the numbers and use them to place junk calls.

Caller ID is normally inserted by the switch where each call originates, and is carried from one switch to another by SS7 (though there is still some older equipment out there which doesn't support SS7 and so can't pass it along).

While it is possible to fool some Caller ID displays by sending a phony ID signal during the call (the actual signal is sent between the first and second ring), by far the dominant way it is faked is for the call to come from a PBX which is programmed to send the fake number. The only way to prevent this would be for the next switch that handles the call to check whether the number sent by caller ID legitimately belongs to the PBX owner (and refuse to pass it along if it doesn't) -- which would be easy but which telcos have resisted because they want all the traffic they can get, including traffic the recipient doesn't want.

If the FCC were our friend it would have required this when Caller ID was first introduced.

Reply to
John David Galt

Basically as I understand it and from doing a limited google search it involves using a PRI "Primary Rate Interface" line and manipulating the outbound caller ID which you can do with that type of service.

I found this reference which explains it pretty well:

formatting link

Reply to
Joseph Singer

Without going into detail, _anyone_ who controls an SS7 node can cause any line to generate arbitrary CID information for any outgoing call. If the 'telephone company' is a 'bad actor', *ANY* call information can be forged/ corrupted/incorrect/inaccurate/untrustworthy.

The PSTN is much like the early Internet in this respect -- every node 'trusts' every other node to be 'honest' about what they're doing. And there are little-to-no provisions for either 'detecting' *OR* 'rejecting' dishonest actions. That said, the 'alternative' -- having every node 'know' what CID info was allowable from every neighbor node -- is impractical to implement.

Secondly, CPE with 'digital' interconnect (ISDN PRI or better) to the LEC have the ability to supply the CID data for every outgoing call. The LEC -can- apply 'filters' to this customer-originated data -- and only 'pass' data that is within a block assigned to that customer. *SOME* providers -do- do this. *MANY* do _not_.

The 'simple' description of "how it's done" is that the gear that -generates- the CID data is under the control of the party _making_ the call, and can be 'coerced' to do 'what the caller wants', regardless of what is 'correct'. An 'immediate upstream' telephone company -- an LEC or IXC -- *could* check, and limit the data the customer puts in those fields.

*BUT*, doing that 'costs money' -- for the database, for the software that makes the check for -every- outgoing call, for the labor of putting info _in_ the database, and for the labor of *verifying* that the customer is 'entitled' to use those numbers. And all that 'cost' does NOTHING to _benefit_ the phone company, _or_ the customer who is making the outgoing calls.

Which leaves the question hanging: "WHY -should- the phone company spend all that money for 'no return'?" If they have the legal option of _not_ doing it, why reduce profitability _by_ doing it? Viewed in -that- light, doing the filtering is a 'breach of fiduciary responsibility' to their stockholders.

The *ONLY* way the matter is going to be resolved in favor of customers is by governmental regulation.

Aggressively enforced regulation specifying two things, with stiff penalties for any violations: 1) that end users can only supply CID info that identifies -them- as the calling party. e.g. OK to use their toll-free number, or the number of their switchboard, but *not* a number that belongs to 'somebody else', or one that is 'not currently issued'. 2) That a telephone company must 'verify' customer-provided CID info on every call, and restrict the number presented to numbers that are 'confirmed' as belonging to the calling party. There are two areas of 'difficulty' with this -- trans-border calls, and domestic VoIP gateways. Disallowing 'domestic' numbers as CID on transborder calls would be one way of dealing with the first issue.

VoIP is 'solvable' by aggressive checking/tracking of 2) above, with forcible termination of PSTN connectivity for those with sub-par compliance.

Reply to
Robert Bonomi

I can configure my VoIP CID to show any arbitrary number. Interestingly, I can't configure the name, that is apparently controlled not by my VoIP vendor, but by another party (whether the original telco that had my number (Qwest), or the local company (XO) who seems to be somehow involved with the ported number, I don't know).


***** Moderator's Note *****

Good question. Of course, the "name" shown in a caller-id display is from ultimately from LIDB, but I'd like someone to review the process that populates the database from which caller-id-with-name is drawn.

Bill Horne Moderator

Reply to
Dave Garland

Most CLECs I have encounted lately do this filtering automatically. For instance, on my PRI trunks, I can not send out a CLID number that is not in my range of DIDs, whereas I could with the old ILEC trunks on the same gear. When shopping around for trunks for my customers, I couldn't find a CLEC that wouldn't not filter without going through a lot of hoops. The ILEC was clueless on the question, but since they are dinosaurs, their position may not have changed.

But that doesn't discount the bazillions of existing PRI trunks in existance without the filtering. The LECs don't go around proactively doing more filtering in fear of breaking things.

Yep, VoIP systems can pass the CLID data along to be presented in a side channel, and depending on the provider, can be pushed out and sent along in the PSTN as the normal signalling upon normal call delivery. Not all providers support such, and even less filter based on the VoIP trunk DID ranges. Some other VoIP providers even provide a webpage to set your outbound CLID data for your line.

Reply to
Doug McIntyre

What a lovely illustration of the subjunctive being used to help identify a counterfactual :-) .

Cheers, -- tlvp

Reply to

I don't agree with the last sentence. Indeed, doing _nothing_ could be seen as a breach of fiduciary responsibility

Good customer relations is an essential part of running a business. A company that angers its customers will eventually lose them. Today, consumers are upset at the flood of unwanted calls (legal and illegal) and even more upset that the Caller ID, which many pay quite a bit for, isn't working.

Over the years, many businesses, including the telephone industry, self-regulated themselves so they maintained control rather than having the government come in and dictate to them what to do. For example, Hollywood self-censored its work rather than have the government do it. The old Bell System worked hard overall to have very high service quality standards to avoid trouble from regulators.

Unfortunately, perhaps modern businesses do not think about such things or simply are too focused on the short term bottom line, and government regulation is necessary.

I hope [those] suggestions are implemented. More than stiff penalties, I want to see swift and sure enforcement so the violators know there's an excellent chance they _will_ be caught and punished before they can leave town.

Reply to

Bluntly, you either;

1) don't have any idea what 'fiduciary responsibility' means. or 2) don't have any idea *how* the modern PSTN works.


Given that the 'telephone company' of the party originating the call and the 'telephone company' of the party receiving the call are two *different* entities -- as is almost invariably the case for marketing calls. Then:

1) The telephone company of the party receiving the call CANNOT do *anything* to prevent or even detect spoofed/forged CallerID info. No amount of money spent will make one bit of difference in customer attitude/opinion about the 'value' of Caller-ID. 2) The telephone company for the party _making_ the calls =has= a financial incentive *NOT* to filter 'customer-supplied" CID data. If they _do_, and -any- competitor does _not_ then every potential customer wanting it will flock to the competition instead. This means that they spend extra money -- to do the filtering -- an the result is to drive potential customers away. This is -not- consistent with the duty to operate the business in a way to maximize shareholder values.

As long as *any* telephone company offers service that does NOT include filtering of customer-supplied CallerID data

A) -recipients- of phone calls will be 'unhappy' because they are receiving 'mislabeled' calls. And, in actual fact, the _rarer_ the mislabeled call, the -ANGRIER- customers will be about those 'errors'.

B) It is against the financial self-interest of _every_other_ telephone company to do such filtering. Customers receiving such calls have no way of knowing 'who' the caller's phone company is, so they have no way to 'assign blame' where it belongs.

Thus, the 'quality' of CallerID information is only as good as what the -worst- originating telephone company enforces.

For ALL these reasons, the -only- way that the public will get 'reliable' Caller-ID info is via government regulation that _requires_ originating telco enforcement.

Reply to
Robert Bonomi

How do you propose to find them when they are sending out invalid caller ID to prevent you from finding them?

What if they are in India? The DNC list has driven a lot of telemarketers offshore.


Reply to
Scott Dorsey

There is a great push in the Central Oklahoma area to have the number presented to the emergency service agencies from PBXs be the acutal extnesion number, which they can enter in their records with an actual location.

They are complaining that when only the main number is given from a PBX, that location may be miles away from where the actual caller is (and where the need is for fire, ambulance or police).

Wes Leatherock

Reply to
Wes Leatherock

Personally, I think Caller-ID should reflect the nature of the caller, which is why I was amused to see this call on my Caller-ID box some time back:

formatting link
(For those who don't want to click through to the photo, it reads "Phone Scam").

I was left to wonder who fixed up the database, and how we can encourage more of it. Think of the labels: "Crooked Politician," "Soul- sucking Relative," "Crazy Ex," "Scummy Co-Worker," and "Ruin your dinner hour charity call."

Reply to
Daryl Gibson

This is correct only as long as the feds require any carrier that receives Caller-ID via SS7 from an earlier carrier to pass it along unchanged.

But what I would like to see is an agreement among phone companies to be ethical, defined as follows.

1) An ethical telco does not pass along any Caller-ID from a call originating on its network (at least not without flagging it as "unreliable" in some machine readable way) unless it can authenticate that the number belongs to the originating subscriber. 2) Similarly, an ethical telco does not (uncritically) pass along Caller-ID it receives from another carrier unless that carrier is known to be ethical also. 3) If an ethical telco receives a large number of complaints that one of its subscribers placed unwanted calls, and technical records show that the calls did take place, the telco will disconnect the subscriber and share his identity with the other ethical telcos and the public in a blacklist.

Allow this type of cooperation to take place (and let telcos write contracts giving subscribers the right to demand it) and regulation on the subject would no longer be necessary.

Best of all, the marketers would still be allowed to have phone service, but the majority who don't want their calls would be effectively protected. Let the law ban any circumvention of the filters as it now (too broadly) bans the circumvention of "DRM" technology.

Reply to
John David Galt



I think the point is that a business oriented phone company may not have as customers all those upset people - so they do not have to care.

/snip/ Regards

stephen - replace xyz with ntl

Reply to
Stephen Hope

False to fact. Unfortunately.

You ... overlook several critical facts; A) there is no financial incentive for any telco to enter into any such agreement. B) spending the money to _do_ the authentication, does *not* bring in any additional revenues. Unless it is a required function, this is against the best interests of the stockholders. C) There can be no significant penalty if telco signs your 'ethical' contract, and reneges on the terms.

There is no provision in SS7 for such a flag.

This is 'theoretically' possible. But the cost is very definitely non-trivial It involves adding a database dip to the processing of every *incoming* call, (where there currently aren't _any_) and creating/maintaining the database itself.

Unfortunately, with the current state of the law. This is simply *NOT*


To -make- it possible, one would, FIRST, have to have a law that makes providing 'false' CID info a _criminal_ action, and SECOND, have a criminal _conviction_ for that violation *before* the common carrier can terminate service to that party.

One of the -fundamental- aspects of 'common carrier' law is that a common carrier is *required* to provide service to ANYONE who can pay for it, unless they are using it for criminal activities.

This _is_ something that requires *government* regulation -- along the lines I described -- to accomplish. There are no viable alternatives.

Reply to
Robert Bonomi

That may be true anyway. I have configured a branch office with no trunks but a T1 back to the PBX at the main office. Some staff at the branch office had DIDs that could have been registered at the new address but some extensions were not DIDs so the main number would have been used for CID. In retrospect that was awfully foolish of me: a 911 operator could have been forgiven for assuming that the address in question was accurate but I might have ended up in a lot of hot water if emergency services showed up to the wrong address and someone was seriously effected as a result (the offices were only a few doors apart but, in a situation like a heart attack, the extra couple of minutes to redirect the responders might have been critical.) I'm probably not the only person to have made such an oversight but hopefully this will remind us all to be mindful of the issue.

Reply to
Geoffrey Welsh

For what it's worth, the first sentence in my Business Law texbook on Common Carriers states "A common carrier has the right to make reasonable and necesarry rules for the conduct of its business."

Actually, common carriers have always had rules about what they would deal with and would reject submissions that did not comply with those rules. For example, we obviously can't shoot 120V house current out over our POTS phone line. For digital trunk customers, the signal obviously must meet specifications regarding basic electrical properties as well as format of header and data bits. To stretch the obvious, there are already edits in place--if you would submit a telephone call with an invalid NPA, that call would be rejected.

It seems to me that it would be possible, without massive legal rewrites, to tighten the edits for submitted calls to protect the network from Caller ID misuse. After all, some callers are spoofing Caller ID for fraudulent reasons.

If I am in error in these comments, a citation to a text or website where I might learn more about it would be appreciated.

[public posts, please]
Reply to

That's intriguing. Is the network-provided bit actually sent to the end user at all? If it's just a matter of processing it, maybe I'll roll my own.

Reply to
John David Galt Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.