Don’t trust that number!

Kris Constable

I’m sure you’ve received an email spam from what appears to be a legitimate email address, saying you’re entitled to millions of dollars. You know that email address was spoofed, which is easy for any techy to do. It was someone pretending to be someone they’re not. The same applies to phone systems, and there’s a good reason for it. There are countless phone companies, and many more companies which own hundreds to thousands of telephone numbers. When you get a phone call from your bank or utility company, for example, the number (DID) on the caller ID is the main number of the institution, not the local number of the person making the call. Companies get to choose which person in their company gets which phone number, and they don’t want you calling back the person who called you. They want you to dial back to their main switchboard (PBX) and get routed to the proper place, where they know someone will be available to answer the telephone and help you. This is one of the reasons caller ID spoofing is possible: companies need to be able to change the displayed number in real time, as employees come and go.

With the prevalence of voice-over-IP (VoIP) technology, it is very easy to spoof a caller ID; you can pretend to be calling from any phone number you want. You can pay for services online that do this, or set up a VoIP DID yourself and spoof whatever number you want. The more people that know how easy it is, the more prone to abuse it is.

Just today, CBC News is reporting an incident in Langley, B.C., where it is alleged a hacker used the computer accounts of a woman’s son to call police through the family’s computer, saying he had killed several people and was holding more hostages at their home. This resulted in the SWAT team being deployed to their home, with firearms drawn. Not a situation anyone wants to go through.

Unfortunately for law enforcement, this means exercising due diligence in handling such incidents, as they will only increase. The telephone companies (telcos) are not really interested in resolving this. Doing so would mean implementing authentication (proof you are who you say you are) and encryption (making it so others can’t intercept or eavesdrop), but that would prevent things like telemarketing, and telcos make a lot of money from telemarketing.

I’m not aware offhand of any hardware phone solutions for the public that use authentication or encryption, but Whisper Systems offers encrypted voice (RedPhone) and encrypted text (TextSecure) solutions for the Android operating system. TextSecure is great: if the person you’re communicating with has it also, not only are all of your texts stored encrypted on your phone, they’re also encrypted going over the wireless telephone network! This means you can use TextSecure before a telephone call as a reasonable form of authentication. There’s also Zfone for making encrypted telephone calls on the internet.

Until phone companies around the world implement authentication and encryption, remember never to trust the phone number you see calling you, as it could easily be fake. This means if you get a call from your bank, or utility company, or even from a friend or family member’s number, you will never know it really is them. It could easily be someone pretending to be them, to get information from you. Treat caller ID like you do emails, or even letters in the mail. After reading this, you know that all three of these can easily be faked!