MPs urge action as spooky caller ID-faking services hit UK

good luck.

We have this in Canada, it is used by all sorts of scammers.

the government does nothing at all about it (probably some of their friends)

Bosses..

Phone your boss and tell him what you always wanted before it becomes illegal (might want to distort your voice).....

Evil thought could always pretend to be the bosses wifes boyfriend/girlfriend?

Customer Feedback

Have you read how some people use this system? Frankly most of the stories are disgusting abuses of trust and how anyone can call this system innocent is clearly Very misguided.

Well Matthew...

....today I'm going to be the House of Lords' tearoom.

Oh Dear

A few people are going to have to change their terms and conditions.

For example, www.bt.com/privacy

"BT Privacy at Home* registers you for the Telephone Preference Service which helps stop unwanted sales calls.

It also includes Caller Display**, which lets you see the number of the person who's calling, so you can decide whether or not you want to take the call."

All that goes down the pan if the person who's calling is not really the person who's calling at all.

Anybody know...

Does anybody know Royce Brisbane's number? ;-)

AC because when this happens, I don't want it coming back on me ;-P

applicable law

Apparently If I choose to sign up for this service their T&C's are governed by New York state law, hardly likely to worry me or anybody else in the UK.!!....

PS how does one lobby for this to be stopped without attracting more exposure to the service?

MPs beware - Spinners spun out

From what I understand in the article it should be possible to send a fax to an MP's Westminster office, with the fax appearing to come from that same MP's consituency office.

Something along the lines of "A package of £20 pound notes has arrived from your friend the property developer. Shall I do the usual?".

Then have a similar thank you fax to a real developer known to the MP, sent from the Westminster office number & Sun headlines here we come.

Just remember...

"Spookcall founder Royce Brisbane defended the service today, saying he had sought advice on whether the caller ID spoofing was legal under UK law prior to launching the service."

Any time that someone feels that they have to state that they're within the *letter* of the law, it's a tacit admission that they are in violation of the *spirit* of the law.

(Skull and crossbones because I'd not be overly upset if these schmucks were to see one of these peering up from the bottom of their latté cups some morning!)

Getting around anon call blocking

This happens already; incoming number from an 084x or 087x number simply so they can get around anonymous call blocking. And if you try and phone that number back... it's dead! (Besides, the displayed number should be the geo number that it's mapped to; anything else is spoofing anyway.)

Anon, 'cause it's like those using dirty tricks like this.

It's not a feature, it's a bug

If caller-ID can be spoofed like this, that means it's broken and needs fixing. It shouldn't be up to lawmakers to put a stop to it, it should be the telephone networks' job to verify that calls come from where they say they do. Where the lawyers may be helpful is in allowing us to beat BT with the "inaccurrate advertising" stick until they either fix it, or stop claiming that callerID is a service.

...unless I've completely misunderstood the system, and the phone networks are actually full of holes equivalent to open SMTP relays?

They won't strangle Phorm...

...so I'm not going to hold my breath waiting for this to be outlawed. I'm sure both are going to be making money for some MP or other.

Kewl

I'll dig out that autodialer and set my number to Phorms head office.

Incompetent leglislation - again.

"It should be up to the person you're calling to make sure you're who you say you are." says the guy setting this up.

Sure - we can work like that. Like we could allow people to counterfeit our currency and say that it is up to the person receiving the cash to check.

We don't allow that with money because the cost of such an approach is severe and obvious. Imagine the queues in shops and ticket offices if it was considered fair game to try and pass off dud currency and every front-line employee had to check every note and coin.

One of the roles of government is surely to prevent cases like this, where a tiny minority stand to make money at enormously greater cost to everyone else.

So, attempting to pass dud currency is an offence -and that is enough of a disincentive to reduce the risk to the point where the populace can swap money with each other quickly and simply.

How depressing to find that those framing rules for telecoms haven't been bright enough either to anticipate CLI-spoofing, or to have a catch-all provision that allows them to close down this sort of operation overnight.

Remember rogue diallers? Oftel (as they were then) couldn't see that coming either.

And the rest of us are going to work to an advanced age to help provide these comfortable fools with a gilt-edged pension.

As a telephone engineer I've come across this

As the title says

I've recently heard of people recieving calls from supposed confidential

contact lists, claiming to be from a certain company.

I've had, probably 20, "faults" this year relating to spoofed Caller ID's

They seem to be coming from overseas, as you can trace them on ISDN

well at least I thought I could!!!

I always tell the customer never to answer personal or company info, an to call the number back and verify the call.

maybe now it's going to get a whole lot worse.

When I see an 08xx number on my home phone, I tend to ignore it

but the corporate world answer every phone call.

I recently took a call from my local garage, well so I thought

It ended up being from a insurance company that were using a "LOCAL"

number to try and solicite business.

Absolutly Shocking

This should be stopped NOW

Paul

@AC

"If caller-ID can be spoofed like this, that means it's broken and needs fixing."

Hear hear! Give that man a beer. If someone does this to me then I'm straight on to Trading Standards plus Small Claims court to get back every penny extracted from me under false pretences that Caller ID was actually supposed to show me the number of the caller. FFS who amongst the ship of fools will take any responsibility for anything. I want someone to fine, right now!

Paris - because she is fine... <ahhhhh>

@AC

"If caller-ID can be spoofed like this, that means it's broken and needs fixing. It shouldn't be up to lawmakers to put a stop to it, it should be the telephone networks' job to verify that calls come from where they say they do. [snip]

...unless I've completely misunderstood the system, and the phone networks are actually full of holes equivalent to open SMTP relays?"

As I understand it, the caller ID is just passed from telco to telco until it gets to it's destination (as well as a preference flag for whether it should be delivered to the called phone). The delivering telco really has no option but to trust the originating telco. All they could do is check that it wasn't one of their own numbers as it came into their network, which would cost them to implement and which might help for big telcos but wouldn't make much difference for the smaller ones. Yep - pretty much like open relays except that at some point there is a telco accepting (or generating) the spoofed IDs and if it was made illegal to do it then it would be pretty easy to find out who was doing it by back tracing through call records.

50p a minute you say, hmm now then, where's that price list for PC based switches.

I for one...

Caller ID is the useless intrusive thing that's bothering me in the first place. It's already spoofable btw, so the threat is not new. Go ahead spookCall.

Electronic Tagging

CLI is used as part of the UK monitoring of electronically tagged offenders. Another nail in its coffin I fear.

Nothing New

Companies have been able to use it for years - most switchboards allow the CLI number to be set to whatever the operator decides.

Ban what exactly?

Bearing in mind that caller ID spoofing is used as standard by a wide range of users and businesses already there may be some difficulty in banning it. It is now quite a normal feature in a PABX to be able define the caller ID rather than leaving it to the network provider. The is the standard way of having all calls from a range of phones appear to come from one number. So waht exactly is it that everyone wants to ban.

Do we make it illegal to issue a caller ID which does not match the network number for calling the exact phone line making the call?

Do we make it illegal to issue caller ID which does not allow reliable call back to the business that was making the call (allows current generally used spoofing)

Or what?

For those of you that care caller-ID has always been broken since it is fed through the network from the originating exchange as a completely seperate signal from the originating caller signalling. It is simply a field that the network passes through without caring what is in it. All you needed was to be an "originating exchange" which has been widely and economically available to business for sometime and for a little while now available to anyone that wants via Internet telephony.

Anyone who wants to ban it, can we have some proposed wording for this law so we can have fun pointing out the consequences.

(p.s. Yes, I would like to ban it too but I'm not sure how. I already give call centres a lot of stick over this issue since they claim it clearly indicates who they are)

AC

i thought you just can cut off carriers that do not follow standards?

in the SS7 specs, the CI element may be set to untrustet, or network-provided...

if they _can_ set it to network provided, then the telco who allows this should be kicked sky-high....

Spookcall: either crooks or clowns.

Their T's and C's are full of clauses referring to "Federal law" and the requirements imposed on them FCC. FFS, take a look at this:

" 9. Call Free Surcharges There is a £0.50 surcharge assessed on calls made from the following locations: (1) Payphones, (2) Hotels, (3)Dormitories, (4) Hospitals, and (5) Other commercial phone lines. This surcharge covers charges imposed by the Federal Communications Commission [ ... ] "

(http://www.spookcall.com/terms)

And they claim to be an English company? They are lying or incompetent. Any agreement with them purportedly governed by these terms and conditions would be ripped to shreds and thrown out of court in microseconds.

They are clearly any/and/or/all of ignorant, incompetent, dishonest and crooked. Either way, you don't want to do business with them. No way on earth would I trust them with my credit card details.

Now, off to check the DPR and Companies house...

No discussion, just ban it!

I can't see any legit reason to use this CID-faking "service", and having already received a couple of international calls using it (number 0000-0000 was a dead giveaway) I would refuse point blank to even talk to any a**hole using this piece of crap, other than to deliver a nice slice of invective.

Surely it's a pretty clear case of misrepresentation, and since we're talking about commercial companies (for the most case) then I would have thought that even using it would be some way to "attempting to obtain monies by deception".

As an aside, if the CID system *is* that broken then why hasn't some expert sued the pants off of BT for providing a "service" that doesn't do what it claims? This'd be my best hope for a solution, seeing as our current crop of politco's have proven pretty useless! >-(

I figure what I need now is an answer phone that's smart enough to be programmable with a "white list" of known good numbers, (that get put through if I'm in), and all others get automatically sent straight to the answer service. Okay I realise that this won't protect against a determined a-hole, but it'll certainly reduce it to manageable proportions, no?

Is it just me, or is comms in the UK looking more and more busted by the day? Capped broadband, traffic shaping, Phorm, and now this... :(

skype anyone?

If you buy a number from Skype can't you get London 0207 or 0208 area codes?

Isn't this a form of spoofing?

Also re: Sean. Absolutely, anyone who RELIES on caller ID should really be more versatile.... i often answer the phone to some poor sales person from the far east who only wants to sell me something, its great fun to see how much you can wind them up and mis hear or pass the phone to your mates, then hang up, long before any personal or payment info.

Old Tricks, New Implementation, That's All

Hey, personally I am not too worried about this. You can do everything this service offers with the right voip account (cheaper too) and some inexpensive or even free (Asterisk PBX) software. Any criminal intent on this kind of deception is already doing it and has probably been doing it for at least 4 years.

The service is too expensive for any tom, dick or harry using it as a serious money making tool. As stated, you can do this much cheaper with a wee bit of googling and a couple of hours on your hands.

All I see this service being used for is the "Hey, i've just murdered your family and stolen their house! Only Joking!!!" kind of gag!

Don't worry people. Anybody who reads Reg has at least enough common sense to know when they are probably being duped. If anyone rings asking for your credit card details, regardless of what number it comes from tell them to bog off! Caller ID is no proof that the call is genuine and never should be used that way!

One thing I will warn though is: PINS on your mobile phone voicemail systems as some do use caller ID to verify the subscriber, but we all have PINS set already! Right??

Dz

"It's no spoof ......

..... Honest Mario, 50 Pizza's to the usual address. You have my caller ID, who else could it be"

Credit Card at the ready, Dialing finger at the ready, Camera pointing at the neighbours very shocked face as he receives his fifty meatfeasts!

@MPs beware - Spinners spun out

"From what I understand in the article it should be possible to send a fax to an MP's Westminster office, with the fax appearing to come from that same MP's consituency office.

Something along the lines of "A package of £20 pound notes has arrived from your friend the property developer. Shall I do the usual?".

Then have a similar thank you fax to a real developer known to the MP, sent from the Westminster office number & Sun headlines here we come."

Whilst I agree with the comments re fraud etc, your perspective sounds like a rather useful way of subverting the system. Posted AC for obvious reasons...

Skype

@jeremy

"If you buy a number from Skype can't you get London 0207 or 0208 area codes?"

No because London has only one area code, which is 020.

</pedant>

Don't worry! Be happy!

These things will all be sorted out when the UK introduces, by stealth, the Biometric ID Cards which will:

Stop all terrorism*

End illegal immigration*

Make all telephone calls transparent*

Make the sun shine whenever you want*

Reduce petrol prices to 10p per litre*

Make all politicians tell the truth*

(* subject to New Labour being re-elected and Treasury approval)

Mine's the one with the target on the back

About CLI for companies with PBXs

Most CLIs for PBXs are set by BT at the local exchange and in ISDN in the information that goes along with CLI is the reliability of the CLI some of the options are "User, Verified and Passed" or "User, Verified and Fail" "Network provided" the upshot of this is the Telco has control over the CLI.

However the inter-exchange protocol called SS7 (BT use a variant called IUP and upgrading to UKISUP as well as 21CN) companies running this equipment are able to spoof any CLI. But for a company to be able to operate equipment they have to pass tests, which has a part dedicated to CLI and IIRC spoofing CLIs would fail the tests, so unless its changed recently I don't know how they've managed to be allowed to interconnect to the BT network.

<Disengage geek mode>

I can spoof caller-ID ...

... but I'm not supposed to...

As a reseller of a wholesale VoIP/PSTN interconnect service, I have the ability to present any number I choose over the network, but I've signed a paper, part of the T&Cs, that says I won't present numbers that don't belong to me (or my customers)

I don't think there's any law involved here, just agreements between telcos.

But this is just extracting the urine. I'm convinced their upstream will pull the plug on them PDQ, especially if they've got the same sort of T&Cs I signed up to.

Reg Lexicon

I'd like to request a preemptive ban on "vishing" because it's such a toss, contrived word and nominate "Phuckers" for inclusion in the Reg Lexicon next to mobe and lappy.

Phucker - abj. a company, person or (more likely) government agency who allows possible revenue to overrule common sense decency.

Awful, but there should be a simple solution

I'm not sure what exactly the law says, but spoofing should be illegal unless the spoofer owns the number it pretends to be calling from.

In other words, a company that owns a certain number may pretend that it calls are coming from it (which covers the desire of a company to have calls from a range of their phones appear to be coming from the same number or call center workers working from home), but some abusive type would not be allowed to call someone else pretending that he's calling from my number.

PukeCall: Identity Theft

From PukeCall's FAQs:

"What number will show up on the phone bill of the person whom I call?

"Whatever number you enter as the Spook number will show up on the bill of the person you called. They won't ever see your actual phone number!

"Can any number be used to show up on the Caller ID?

"Any 11 digit number can be used. Not only will the number show up but also the Name registered for that number would automatically appear."

Well, PukeCall couldn't make it any clearer: the "service" exists as a facility to perpetuate a fraud by dint of ID theft, because the PukeCall subscriber is stealing the identity of the person registered to that number.

PukeCall isn't stupid. It knows it has a stricty time-limited life-span in the UK. It's invested nowt in its website (well, allright, maybe 50p then) and is taking a punt on how much money it can rake in before it's closed down.

By comparison, UK legislators / UK Parliament are stupid.

By the time anyone / any agency actually gets around to doing anything at all, PukeCall will have made its fast buck.

In the UK nowadays, it isn't a case of knowing right from wrong.

It's a case of figuring out how long you can stay in the wrong until something's done about it.

So I can call....

So I can call my wife on her mobile whilst she is at her work from anywhere, but spoof my number so she thinks I am at work or home?

Or phone into work sick from my mobile on a beach in the South of France and they will think it is from my home line!

Marvelous!

SpookCall trading details

SpookCall address:

22, Harlesden Walk, Harold Hill, Romford, Essex RM3 9HS:

http://www.spookcall.com/distribute

Romford area trading standards department link:

http://www.havering.gov.uk/index.aspx?articleid=304&contactid=2394

Trading Standards works with law enforcement agencies to ensure that trading activity in the UK is lawful. Identity theft in the UK is unlawful.

As SpookCall's "business model" centres upon the commission of an illegal act (by conspiring with others in the passing-off of identities for the purpose of deliberate deception) the Romford trading activity would appear to be unlawful.

Reg readers can email the London Borough of Havering Trading Standards department via the above link.

Caller ID not working

I think this is absolutely terrible. Phone providers have a caller ID system which no longer works.

And probably nothing will happen, till someone big gets put out by it.

Who has the number for 10 Downing Street?

And I don't mean the one everyone knows.

1471 RIP?

Presumably all UK telcos will now be informing all their customers that their 1471 service is now useless, and hence will be withdrawn forthwith?

Bank Phishing

I've had two calls in the last two days, claiming to be from my bank.

The call appears to originate from a number which is *almost* the same as one of the banks actual numbers, and the caller claims to have an enquiry 'on my account'.

Fortunately I have refused to answer the security questions the say to have to ask before telling me anything about the enquiry - I have since verified through two separate departments of the bank that there are no notes on my account and the enquiry must be bogus.

The caller offers an alternative 0870 number I can call back on. I have had the bank call it and test them with internal security questions - no suprise they were not able to answer the questions.

<OUT OF AREA>

The indians already mastered this one, hello hello answer the telephone.......

Nope as its <OUT OF AREA> another marketing call by someone over there selling someone over here something they know nothing about.

RE: Actually...

"I had exactly the same thing a few months ago, and told the guy I wouldn't answer questions on an incoming call. The bloke offered me what he said was his DDI to call. How helpful. I declined and looked the number up on their website instead.

You do know that web sites can be spoofed as well? I would look it up on a paper statement. Or don't banks in the UK mail out statements?

I kept getting calls about a new credit card account. I kept ignoring them because the calling company was not the one I opened the account with (they contract with the other company), and I had no reason to believe I owed them (it was supposed to be 0% for a year). As it turned out, it was 0%, but they still wanted a payment every month (not the usual practice over here), and I hadn't sent them the first one.

Finally they sent me a letter. I called the number they left, but didn't give them any financial details. I told them I'd call back to the customer service number on my statement. He didn't understand my concern. "But you'll just get forwarded to us at collections again, until you pay the arrears."

-Chris

Verifying incoming calls

There's actually a simple way of verifying if an incoming call is from your bank's call centre, or indeed any company's call centre. Sadly, I don't know if I'd be able to get it patented.

@Information Commissioner informed and very interested !!!

The ICO!!! interested?

That would make a change.

Why would they be interested in this but totally ignore the greater issue of Phorm/Webwise doing deep packet analysis on all our personal data while web browsing and illegally profiling copyrighted website data.

What about the illegal BT trials which injected javascript into our http data?

The ICO is a joke in my opinion.

Paris, because she loves a deep packet inspection.