Ofcom, about as much use as a chocolate teapot..
Ofcom said today it has responded to the launch of a new service enabling scammers to spoof their caller ID by, erm, writing a letter to the firm responsible. Yesterday we reported on how members of parliament have asked regulators to examine Spookcall, a new company that has brought the US practice of caller ID-spoofing to …
Given the currently 'frosty' state of El Reg's 'relationship' with BT, do you think they ever will?
Or at least some time prior to the next Ice Age in Hell!
I cannot think of a legitimate use for this service outside of MI5 or 6, even then it's dodgy.
Pull your finger out Ofcom
A lot of telecom systems use CLI as a security check (voicemail being an example), this service may now allow unauthorized access to many private services.
Yeah apparently Spookcall tried to ring Ofcom but Ofcom couldn't verify their caller ID and refused to believe it was them.
"Stop or ... we'll say stop again"
...That this came up several years ago. At the time all the same issues as today were raised. However, I seem to recall that there may have been an option to specify on a line that only true caller ID was to be used, rather than fake Caller ID.
Can anyone confirm/deny this ?
ofcom were watching this with interest....
I bet they were thinking... "eh, phones... that is technical stuff that is, number changing... eeehhhh by 'eck, bet that could be used t' cause mischielf, 'n 'appen it will.... ehhh cock..."
*imagine some slack jawed yokels in an office*
Ofcom are a joke and having reg phone them up probably woke them up.
Can we have an icon that is something akin to cleetus from the simpsons to represent all Quango's that are inept, be it the energy regulator that lets the german owned power companies hoard our supplies and hold us to ransom, ICO that is siding with the bad guys because people are too thick or ofcom that just lets the industry win by merely turning up.
But that doesn't mean we need to accept it... Eg. right now BT rejects incoming caller ID from abroad because "it can't trust the data presented", so all BT has to do is reject caller ID when someone originates a call from the spook network. Other operators need to follow suit too, so with a bit of luck it could very well be self-regulated and be stamped out literally overnight.
However if (say) an operator were making money out of it - in the same way that ISPs were going to make money out of Phorm, then it might not be in their best interests to block them...
I wonder who Spooks carrier is ...
I note that Ofcom are currently investigating an ITV broadcaster (Martin Brundle). Apparenty, he used a word (pikeys) in the broadcast before the start of the Canadian Grand Prix that 7 people found offensive and wrote to complain about.
Yet they don't seem to be too concerned about issues that relate to the potential massive loss of privacy of th entire population, despite a very large number of complaints and calls by MPs to do something. Why is this?
Helicopter icon because I expect that having used the offensive word in this comment, I will soon ........
“We've contacted BT for a view on Spookcall, but it hasn't gotten back to us.”
Given that BT have already spoofed website communications to tens of thousands of their customers and plan to do similar to millions, I think BT would be (web)wise to make no comment.
"Ofcom, about as much use as a chocolate teapot.. "
Sadly that is not the case, a chocolate teapot has a use, ... you can eat it. Yummmm
Ofcom, who have no use what so ever.
An old schoolfriend of mine use to run a company called Komtel, and whenever anyone at the company called anyone else it gave the company 0800 number, Apparently BT has offered this service for years and calls it "Presentation Numbers"
So you can have an 0207 number that has a presentation number of 0800 123456.
This service is available already, now there is a company offering it to joe public and not businesses so the world is up in arms, I suppose that as long as the company records the incoming and outgoing numbers so in the event of a query by ofcom they can say customer with number 01234567890 called 01432 123456 pretending to use number 0870 123456 at this time and date for x minutes there can be no problems (obviously provided only with appropriate legal requests for information as per the dpr rules)
Jordan because the world has been as simple as her in ignoring the technology
CLI has been trivially forged for years - especially now we have better passing of international CLI data. Anyone who thinks they can use CLI as a security measure is kidding themselves and should stop it immediately.
You want ofcom to shut them down immediately, because people say they should? 2 minutes after that they'd be in the courts.
If that firm claim to have taken legal opinion then there's at least an arguable case that they aren't breaking the law, so as regulator I'd AT LEAST send a letter asking for their point of view before laying the smackdown, and no email would not be appropriate.
Assuming they were alerted first thing on Monday (doubtful) they've had two and a bit working days. From being given information to following it up, looking at the website, deciding what to do about it, and writing and sending a letter. Even if they sent the letter by the end of Monday (doubtful) and the firm replied immediately (VERY doubtful) they still wouldn't have anything to say yet.
Note I'm not saying Ofcom WILL be useful, I'm just saying we can't possibly know yet. And if you're arguing "they've never done any good before" then I don't see how it warrants a new article. An update with their response in the original, maybe
If the US is any indication, it's not as much of a big deal as people are making it out to be. It's not commonly used for more than joke calls by teens. It'll be used occasionally for identity theft and fraud, but I'd guess that the majority of their business is prank calls by highschoolers...
But then, a lot of people who have CLID services in the US don't use them (landline-wise anyway). I know quite a few people who don't even know they're subscribed to it or have a compatible phone.
The biggest malicious use I've seen for it yet is calling someone from their own phone number to get into their voicemail without being prompted for a PIN. You'd think the telco's might've considered that one...
I noticed that BT's 'Choose to Refuse' service is not fooled by the CLI masking. If you dial the usual 14258, then use the ** method to block the last number which called you, BT's system will block the caller based on the actual telephone number used, not the CLI sent.
I found this out when blocking a company who were pestering me back in January 2008.
You can sort of understand why regulators are captured by incumbents: they spend a lot of time in the same room, the incumbents employ competent lobbyists with large expense accounts, etc. Regrettable, but human nature being what it is you can understand it.
But why on earth does Ofcom feel the need to pander to slime like this? It's not about courting popularity, it's not about market influence. I suspect it's just cowardice: Ofcom have got so used to saying ``whatever you say, Sir'' to large companies, it's become the default position.
Paris. Because one day we'll get a video of Ofcom negotiating with sleazebags.
Bought some credit. Dialed my mobile and also presented it as the calling number. Straight into my messages. Nice, not!!
Yup the watchdog responsible for protecting my consumer rights, preventing monopolies from abusing their power and from people using telecoms for scam's where possible.
This kind of technology is YEARS old and ofcom are only just becoming aware of it, why do I get the distinct impression that I shouldn't hold my breath on them actually doing anything useful on this.
0870, 0845 and 0800 are not real numbers (obviously) - they are just pointers to a real number which is normally tied to a ISDN30 circuit at customers premises.
The PBX or sometimes BT will use CLID to present the known number on outbound calls. The reason for this is that the caller return number will be correct as the real non-geographic number may not handle inbound calls.
An example is a call centre in Norwich may be setup just for outbound dialling on a automated dialler system. You call any of the numbers that are really on the attached ISDN30 circuits and you'll get nowhere. Instead we used CLID to present the 0800 numbered call centre in Manchester which deals with our inbound customers.
This way we didn't need to spend thousands on inbound call monitoring equipment and didn't have to spend ages training agents on inbound call handling as well.
There is a legitimate for CLID "spoofing" - but obviously this example isn't one of them. OFCOM should do something - but banning it outright just isn't really a posibility.
BT has been providing this service as a legitimate offering for some time.
It's called Presentation Number and enables you to contact people using Anonymous Call Reject [ACR] and it's very cost effective.
Spookcall has obviously found a way of reprogramming the outgoing number for itself. This means that if you have ACR you are no longer protected from the "we're not selling anything" brigade [terminology used to get round the fact that you've signed up to the telephone preference service]
There are lots of nefarious uses for this functionality but OFCOM probably won't do anything until 020 7981 3040 or 0300 123 3333 is used on outbound scam calls.
If you want to get revenge on annoying cold callers have a look at this short film at http://www.bbc.co.uk/dna/filmnetwork/A23448819 Cold Calling
Now where did I put my black hat and shades
I'm not pushing for a kneejerk response here, but do I think taxpayers have a right to expect Ofcom to be open about how it plans to address public concerns (i.e. what information has it asked for), to communicate what its powers are in respect of a situation such as this, and generally be a bit more on the ball about an issue that it claims to have been monitoring for three years. ATB,
- Chris Williams
Since Martin Brundle made the comment in Canada, and is thus subject to Canadian law on the event, the only beef that Ofcom can have is with the broadcaster in the UK
When I received a credit card, I had to activate the card by calling from my land line to prove I had received the call. Could this system be used by bastards stealing credit cards to activate as if they were calling from the scam-ee's house?
Paris because SpookCall is about as honest as the shape of her nose..
I've dealt with Ofcom once - BT were making a mess of connecting my phone line, with delays, mysterious cancelations of my order and no one in customer services able (or willing) to do anything about it. I phoned Ofcom who listened, agreed that the service from BT was inexcusable and go involved with my case. A few days later everything had been sorted out, BT apologised and gave me a fair amount of compensation. I think Ofcom are great.
Not sure about other networks, but the voicemail on virgin mobile can be setup to require a PIN, even when called from ones own phone.
2 for Mailbox features, 1 to set a pin, 9 to goto the pin prompt menu, and 2 to enable.
As always, RTFM...
I'm shocked...callerid spoofing has been around in this country for years now - I've even received calls from BT which have presented as 01234 567890 in the past. The sales droid struggled to justify why I was so pissed off - didn't really understand the concept of callerid, which shows how many years ago it must have been!
I really thought the public had realised by now that callerid could not be trusted, and that it could be spoofed.
From memory, all you need to do this is an Asterisk or similar system, hooked up to an ISDN line. You can then choose which number to present. Been a while since I looked into this though, so could be wrong on the line type required - might even have been a straightforward business POTS line.
And £5 for 10 minutes - seems absurdly expensive to me...must be to pay for the lawyer fees they're probably going to occur when people start to use the service in a fraudulent way (I can think of a couple of legitimate uses, but most are fraudulant).
And there is an icon on this post, the only worthwhile one, marked 'None'....
...new celebrity scandal stories in the tabloids as the less scrupulous journalists cotton onto the idea of listening into other people's voicemails effortlessly.
Come to think of it, all that needs to happen for this service to get put on ice is for someone with the mobile numbers of a few high-profile politicians to get dialing... then again... maybe being able to pick up cabinet ministers' voicemails would lead to a new era of open government!
"From memory, all you need to do this is an Asterisk or similar system, hooked up to an ISDN line. You can then choose which number to present."
I always thought that BT validated the number you were sending out against your DDI number range. If the number you tried to present didn't match, BT would re-set the presentation number.
To do this, suspect you need some form of carrier connection to the telecoms network, not a boring ISDN. (but I could be wrong...)
So, you expected something else ?
Like action ?
Why change the habit of its lifetime ?
"Bought some credit. Dialed my mobile and also presented it as the calling number. Straight into my messages. Nice, not!!"
Like others have said, this has been around for ages- and if "is it the correct phone number" is the only security your voicemail has I'd either not use it or expect it to be nicked and check/sort/delete it frequently.
If it's some sort of corporate system or even a company phone, then you should consult your boss (or IT staff if they're any good) about what to do. Perhaps get their phone number and use their deskphone/your mobile on speakerphone/etc to listen in to their voicemail (with them in the room, of course) to show just how dangerous it is.
This could lead to a lot of embarassment... anyone got a list of Tory MP's phone numbers to crosscheck with their friendly local dominatrices?
Paris because she knows what happens when phone details go public...
They're MPs and they're supposedly the people who MAKE the laws.
Surely, an emergency motion along the lines of "This house hereby declare it unlawful to use any Caller ID not allocated to the caller when making calls to, from or via the United Kingdom" and a majority vote in favour ought to put paid to the problem once and for all?
OK, it can't be quite as simple as that -- it has to be written in goggledygook otherwise the lawyers won't be able to make money arguing about what it means.
But that is precisely what is needed -- along with perhaps a further law preventing all future laws from being written in gobbledygook.
Where it will duly sit until the next time some journo calls when ofcom will still be 'monitoring the situation'. I still can't help visualising ofcom collectively as a pontificating middle aged man in a comfy armchair, wearing a green cardigan and sucking reflectively on a pipe.
Odd Fetish for Compulsive Overuse of Monitoring?
Mines the smoking jacket...
Seeing as the Government can sit on its fat backside and be too lazy to stop immediately something as illegal as BT/Phorm/Webwise it is hardly surprising that spoofing like this could get through the system. Another disgrace.
I can imagine it now.
ring ring, ring ring .. answer,
"Hello Gordon Brown here. I want to ask you a few questions. This is my normal weekly dial the electorate session. Check the caller ID if you don't believe its me, ... You see it is me from number 10! .... Now what shall we talk about".
Paris, because she always can tell when your faking it!
Except....it costs a lot more and would be less enjoyable to eat.
...phone the Cult of $cientology in London, presenting caller id for the City of London Police... "We've run out of free cinema tickets and doughnuts"
It was mentioned earlier on this page about a function to present the real caller ID (can't remember who said it, sorry). Perhaps this should be a feature that BT implements PDQ!
And perhaps they should also enable the new setting on all outgoing international calls, and perhaps on all calls to mobile networks too, by default.
And lets face it, even Ofcom wouldn't have any use for a chocolate teapot, since that's probably all their staff do all day... sit around drinking tea!! Geddit... coz the chocolate teapots wouldn't be any good for really making tea!
Mine's the one pretending to be a different colour!
Just nationalise the telecoms industry again.
Get rid of all this rubbish!
Actually, that may be the fastest way to get this service killed. The attack-dog lawyers of COS will have this sorted within the day. They know people.
What's worth doing now is to set up a company that offers a "CLI DE-spoofing" service. When you subscribe to this service, anyone ringing your phone goes through its ID verification system, which is set up to detect calls with CLIs sourced from a known list of intermediary spoofing companies like Spookcall. If so detected, the CLI displays "Number Spoofed!" instead of the fake number being transmitted, so you know that whoever's calling you is fraudulently masking their identity.
And you can then start a profitable arms-race with the phone-spoofing companies, much as the antivirus companies have done with the VXers!
Thanks to El Reg, I contacted London Borough of Havering Trading Standards department yesterday to complain about the trading activities of SpookCall (its registered address is in Romford, within Havering TS's area.)
Basis of the complaint was SpookCall's admission -- well, SpookCall's boast -- on its website that in spoofing a number, the SpookCall subscriber was also spoofing the name of the person registered to that number. In other words: identity theft.
All credit to Havering TS, then, for getting back to me so quickly:
"My investigations revealed that The Office of Communications (OFCOM)
are aware of this company and are in the process of investigating this
company. Ofcom are the independent regulator for the UK communications
This service will continue to monitor the case and carry out further
investigations where necessary. If you have further queries on this case please do not hesitate to contact me,"
For the time being, I'm happy to let things progress, and though I do appreciate El Reg's sentiments re Ofcom letter-writing, that's actually the lesser of two evils -- t'other being the existence of some bureaucratic Gestapo which moves in, shuts down, and asks questions afterwards.
Similarly, I can't agree with an earlier post about "Why Ofcom? Why don't our MPs act NOW?" because that attributes to MPs a collective intelligence that doesn't exist: allow that lot the power to "act" without recourse to due process and this country will be in an even bigger mess than it is now.
Best thing, it seems to me, is for El Reg and the rest of us to watch the watchers, to make a note of the date when confirmation of "an investigation" into SpookCall was given and see how long it takes before the issue is resolved one way or another.
As I said (above), I for one -- though I suspect many other regulars here are of similar view -- don't mind waiting "for the time being". By mid-July, OFCOM should have been able to determine what is, in fact, a straightforward issue: is SpookCall facilitating identity theft in the UK or not?
SpookCall's lawyers will obviously want "for the time being" to run on as long as possible in order that the company can harvest as much revenue as possible. Time is of the essence, then. And it's the passage of that time which will show whether OFCOM is a watchdog with teeth or a watchdog without a spine.
On a BT ISDN line you CANNOT send an arbitrary number and have it presented to the callee - it must either be a number allocated to that line, or another one that has been validated. So you can't do this stuff just by hooking up an Asterisk box to an ISDN line.
When calls are passed around the network, the caller id number is accompanied by flags to show if it's 'trustworthy' (or withheld, a separate flag) - and if it's not from a trustworthy source or is withheld then it is not to be presented to the callee. "not trustworthy" should include any unvalidated number supplied by customer equipment - but it also is used wher ethe call traverses any carrier network that can't guarantee the integrity of the caller id data (don't forget that it took many years after introduction of caller id before all networks were properly equipped to handle it). The general rule is that any point in the chain can set to the flag to say the number is not trusted, but once set this way then it cannot be reversed.
For this service to work, they must have a carrier level connection into the network and be lying by setting the "trustworthy" flag. The simple answer is that any carrier they connect to is conspiring to support any criminal activity performed with it's assistance - so any competent carrier would immediately flag any call from them as untrusted. Oh, I see where that falls down !
But from a legal viewpoint, we don't actually need any new laws - just prosecute a carrier for conspiracy should this service be used for anything illegal AND the carrier carried their spoofed caller id flagged as trusted.
I know companies spoof their IDs, but they do it to numbers they own. And its all regulated.
This 'service' allows anyone to spoof any number.
Can anyone come up with a legitimate reason for the public to do this which does not include an illegal activity or crank calling?
Someone attempted to verify the utility of a chocolate teapot once, seeing as we use it as a measure of uselessness...
If Ofcom doesn't get excited for any broader reason, they ought to be very troubled by the impact on indirect telecoms operators - the ones where a BT customer dials a prefix before the call (or opts for CPS - Carrier Pre-Selection) and then pays the rival operator rather than BT.
As I understand it, these operators use CLI to identify which account to debit for the cost of each call - which becomes useless if CLI spoofing becomes widespread.
OK, at the current 50p per minute to Spookcall, CLI impersonation would only be cost-effective for calls to a few high-cost destinations, but it doesn't take a genius to see that if Spookcall get away with it, there will be others piling in at much lower charges.
Ofcom seem very good at turning a blind eye to abuses that aren't specifically covered by their terms of reference, but surely they have a pretty specific need to make sure that rival telecom operators can continue in business?
Perhaps someone holding diplomatic immunity could do us the favour of hacking someone's voice mail (ideally an MP's) using a spoofed ID then publicise what he finds to the national press. He could even turn himself in at the local Police Station and say 'it was SpookCall wot made me do it!'. Would anyone then finally act?
...in general seem all but useless. I'd really like to know a bit more about them. For example, who they are accountable to?
Who do you go to if you aren't happy with a regulatory body's performance for example?
Attempting to get Ofcom to look into a reasonable complaint against BT over billing or administrative issues is a complete waste of time, I know, I've tried both. And there doesn't seem to be any procedure to complain about their (Ofcom) indifference.
Recently someone I know, by some odd coincidence, received bills from two different energy suppliers (gas and electricity) in the same month, one claiming that no payments had been received for 12 months, the other for 10 YEARS...
Now we all know what happens if you don't pay for 12 months, never mind 10 years!
At this point it's worth mentioning that energy companies are not 'permitted' to bill for outstanding balances more than two years old - a rule that doesn't appear to apply to EDF...
I'm assisting this person in attempting to sort this shambles out, because they are recovering from a life threatening illness and don't need this, on top of everything else.
The gas supplier (British Gas), faced with the existence of receipts can only parrot 'Well they aren't showing on my screen'...
The electricity supplier (EDF) hasn't yet responded - though their likely response, bearing in mind their record of billing an average of £90 a quarter customer £130,000+ last year, then billing them £84,000+ less than a year later (yes, I know, but some people just don't learn, do they?) and the recent revelation about their dishonest sales practices doesn't raise one's hopes.
I looked into the 'Industry Regulator' there - which has a record like Ofcom - but in Ofgem's case, they won't even talk to a member of the public...
If you feel you have an issue with an energy supplier you have to contact an outfit called Energy Watch, and, if THEY think there's a case, THEY will forward it to Ofgem - and to give you an idea of how 'trigger happy they' aren't, they didn't forward a complaint against EDF over the £130/84k+ billing fiasco until the SECOND incident!
So, yes, Ofcom is rubbish, but 'regulators' generally seem completely ineffectual and not really interested in doing their job. Though one wonders what they actually percieve their job to be? Other than dodging responsibility for the antics of the industery in question, empire building (which is what I'm pretty sure Energy Watch is all about), and drawing a nice salary.
This latest report about Ofcom's apparent inaction comes as little surprise under the circumstances.
The situation with 'Industry Regulators' seems to be that the successive governments have adopted the concept as a convenient method of distancing themselves from the consequences of the longstanding policy of privatisation.
The industries concerned are free to exploit the market relatively freely, secure in the knowledge that the 'Regulator' isn't going to take any meaningful action when they abuse their position, the government of the day can hide behind the 'Industry Regulator' concept and effectively wash their hands of the situation, and the customer has to put up with the result.
And don't hope for a 'shake-up of the Industry Regulators' promise by any aspiring government any time soon either! Any political party, or individual politician going that route in an attempt to sway the electorate would promptly find itself facing the opposition, covert and overt, of ALL the industries in question.
In fact it might be interesting to see a list of contributors to the two major political parties with reference to the 'regulated' industries...
Biting the hand that feeds IT © 1998–2017