FCC demands customer records of Caller-ID Spoofing companies
- By: John Andrews [privmsg] On 3rd Mar 2006
Wired News is reporting that the FCC has opened an investigation into caller-ID spoofing. Several companies provide services for setting the caller-ID string to whatever you desire before making a call. I used the first public one of those back in 2004 (Camophone) and it worked very well. Of course, I am not a hacker, prankster, nor fraudster, but I may end up on the list...
The FCC wants to know who I am (or at least who has used TeleSpoof, according to Wired, and possible the other companies like Camophone and SpoofCard and Spoofcom and SpoofTel and NuPhone, if he investigation continues).
The FCC is demanding business records from both companies [Telespoof and NuPhone - Ed.], as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.
Wired suggests the investigation may be politically motivated, noting an AP report that a Republican congressman mentioned a telephone flood attack on his office phone system was cloaked by a spoofing service. There also seems to be a connection to the pretexting used by scammers to get access to cell phone records. I note that the FCC request as described by Wired did not include calls made, but does include suficient cirumstantial information (number of calls made, time of calls) to deduce same. I am not a lawyer so I can't guess how that might fly in court, where political speech (especially speaking out against an active politician) has historically been well protected in this country.
What irks me is the assumption of evil-doing, and the projection of irresponsibility onto the users and vendors of caller-ID spoofing systems. Why would you want to hide? What are you doing wrong that you want to spoof your caller-ID? Why was this allowed to exist for 2 years already? And since Wired reports that
...Congress heard testimony that criminals have used the services while making pretext phone calls to wheedle private consumer information out of companies. The services have also reportedly been used to target businesses that rely on Caller ID for authentication -- Western Union wire transfers service have been particularly vulnerable, as are T-Mobile voice mailboxes in their default configuration.
Surely this caller-ID spoofing should be illegal, right?
Wrong. Caller-ID spoofing has been available to commercial entities for a long time. It is only now available to you (should you want to use it) because of these innovative entrepreneurs building small businesses like Nuphone and Camophone. Collections agencies and private detectives have been able to spoof caller-ID, and have successfully used it against you the consumer or private individual without much oversight.
So who is to blame for the problems currently noted? Well, for starters, how about Western Union. If you were a bank and you knew that caller-ID could be spoofed, would you build a system that trusted caller-ID for authentication purposes when wiring cash money across the globe? Of course not. You are not stupid.
Or how about that T-mobile. We all heard about the Paris Hilton t-Mobile Sidekick Affair. She was a t-mobile subscriber, and it seems t-mobile trusted caller-ID as a user authentication for access to "secure" user voice mail. Excuse me for questioning the smarts of a major US corporation, but if you actually own the networks and switches and the software running on them, isn't it way-stupid to trust incoming caller-ID for secure authentication? You, ahem, own and control the network, and it's your own customer. Can you say "Duh"?
Same deal for the "excuses" being offered by phone companies whose customer cell phone records have been sold on the Internet. They claim fraudsters used pre-texting (what we used to call [url=http://en.wikipedia.org/wiki/Social_engineering_(computer_security)]social engineering[/url]) to "fool" customer service reps into giving up online account passwords. Will the public buy that excuse and blame the evil hackers and shut down the caller-ID spoofers with new redundant legislation? (fraud is already illegal, in case you didn't know). Sure they will. It's an easy way out.
The public doesn't want to acknowledge that in reality, these big corporations are getting rich off us by selling systems that don't work as advertised, while willingly sacrificing customer data and privacy in the name of profits every day. Just ask any field technician how hard it is to get access to a client's username and password at the time of a system installation or Internet connection troubleshooting project. It's easy...because it has to be easy. The system is not really "self-install". It doesn't really "work right out of the box". If the customer had to do it alone, it would never get done and the big telco could not reap the amazing monthly payments they currently get for cable, DSL, and cellular phone service.
Where there is trust there is an exploit waiting to happen. Where there are excessively easy profits to be made, there will be laziness and greed which should create opportunity for entrepreneurs to introduce better/cheaper/faster systems that benefit you, the consumer. But if that greed and laziness is protected by legislation that simply blocks innovative competitors from challenging the default, we all lose.
Foolish trust like using caller-ID as authentication is the product of laziness and irresponsibility to the consumer. We need to start blaming the profiteers for their greed, and ackowledging that their laziness at our expense is an abuse of the public trust. It should not be tolerated. Do we really need more laws protecting the irresponsible?
Man that's pretty scary. Now
Man that's pretty scary.
Now watch Anonymizer get subpoenad by the DOJ (although I think they wipe their records continuously)
From a post by Danny in
From a post by Danny in Jan 2006
not so easy
That may all be true and Anonymizer may be the best out there on the consumer front, but it cannot prevent tracking of where you go while using the service. *if* someone watches the in and out of the Anonymizer servers, and has access to ISP traffic/routing information on the Internet, then your surfing can very likely be identified. It is widely believed the US government has that "watching" technology in place already, and has not had any difficulty due to Anonymizers like that one. of course your average IT administrator or corporate boss or even private investigator may be stymied.
Onion Routing is a method of routing traffic through a series of anonymizers, and even it can be tracked by monitoring router traffic (and tracked more easily by inserted undercover servers into the route). Peer-to-peer onion routing uses peer-to-peer technolgy to practically vary the servers used for any given traffic, but it, too can be tracked if the ISP-level watching technology is comprehensive enough (and it is widely believed that it is, here in the US). It is also pretty easy to insert many undercover peers into the network to make the peer-to-peer part not quite as anonymous as it might seem.
The tor network is probably the most advanced onion router network available today, and it relies on the fact that a limited number of servers are involved and they are known to be trusted to maintain confidentiality. The US Navy paid to develop Tor as a truly secure means of anonymizing traffic. If you use the Tor network and it is not compromised by undercover servers pretending to be privacy protectors, then still your DNS lookups can give you away (the routing network works by IP, so the machines in your network route still hit DNS servers to translate domains into IP numbers). For that, you can use a lookup proxy like Privoxy.
So if you are really paranoid, install Privoxy and make it work on your machine to proxy your DNS lookups. Then install Tor and surf through a Tor node, trusting that the tor people have been careful enough to keep the spooks out.
I, to am not an expert at privacy and security nor anonymizers nor Tor. I also haven't studied up on this for almost a year, so things may be different. Since the EFF started supporting tor a year of so ago, some better documentation can be found on EFF.org. If I have time I'll come back in here and add some links.
But this caller-id spoofing involved the telephone systems, which used to be governed by a different set of laws than the Internet. For example, it is illegal for ATT to listen in on your phone calls, yet do you think it is illegal for Comcast to listen to your IP phone calls? Check it out... the telephone system laws were pretty good for us, compared to what we have today.
So if the DOJ wanted Anonymizer info I doubt they would ask anyone other than the CIA or Secret Service or perhaps their own DOJ staff (I have no idea who runs those carnivore-like things). They are not restricted by the same laws.