Who can tell? Does your enterprise use caller ID to identify customers? Does your Presence technology use caller ID? How about your voice mail access? What if you cannot depend on caller ID accuracy?
I have been receiving several calls a week that provide false caller IDs. The calling system does not leave a voice mail. Sometimes I answer and there is no sound on the call. I have tried to track down the calling phone numbers, only to find the number does not exist, the number has been disconnected or the call cannot be completed.
I found one caller was an Internet directory service for sale from India using a false caller ID. The agent had no idea his company was faking the caller ID.
Caller ID is not the same as ANI (Automatic Number Identification). ANI is a technology used by telephone companies to identify the directory number of a caller. ANI is similar to Caller-ID, but utilizes different underlying technology. ANI is one of the technologies that are part of the 911 emergency services. Scientific American magazine posted an article, "How Do You Hack Into Someone's Voicemail?" prompted by the scandals with the UK tabloid News of the World, discussing the ability to hack mobile phones and voice mail systems. The author of the article, Larry Greenemeier, states: "Voice mail prompts can also be accessed via caller ID spoofing. With the advent of caller ID, many voice mail systems have been created that simply check the number calling in and base authentication on that match.... Caller ID spoofing services like Spoofcard.com allow people to make it appear that their phone number is the same as the digits they are dialing. When the receiving phone recognizes its own phone number, it will often dump the caller directly into voice mail." This is how my AT&T mobile phone voice mail works. However, my Verizon FiOS voice mail requires a password for access, not caller ID.
One example is setting the outbound calls from the enterprise to the main number, not the actual phone number used to make the call. If the enterprise is using different providers for inbound and outbound calls, one provider does not know the number being used by the other provider. Therefore the enterprise has to arrange for the caller ID with both providers to match.
VoIP services, by virtue of the technology, have to spoof caller ID to produce phone numbers. Other possible users of spoofing may be doctors who do not want give out their home phone numbers. Online dating services may use spoofing to protect their customers. Lawyers may want to protect domestic abuse clients by spoofing caller ID.
A posting at the Telecom Law Monitor, "Rules Against Caller ID Spoofing to Tighten" discusses two developments that occurred in December 2010 that will make it more difficult for entities to spoof caller ID information. President Obama signed into law the Truth in Caller ID Act of 2009. This act makes it unlawful for anyone to transmit misleading or inaccurate caller ID information with the intent to defraud. In addition, the Federal Trade Commission is seeking comments on rule changes to strengthen the caller ID provisions of its Telemarketing Sales Rule (TSR).
The FCC prohibition applies to telecommunications and IP-enabled services (VoIP). The FCC must submit a recommendation if it feels that additional legislation is necessary to prohibit the provision of inaccurate caller ID information if and when new technologies will warrant further legislation on spoofing ID. The FCC adopted rules on June 23, 2011 implementing the Truth in Caller ID Act and has issued a report to Congress regarding the issue.
The article "FCC Releases Rules Implementing the Truth in Caller ID Act" describes the major actions that the FCC can take under the rules:
* Violators are subject to up to $10,000 for each violation, or three times that amount for each day of continuing violation, to a maximum of $1 million for any continuing violation.
* The FCC may assess fines against entities it does not traditionally regulate without first issuing a citation.
* The FCC can impose penalties more readily than it can under other provisions of the Communications Act.
* The FCC may assess fines against entities it does not traditionally regulate without first issuing a citation.
* The FCC can impose penalties more readily than it can under other provisions of the Communications Act.
Besides these penalties from the FCC, it is possible for individuals and organizations to file a civil suit over the use of fake or incorrect caller ID.
There are services where you can block calls by caller ID. First however, you need to determine that you are receiving calls from fake ID users. You can use reverse-number tools on the Internet that will provide some free information on the calling phone number. You may also find sites that list the fake caller ID and that post comments from others who have dealt with that caller ID, that help to determine the calling source legitimacy. I checked the Spoofcard site and it is still selling their service. Besides the caller ID spoofing, Spoofcard can disguise your voice. They have a U.S. patent notice # 7,664,242 on their technology. It will be interesting to see how Spoofcard and other like services deal with the new FCC regulations.
Matt Brunk has blogged on this at Nojitter:
Caller ID Spoofing: Prop the Screen Door
SIP Trunks: Preserving Caller ID
Caller-ID Spoofing: Legislation
There are several useful short articles at Fake Caller ID.
