President Obama signed the Caller ID Act of 2009 into public law 111-331 on December 22, 2010. In 2008, Spoofing Caller-ID, I wrote about the ease of spoofing and that I was puzzled over the agonizing delay in the US Senate acting.
A recent event of Caller ID spoofing is the arrest of a woman charged with impersonating a federal agent. The California woman allegedly used a website service to spoof and mask her voice. She spoofed the Miami FBI division and Washington, D.C. headquarters numbers to discourage clients from complaining about her operations.
In Caller-ID Spoofing: Legislation, I wrote:
To fully understand Caller-ID, I think those attempting to write and pass new laws need to understand that having another law on the books, as one reader commented, could become "trivial law." In that vein the reader is correct because without understanding the needs of business and consumers the new law may become just that [trivial]. Our current systems (networks) have flaws and these are the gaping holes in security that violate a basic trust once established by an old and still imperfect system. We expect privacy, want safety and security and still expect to know who's calling us. As crazy as it sounds, this is one heck of an opportunity and I hope we can get it right.
In another incident, alleged scammers from a company calling itself Montana Mutual attempted to sell a Philadelphia man a loan. They required upfront payments. Luckily he was savvy enough to call the Better Business Bureau and Montana Department of Financial Institutions only to find that the company wasn’t licensed and didn’t exist. The article states that,
Zan Deery, a fraud investigator with the Better Business Bureau in Spokane, said, "We cannot stress how crucial it is for people not to rely on Caller ID anymore. What they're doing is trying to fake you out."
In SIP Trunking: WARNING Caller ID, I wrote:
Anonymous calls that are harassing, threatening, or annoying, including SPIT, should be a concern and will prove to be more challenging. Added into the problem, Caller-ID is not a trusted source. This doesn't mean that solving this problem is going solve or eliminate the criminal problems, but what it does mean is that the holes in the system (network) need plugging. Otherwise, just prop the screen door open. The threat is simple: with vendors offering web services to "spoof Caller-ID," the legitimacy of Caller-ID is destroyed.
In Eric’s post, Security in Communications: Report to the Industry, the graphic "Communications Security Threat-Risk Model" shows Productivity Loss, Harassing Calls and Social Engineering as three of the threats ranging from low to high risks. All three of these may occur from Caller ID spoofing. Intellectual Property Rights (IPR) issues, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), Online Extortion, International Money Laundering, Identity Theft and a growing list of cyber crimes are inter-related. When I recently spoke with the FBI regional office in Los Angeles about the California woman impersonating FBI agents, they reiterated that the technology--and even using Caller ID spoofing--is not illegal. The new law states that those who defraud, cause harm or wrongfully obtain anything of value by using Caller ID spoofing are in violation and face civil penalties as much as $10,000 for each violation and as much as $1 million for any single act. I’ve always heard the word "opportunity" associated with crime and I can’t help but think that our technology has given incredible opportunity to those that would do others harm through illicit means. The California woman allegedly took it one step further by also impersonating an FBI agent, and that is another crime.
Enterprise may find itself faced with defensive moves. Jessica McIntosh of Atlas Supply did and told me previously that when it comes to enforcement, "the carriers don't care." Jessica spends time explaining to callers that her company, the legitimate Atlas Supply, did not call them soliciting tools and supplies. Protecting a brand or company name against Caller ID spoofing can become time consuming, costly and frustrating for businesses. Where should businesses start when they suspect their company and telephone numbers are being spoofed?
I called the Seattle, Washington FBI field office and spoke with Special Agent Fred Gutt. He explained the overlapping nature of these crimes and directed me to the Internet Crime Complaint Center (IC3). The FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA) formed a partnership and created the Internet Crime Complaint Center (IC3). The IC3's role to serve as a means to receive Internet related criminal complaints and to further research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate. The IC3 was intended for, and continues to emphasize, serving the broader law enforcement community to include federal, as well as state, local, and international agencies, which are combating Internet crime and, in many cases, participating in Cyber Crime Task Forces. The exceptionally good news is that today, there’s now legislation behind Caller ID spoofing to put the hammer down on those unscrupulous individuals that try to gain access through the screen door to valuable information or something of value.
I've pondered over this issue a long time and the politicians did get it right. They didn't jeopardize any of our liberties or infringe upon our needs to use Caller ID spoofing legitimately. Even still, prevention and preventive measures by carriers wouldn't hurt. Recently, an Illinois man that used a Caller ID spoofing system faced charges in a federal court for leading police on bogus emergencies that resulted in SWAT team responses.
