6

To be specific the main problem is that I want to detect if the caller ID of the incoming cal I get is real or spoofed? Most VoIP servers now allow their clients to use any caller ID they want. Also, before the caller hears the ring no authentication is made by the operator (for example, Vodafone or O2) to check if the caller ID is valid or spoofed.

I found something an Android app called CallerDec that has ability to check if the caller ID is valid only if the caller (not attacker) has also installed CallerDec by a verification call.

But it is not enough and it won't work if the real caller hasn't installed that app. Many banks now allow full access to someone's account by just verifying the caller ID of the caller and the debit or credit card number associated with that caller ID. I am sure they must be aware of caller ID spoofing and have some special process for identifying spoofing.

There is a proprietary service TrustID available for business users that guarantee to detect if a caller ID is spoofed or real but as it is closed source we can't know how it works.

200_success
  • 2,144
  • 2
  • 15
  • 20
Ashish
  • 71
  • 1
  • 1
  • 4
  • 3
    There are not much countermeasures against caller ID spoofing. Best countermeasure is not to rely on it and consider it an "untrusted data". – user1164108 Feb 08 '15 at 18:08
  • Can you mention some of the countermeasures? – Ashish Feb 08 '15 at 18:14
  • Are you sure than banks verify caller ID and not simply the phone number itself? – schroeder Feb 08 '15 at 22:13
  • @schroeder I didnt say all banks verify that. Some banks verify AccountNumber+call in PIN, some verify CardNumbe+ATM PIN+ExpiryDate. But there are some banks (eg. BOA) that only verifies **caller ID** of the user & card number. If the card no.entered by caller on the IVR is associated with the phone no. of the caller (means the caller ID) then the caller is given access to that account. But they must be using some technique/system to verify spoofed call cuz no bank would ever setup this kind of verification.. – Ashish Feb 09 '15 at 00:38
  • 1
    CallerID and phone number are completely different things. Spoofing a phone number is going to be difficult because it is used to route the calls. CallerID is what is easily spoofed. – schroeder Feb 09 '15 at 00:45
  • I think you ain't getting me. In my question i'm asking if there is anyway to detect caller ID spoofing. that bank thing was just for an example :) Services like trustid.com guarantees to identify such spoofed calls. okay so its possible. next thing we also dont know how exactly TrustID works as it is closed source... so now i know that it is possible to detect, but how? We can detect fake sms (sender id) by checking smsc. is there something like that for calls too that can be used to detect spoofing? that's what i am asking. – Ashish Feb 09 '15 at 00:56
  • Although I have no firsthand experience, I've read of this being done by forwarding calls to a toll-free number, which then (by virtue of being toll-free) receives the true calling number through ANI (which is distinct from Caller ID and which supposedly cannot be spoofed) and finally forwards back to the original number. The TrapCall service mentioned here appears still to be in operation: http://www.nytimes.com/2009/03/15/us/15call.html – Scott Dudley Feb 09 '15 at 02:47

1 Answers1

4

Although I have no firsthand experience, I've read of this being done by forwarding calls to a toll-free number, which then (by virtue of being toll-free) receives the true calling number through ANI (which is distinct from Caller ID and which supposedly cannot be spoofed) and finally forwards back to the original number.

For example, the TrapCall service mentioned here appears still to be in operation: http://www.nytimes.com/2009/03/15/us/15call.html

Scott Dudley
  • 301
  • 1
  • 3
  • This won't work if is a call from VoIP – Freedo Feb 09 '15 at 06:31
  • @freedom, is that true as a blanket statement, or might it depend on the VoIP provider's implementation? I've seen [anecdotal evidence](http://www.oldskoolphreak.com/tfiles/voip/voipani.txt) that it will not work with callers from some VoIP providers, but it seems like a clever provider might be able to look at the Caller ID supplied by a client for an outbound call. If the caller ID matches a DID associated with the same account, couldn't it send it out as the ANI? (I admit that I don't know anything about SS7.) – Scott Dudley Feb 09 '15 at 14:35