Alarmed

Truth, Lies and Caller ID

Do you rely on caller ID for identification? If so, you're taking a big risk

By Sarah D. Scalet

Page 2

Legislators have taken notice. In June, the U.S. House of Representatives passed H.R. 5126, "the Truth in Caller ID Act of 2006," which would make it illegal "to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm." It's already illegal for telemarkers to mask their telephone numbers.

Privacy advocates find themselves somewhat torn on the matter. Marc Rotenberg, executive director of the Electronic Privacy Information Center, testified before a House committee last May both on the need for consumers to be able to make anonymous calls—say, from a shelter for abused women—and for consumers to be protected from fraudsters who would glean sensitive information by pretending to be someone else. (The House added the phrase, "with the intent to defraud or cause harm," at Rotenberg's suggestion.)

But for executives who are struggling to reduce fraud, the ease of caller ID spoofing cant be good news. When I called the company offering the spoofing service—and it's just one of many—the person in charge of sales told me that the company blocked calls to toll-free numbers and was always adding phone numbers to its black list, based on requests from government agencies or corporate America.

"The card is not meant to harass law enforcement or to cause chaos, which some the users have done with the card," he said, noting that he supported the legislation passed by the House because he felt that it added legitimacy to the service. "There are illegitimate uses that you may be held liable for, and we're all for that."

Maybe I have a maniacal mind, though, because for every legitimate use I can think of for caller ID spoofing, I can think of a half-dozen nefarious ones. I could have called Scott pretending to be his travel agent, or the local branch of his bank or his doctor's office, and tried to get information that I could use for fraud. If I were really evil, I could have scared the bejeezus out of him by saying that I had broken into his house.

Or, lets turn the tables a bit. I could have called Scotts travel agent, or bank or doctors office, pretending to be Scott. I could have tried to access his cell phones voice mail. As I was writing this column, I took a break to call my health-care provider's office for some test results, and she didnt even ask for my name—she just pulled it off her caller ID and started reading from my chart.

$firstKeyword

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors