Truth, Lies and Caller ID

Do you rely on caller ID for identification? If so, you're taking a big risk

This week, I, Sarah Scalet, just a hardworking, honest journalist born and raised in the heartland, pretexted for the first time.

I placed a call from my office phone to my colleague Scott Berinato, manipulating the caller ID in such a way that the call appeared to be coming from Scott's cell phone. I also disguised my voice. And, just because I could, I recorded the call as well.

When Scott answered, I made up a lame story about how I was calling from his cell phone company to inquire about problems with his service. Scott demanded to know, in an increasingly stern voice, exactly who I was and what I wanted. And when I tried to fess up and tell him that it was actually me, Sarah, he hung up.

You might think that all this required incredible technical savvy on my part. Maybe I did some elaborate hack of a VoIP system, or built a fancy-schmancy gadget with parts from Radio Shack. Alas, no. In fact, all I did was call a toll-free phone number and punch in a few codes. First I entered the PIN, which was on a free calling card I got on the trade show floor at ISC East in New York. (The card was specifically designed to allow spoofing; it's all built in. It operates just like a calling card and costs 17 cents per minute.) Next I entered the number I wanted to call and the number I wanted to spoof. Then I punched a button to disguise my voice as a man, and another to record the call. All told, it was easier and took less time than it would have to get a customer service rep from my credit card company on the line.

And it worked. Who knew it was so easy to spoof a call?

Apparently, a lot more people than I suspected. As it turns out, there have already been isolated problems reported with caller ID spoofing, ranging from mildly amusing to truly alarming. In September, a Memphis newspaper reported that a retiree had received two calls from a neighbor or neighbors who disguised their voice and phone number to complain about his mowing the lawn early in the morning. In May 2005, a Newark newspaper reported on a hoax call to 911 that resulted in a SWAT team surrounding the apartment house from where the call seemed to originate. (The call-spoofing service I used now blocks calls made to 911.)

Legislators have taken notice. In June, the U.S. House of Representatives passed H.R. 5126, "the Truth in Caller ID Act of 2006," which would make it illegal "to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm." It's already illegal for telemarketers to mask their telephone numbers.

Privacy advocates find themselves somewhat torn on the matter. Marc Rotenberg, executive director of the Electronic Privacy Information Center, testified before a House committee last May both on the need for consumers to be able to make anonymous calls—say, from a shelter for abused women—and for consumers to be protected from fraudsters who would glean sensitive information by pretending to be someone else. (The House added the phrase, "with the intent to defraud or cause harm," at Rotenberg's suggestion.)

But for executives who are struggling to reduce fraud, the ease of caller ID spoofing can't be good news. When I called the company offering the spoofing service—and it's just one of many—the person in charge of sales told me that the company blocked calls to toll-free numbers and was always adding phone numbers to its black list, based on requests from government agencies or corporate America.

"The card is not meant to harass law enforcement or to cause chaos, which some of the users have done with the card," he said, noting that he supported the legislation passed by the House because he felt that it added legitimacy to the service. "There are illegitimate uses that you may be held liable for, and we're all for that."

Maybe I have a maniacal mind, though, because for every legitimate use I can think of for caller ID spoofing, I can think of a half-dozen nefarious ones. I could have called Scott pretending to be his travel agent, or the local branch of his bank or his doctor's office, and tried to get information that I could use for fraud. If I were really evil, I could have scared the bejeezus out of him by saying that I had broken into his house.

Or, let's turn the tables a bit. I could have called Scott's travel agent, or bank or doctor's office, pretending to be Scott. I could have tried to access his cell phone's voice mail. As I was writing this column, I took a break to call my health-care provider's office for some test results, and she didn't even ask for my name—she just pulled it off her caller ID and started reading from my chart.

The technology isn't to blame for any of this. We are. We've grown far too reliant on caller ID as a form of identification. Both individuals and corporate America use caller ID to decide who to trust. It just takes a gimmicky calling card to force us to notice that that's a decidedly bad idea.

Columnist Sarah D. Scalet can be reached at

Copyright © 2006 IDG Communications, Inc.
