Caller ID has been compromised. No longer do you have the assurance that the number displayed on your ringing telephone actually represents the person on the other end of the line.
With the advent of so-called Caller ID spoofing services, anyone with a credit card can initiate outbound calls with the Caller ID of their choice. Aside from the fact that these services easily allow anyone to compromise the integrity of the Caller ID service, they also open up a number of critical security concerns across different voice-based systems.
Logging into my cellphone website account today, I noticed a security alert for the voicemail system. My provider’s voicemail system has an option to bypass the requirement to enter your PIN if you’re calling from your own cellphone. Hackers have been able to access the voicemail accounts of others through exploiting this ‘feature’. If you have a cellphone voicemail account, you really should consider enabling PIN-based authentication.
Think about the other types of systems today that use Caller ID for authentication. Caller ID spoofing will have a big impact on all of these if it is the sole authentication token. Here’s another example: Recently I received a replacement debit card, and, when I made the call to enable the card, it confirmed that it had matched my telephone number to the number on file and would not require any further confirmation. This is scary – banking institutions should seriously reconsider the authentication model used for new card enablement.
I’m not completely familiar with the intricacies of the switching network (SS7 et. al.), however I do hope that some steps are taken to restore integrity to the network. Caller ID is a useful feature, but, with the advent of spoofing services, its value has diminished.