How to prevent CallerID Spoofing and CallerID Abuse?

How to prevent CallerID Spoofing and CallerID Abuse?

The CallerID has always been and still is, for many people the proof of the identity of a calling party. That works for a person, but also for a company or institute. If you receive a call with the CallerID from someone you know, you trust it is him or her, even if the voice sounds a little bit different (maybe your friend has a cold?). And if you receive a call from your bank, you recognize the number and assume that you are indeed talking to an employee of the bank.

It is for this reason that phone scammers are very keen on using a realistic CallerID. Whatever phone fraud scheme they try to deploy, a trustworthy CallerID is often an essential part of it. Not so long ago, this implied a major hurdle for criminals. It was possible to alter one’s CallerID, but it was technically complex and required special skills. Today, that’s a bit different.

CallerID Spoofing

The solution that is most often used by fraudsters is CallerID spoofing. As said, not so long ago CallerID spoofing required at least some technical skills to be organized. Today, however, it is a feature you can order as part of legitimate cloud-based VoIP services like Bitphone.net. You can have an anonymous subscription for this service, pay with bitcoins and use it to call around the world. If you pay a small premium per call, you can choose any CallerID you want, from any country. You can make calls all over the world using any CallerID. A fraudster in Asia can make calls to a citizen in the US as if he is calling from a company a few blocks away.

How to prevent CallerID Spoofing

Despite how easy it can be organized, CallerID spoofing has some drawbacks from the fraudster point of view. Specifically in the case of cloud-based internet solutions, the quality of the call may often not match with the expectations of the potential victim when he or she receives a call from a company, the bank, the school or just a friend. A voice call over an internet connection from the other side of the world most often ‘sounds’ different compared to an enterprise VoIP call within the same network node.

Security companies use the differences in call characteristics all over the world to build preventive mechanisms against CallerID spoofing. Pindrop Security, for example, developed a technology called Phoneprinting. To alert call center staff and others in real time about potential malicious calls, the software takes an audio call and breaks it down into 147 unique call features to create a distinctive identifier for each caller. It checks for example if the location indicated by the call audio (!) match the phone number as reported by CallerID. So, CallerID spoofing certainly won’t work in business environments where this type of security software has been deployed.

CallerID Hijacking

As a result, for corporate fraud, for corporate espionage and other types of ‘white collar crime’, only real access to a corporate telephone with a usable CallerID may do the job. But is that a feasible scenario? Is it possible to simply get access to a company telephone?

Unfortunately, it is. Many companies have become very flexible. Flexible in terms of staff, flexible in terms of working hours and working locations. Employees work in their own time at a location of their choice. Sometimes at home and sometimes at one of the companies flex-offices. So, desks are occupied by different people from different departments at different times. In order to use the telephone on that desk with their number and own settings, they have to register themselves on that telephone. This is a good security method, but it is often a very cumbersome procedure with long usernames and passwords which are difficult to remember. As a consequence, people keep their phones logged in as long as possible. They won’t log out if they think they will return soon to the same desk. And they don’t care since they think it is ‘just’ a telephone.

The result is a flex office with flexible opening hours, limited social control and many ‘open telephones’. In that situation, it is relatively easy for any ‘uninvited guest’ to ‘hijack’ a desk and the phone line and start making fraud calls, social engineering calls or whatever type of call he needs for his plans.

Example: a Pinkerton client case

Is the above all theory and it won’t happen at your office? Perhaps, and I most certainly hope so. However, look at an example of the well-known corporate investigators of Pinkerton. They published a case study in which their client was concerned about the security of sensitive business information. The Security Risk Assessment of Pinkerton showed that in the 6-floor company building the most critical information was housed on the 6th floor. However, there virtually was no protection on that floor and the deployment of security staff was not aligned with this security priority. The parking garage seemed to be better protected than the servers on the 6th floor and the actual advice from Pinkerton was to re-allocate security staff from that parking to the 6th floor.

So, unauthorized people who enter your facilities and make illegal phone calls from your network, it could be less theory than you think…

CallerID protection

The best way to prevent unauthorized guests from using your company telephones is to make sure that staff comply with the security rules for the use of the company telephony network. Log out every time they leave the office and log in again when they come back next time. However, people tend to be human and they often simply forget to log out, even if they want to.

What would be more convenient than a Single Sign On procedure which integrates the login procedure for the VoIP telephones with the login procedure for the computer network and applications? So, as soon as someone logs in with his laptop into the computer network, the telephone on his desk is automatically associated with him, and he activates his personal profile and telephone extension number.

Protect phones from unauthorized access

This is exactly the functionality RSconnect offers via our Active Login Manager (ALM). It helps companies to secure their business VoIP phones from unauthorized access. ALM is a Single Sign On solution that automatically activates the desktop IP telephone as soon as a user logs into the corporate network via his computer, laptop or tablet. So, wherever in the office a user opens his laptop, the telephone beside him will automatically have his extension number, his features, and his profile. And as soon as the user leaves the office or doesn’t use his computer for some time, the telephone is logged out again.

Try ALM single sign-on

Download ALM Pro