Don't Trust Your Caller ID |
by Oscar Sodani | |
February 28, 2004 | |
Oscar Sodani is a founder of Help2Go and owner of Help2Go Networks, an IT consulting firm in the Washington D.C. area. Oscar holds the CISSP certification as well as industry certifications from Microsoft, Cisco and Novell. On television this morning, I saw a segment in which famous hacker Kevin Mitnick demonstrated the potential faultiness of Caller ID (where the number that is calling you shows up on your telephone or cell phone screen). This is called "Caller ID Spoofing", and is something you should be aware of. This was an interview on TechTV's The Screen Savers show (which I recommend by the way). He first asked trhe host of the show who he would like a call from. The host mentioned the White House, and of course since this was all planned Mr. Mitnick knew that number off the top of his head. Mitnick then picked up his cell phone, dialed a bunch of numbers and punched in the cell phone number of the host. Within a second or two, the host's cell phone rang, and displayed on the Caller ID of the cell phone was the aforementioned phone number of the White House. Some research online indicates that this is a "hack" that can be done with only a few different models of cell phone, although noone seemed willing to publish details on how it was done (and Mr. Mitnick certainly wasn't going to give the trick away on TV). We got the Caller ID service because it's a convenient way to screen calls, and because it's nice to know who you are about to speak to. The mere idea that this can be done is a cause for concern. When my Caller ID identifies that my credit card company is calling, or my bank, I never thought twice about the validity of that claim. Now that validity can be called into question. This further reinforces why you should NEVER EVER divulge any personal information via the telephone. With a simple Social Security number, a con artist can easily commit fraud against a US citizen. Similar ID numbers are used in other countries as well. Dates of birth can be looked up online easily, as can mother's maiden names (thanks to genealogy sites). At the very least, you should ask a number at which you can call the person back, and then verify that the number indicated is actually part of that company's system. But if you want to be truly safe, conduct such business in person. Even a secure Internet site can be more secure than the telephone! I've had friends and family who were victims of identity theft and credit fraud. The police won't even look at it unless the fraud was of a sizable sum (>$10000). However, the time you will spend correcting mistakes on your credit reports can take months or years. Have a question? Need help? Get free, friendly person-to-person help with your computer questions or spyware questions in our help forums! |