According to FoxNews and "Internet Security Systems", you can no longer trust your caller ID. They suggest that the new "Voice over IP" (VoIP) or internet phones make it easier for unscrupulous people to fake or "spoof" the caller ID name and number. This is a very scary development because unsuspecting people who receive a call from XYZ Bank will look at the caller ID, believe it is their bank and answer the questions asked.
What's the big deal? Well, identity theft is the key concern in this case, but it could be much worse. Now, when someone steals your identity, they can even make phone calls "as you" and get more information.
Here is the report from Internet Security Systems (2003):
Vonage's Voice over IP network (VoIP) systems could allow a remote attacker to spoof a Vonage user's caller ID. By using Session Initiation Protocol (SIP) enabled VoIP hardware and calling a vulnerable Vonage user, a remote attacker can spoof the victim's caller ID by placing the victim on hold, once the victim answers the phone, and calls a third party, allowing the attacker to see the victim's caller ID information and assume that the attacker is the Vonage user.
Personally, I think Vonage is taking the brunt of this report, because there are actually services out there that you can sign up for to create your own spoofed caller ID. Spooftel.com and Telespoof.com are two I quickly found from Google.
Telespoof.com offers the first domestic and international Caller ID spoofing service, allowing business professionals to remain anonymous when calling from anywhere in the world, to anywhere in the world. We like to think of it as "mobile invisibility", the highest quality Caller ID spoofing service available anywhere in the world.
It was also suggested during the interview that attackers could use a combination of email, postal mail and spoofed caller ID to earn your confidence so you will give up your personal information. It's really concerning to me because there are so many people who don't understand the technology and will simply trust Ma Bell.
So what are we to do? Trust no one. Okay, that's a little harsh, but at a minimum, treat any email, phone call and even postal mail as a potential threat, then use some common sense in confirming its legitimacy.
Just as with the spam phishing schemes that try to get you to give up your passwords, start applying the same rules to people who call you.
Simple suggestion. When I get an email with a link to my bank or other service, I never click the link. I open my browser and type the address in. I do this because I know that while the link might say "mybank.com" it could easily send me to imstealingyouridentity.com.
Just as with phishing, a caller who appears to be from mybank says, "We need to confirm your account security setting and we need you to give us your information." I say that I'm too busy right now and would like to call back. Ask for a number, but don't use it; instead, use the number listed in the phone book or on the back of your credit card.
Odds are, when you ask for the number they will offer to call back or simply hang up. If they do give the number, keep it! If it turns out that it is a scam, law enforcement would be very eager to receive that information.
Anyway, hats off to "Chris" of Internet Security Systems. You did a great job on the air and your website doesn't suck either. (grin)