FCC Probes Caller-ID Fakers
Wired News | March, 02, 2006
By Kevin Poulsen
If you've ever used one of the half-dozen websites that allow you to control the phone number that appears on someone's caller ID display when you phone them, the U.S. government would like to know who you are.
Last week the FCC opened an investigation into the caller-ID spoofing sites -- services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.
A seven-page demand from the FCC's enforcement bureau sent to one such service, called TeleSpoof, says the commission is investigating whether the site is violating the federal Communications Act by failing to send accurate "originating calling party telephone number information" on interstate calls. A copy was also sent to VoIP service provider NuFone
The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.
Dated February 24th, the FCC letter gives TeleSpoof 20 business days to respond.
The operator of the site, a 21-year-old hacker who spoke on condition of anonymity, says he's looking for an attorney, and has not yet released any information to the FCC. "If a customer sees this, they're going to be kind of bummed," he says. "They wouldn't want their info released, and I may have to give it up."
Caller ID spoofing was once the exclusive province of shady boiler rooms that could afford bulk-rate phone connections and expensive equipment. But in 2004 hackers found a way to spoof their caller ID by taking advantage of permissive VoIP service providers that offer connections to the conventional phone network while allowing customers to send anything they want as their caller ID.
In August 2004, a southern California entrepreneur tried to capitalize on the hack by launching an internet-based spoofing service, Star38.com. The service was initially offered exclusively to collection agencies, and quickly faced a host of copycat services that would sign up anyone for a nominal per-minute fee. Star38 has since gone out of business, while the more egalitarian offerings have flourished.
To use a spoofing service, a customer pre-purchases minutes with a credit card or PayPal account. Then to make a call they simply visit the website and fill in three fields: their phone number, the number they want to call and the number they want to appear to be calling from.
The service dials them back automatically and connects them. At the receiving end, the caller sees only the spoofed number, which could be anything from the White House to Paris Hilton's private line.
TeleSpoof's operator says he has about 600 users. Private investigators were his earliest customers, but ordinary consumers have found uses for his service as well, he says. In one case, a divorced father was able to talk to his child on Christmas by spoofing his caller ID to slip the call past his estranged ex-wife, he says.
But last month Congress heard testimony that criminals have used the services while making pretext phone calls to wheedle private consumer information out of companies. The services have also reportedly been used to target businesses that rely on caller ID for authentication -- Western Union wire transfers service have been particularly vulnerable, as are T-Mobile voice mailboxes in their default configuration.
It's unclear why the FCC wants to identify users of the service, or what prompted the commission to launch an investigation at this time, after permitting the sites to operate unchecked for so long. But politics may have played a role. In an Associated Press story Wednesday, Republican congressman Tim Murphy complained that a critic flooded his office last fall with recorded phone calls, and used caller ID spoofing to cover his tracks. A representative for Murphy didn't immediately return a phone call Thursday.
The FCC says it doesn't comment on pending investigations.
TeleSpoof would have a difficult time resisting the FCC's demand in court, says Orin Kerr, a law professor at the George Washington University.
"Basic subscriber information gets a very low protection," he says. "The primary limits on the government's ability are overly burdensome requests. But it's hard to see how a request like that would be overly burdensome."
But Kerr says TeleSpoof or its customers could ask a federal court to quash the FCC demand on First Amendment grounds. "They would have to say it interferes with their right to anonymous speech."
In response to the investigation, TeleSpoof has stopped accepting new customers. The service's operator says he started the site anonymously because Star38's founder claimed in press reports to have received death threats because of the site. But he remained anonymous in the hopes of avoiding regulatory entanglement. "I kind of did it anonymously to protect myself if something like this ever happened. I can't ignore it though."
A competing service, SpoofCom, said in an e-mail that it had not received anything from the FCC. Two others, SpoofCard and the Canadian firm SpoofTel did not answer e-mail inquiries. Camophone, the earliest site to offer spoofing to the masses, recently stopped accepting new customers and is bouncing e-mail.
Last modified March 3, 2006