Why caller ID spoofing is not easy to prevent

A loyal blog reader asked:

What prevents the U.S. telephone carriers from ending the use of spoofed caller-IDs? It would seem possible to put an authenticated (tokenized) caller-ID system in place for in-country calls that maintains the originating number, or at least flags the displayed number with some symbol if it cannot be authenticated.

This is a very good question.  The answer might surprise him.

Yes spoofed caller ID is a big problem.

The problem is that you are assuming a fact not in evidence. There is no such thing as “the originating number”. Decades ago I guess there was such a thing. Not for at least a decade, however, has there been such a thing as “the originating number”.

In the old days, the only way you could place outgoing telephone calls was by getting a physical landline telephone line from the monopoly telephone company in your local area. This dial tone was delivered on a pair of copper wires. That telephone company knew perfectly well what your telephone number is, because that telephone company made it possible for you to receive telephone calls at some particular telephone number. To the extent that someone might say that it was necessary to “enforce” what the caller ID was on your outbound telephone calls, the telephone company was able to “enforce” this because necessarily that company handled both your incoming and your outgoing telephone calls. There was a monopoly situation where by definition the two kinds of calling (inbound and outbound) were automatically linked in a way that the customer had no control over.

But for at least a decade, now, the technological situation is quite different, because of SIP and VOIP.  Using SIP and VOIP, it would be very easy to set up a business in which you simply never receive an incoming telephone call, not by means of any telephone number. The business might only place outgoing calls.

If you run a business that only places outgoing calls, then what can we say about what your “originating” telephone number is? Nothing. We cannot say anything. The caller does not really have an “originating” telephone number.

In our office we have several inbound telephone numbers. But there’s nothing that requires us to have inbound telephone numbers, other than perhaps the convenience of being able to receive inbound telephone calls.  There is no technological linkage, not in the past ten years, between “the number people use to call you” and “the number that shows up on the caller ID if you call somebody”. One of the reasons that there is no linkage between the two is that one might exist and not the other. You could have a business that receives incoming calls but that does not place any outgoing calls. You could have a business that places outgoing calls but does not receive any incoming calls.

The reason for all of this is SIP and VOIP. The technologies of SIP and VOIP make it so that there is no linkage between the two things.

Oh and even if for some reason you were to choose to set up a business that can do both things — receiving incoming calls and placing outgoing calls — there is nothing about this that requires any linkage between the carrier that you use for the one direction and the carrier that you use for the other direction. In our case for example we receive incoming telephone calls through several carriers (including “Callcentric” and “Localphone”) and we send outgoing calls through another carrier (“Voip.ms”). The carrier that we use for the outgoing calls has no way to know what telephone numbers we use to receive inbound telephone calls on the other carriers.

If for some reason we were to feel the need to switch to a different carrier to handle outgoing telephone calls, we could switch at a moment’s notice. We would simply change a line of configuration data in our PBX to direct outgoing calls by means of the new carrier instead of the previous carrier.  (The outgoing calls would pass over something called a “SIP trunk” which is merely an Internet connection.)  In such a case we have the ability to tell the new carrier what we want our caller ID to be. We could say whatever we want about the caller ID telephone number, and the new carrier would not have any way to know whether we do or do not receive telephone calls at that telephone number.

Suppose for example that some state or federal body were to pass a law (or promulgate a regulation) that purports to require a carrier that handles outgoing telephone calls to “enforce” that the caller ID matches some trusted source (like, maybe, a telephone number upon which the caller can also receive calls).  Or suppose (as our reader suggests) that some state or federal body were to pass a law that purports to require a carrier that handles outgoing telephone calls to “flag” the caller ID with a special symbol under certain circumstances.  In such an event the carrier would be able to say, without it being untrue, that the carrier simply lacks any technical way to do what the law purports to require.  Saying this in a different way, technological changes would have to happen to make such “enforcement” possible.  It would not be enough simply for some state or federal body to pass a law or promulgate a regulation.

So in the near term, spoofed caller ID is just part of life.  Pretty substantial technological changes would be needed in the Public Switched Telephone Network for things to happen such as were suggested by my blog reader.

3 Replies to “Why caller ID spoofing is not easy to prevent”

  1. The service provider must know where the outgoing calls are going out from, so that it can bill the caller. It must have, for that and other management purposes, a unique identifier for the source. All it needs to do is append that identifier, or some other unique code uniquely matched to that unique identifier, as the “caller ID” number on outgoing calls. It doesn’t have to be an actual telephone number.

    1. Thank you for posting.

      Actually you might be surprised how little a service provider may know about the customer who is placing calls via a SIP trunk. The customer may have paid with Bitcoin, for example. The service provider may know little more than the IP address for the “register” end of the SIP trunk.

  2. Thanks for the explanation. You’re certainly right that laws won’t happen, particularly in our current deregulation era. But, I see a potential future product offering for incoming calls, one I’d pay for, that would work something like HTTPS: Verizon (say) would allow me the option to filter (block or not answer based on a caller-ID prefix) all incoming calls that did not carry a traceable signature from some recognized authority. Callers’ outgoing providers, to comply with this scheme, would offer their customers a signature as part of the outgoing call service, giving them legitimacy. Better than a whitelist, since I wouldn’t need to approve in advance.

Leave a Reply

Your email address will not be published. Required fields are marked *