Skype for Business, Security, Caller ID spoofing

Security information from Technology Services Privacy and Information Security team.

Caller ID spoofing - A tough and, as of right now, unfixable problem

Scenario:

You get a call. You look at your phone and it reports that the incoming call is coming from on-campus. If you're on a university-owned computer, your phone or computer might even helpfully look up the caller's name in the directory and display it. But when you answer, your sixth sense rings out as a fraudster lays into you with their agenda: "Take our survey" or, "This is the FBI, Western Union us some money or we'll arrest you!" or, "Your dear relative has been in an accident overseas, send iTunes gift cards, stat!" or, "Wire us money and we'll make you rich!", etc.

You're confused! Why would our colleague take such a sleazy path, you may think. Alternatively, you may think that person has been "hacked". In reality it's not that person. In fact, whoever has just rung you is extremely unlikely to be anywhere near the university. The reason is simply that while digital telephony is the way of the future, it doesn't yet give end users any way to detect this kind of fraud.

THE ISSUE:
Caller-ID spoofing is possible, systemic, untraceable, and, unfortunately, not fixable at our level.

WHY?
  • SIP trunking for digital telephony cannot do what old-school copper lines and switches used to give us: reliable origin reporting and tracing.
  • The SIP protocol relies on every endpoint to report its phone number honestly, but with readily available SIP-spoofing software anyone can change the phone number that is reported to the call receiver's caller ID.
  • Customers, including large universities, cannot detect or prevent inbound calls from outside lines from fraudulently reporting that they came from the inside.
  • This is why the telephone system has been afire with fraudsters for at least the last 4-5 years, and why a growing number of congresspeople and AGs* are laying into the chairman of the FCC for a fix.
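To show why the displayed number proves nothing, here is an added illustration (not from this article or from Technology Services): it parses two constructed SIP INVITE messages, one from a campus desk phone and one arriving from an outside address, and extracts what a phone would display. Both produce the identical caller ID, because the From header is plain text written by whoever sends the message and nothing in the message authenticates it.

```python
import re

# Constructed sample SIP INVITEs (not real captures). The only difference
# is where each message came from; the From header is identical text.
INTERNAL_CALL = (
    "INVITE sip:2175550100@campus.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.23:5060;branch=z9hG4bK-constructed1\r\n"
    'From: "Desk Phone" <sip:2175550199@campus.example>;tag=a1\r\n'
    "To: <sip:2175550100@campus.example>\r\n"
    "Call-ID: constructed-1@campus.example\r\n\r\n"
)
OUTSIDE_CALL = (
    "INVITE sip:2175550100@campus.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.45:5060;branch=z9hG4bK-constructed2\r\n"
    'From: "Desk Phone" <sip:2175550199@campus.example>;tag=b2\r\n'
    "To: <sip:2175550100@campus.example>\r\n"
    "Call-ID: constructed-2@203.0.113.45\r\n\r\n"
)

def parse_headers(invite):
    """Return the SIP headers of an INVITE as a dict (first value wins)."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def displayed_caller_id(invite):
    """What the phone shows: display name and the user part of the From URI.
    Both values are copied verbatim from sender-supplied text."""
    m = re.match(r'(?:"([^"]*)"\s*)?<sip:([^@>]+)@', parse_headers(invite)["from"])
    return (m.group(1) or "", m.group(2))

def indistinguishable(invite_a, invite_b):
    """True when two calls would show the receiver the same caller ID,
    regardless of where they actually originated."""
    return displayed_caller_id(invite_a) == displayed_caller_id(invite_b)

if __name__ == "__main__":
    print(displayed_caller_id(INTERNAL_CALL))   # ('Desk Phone', '2175550199')
    print(displayed_caller_id(OUTSIDE_CALL))    # ('Desk Phone', '2175550199')
    print(indistinguishable(INTERNAL_CALL, OUTSIDE_CALL))  # True
```

The receiving phone never sees the sending address; it sees only the header text, so a directory lookup on that number "succeeds" for the outside caller just as it does for the real desk phone.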
NOW WHAT?
  • As always, be vigilant when answering unexpected calls, especially when the caller suddenly asks you to wire money, gift cards, bitcoin, or anything of value.
  • Do not assume that a call reporting itself as "local" is in any way trustworthy.
  • Report all fraudulent phone calls to the FTC. (https://www.ftccomplaintassistant.gov/)
  • Never send anything of value based on an unverified incoming call.
  • Never divulge any valuable, sensitive, or identifying information to the caller on an unverified incoming call.

Ref:
SIP spoofing with Asterisk:
https://blog.rapid7.com/2018/05/24/how-to-build-your-own-caller-id-spoofer-part-1/
https://allanfeid.com/content/caller-id-spoofing-w-asterisk

*The AGs have had it
https://www.insidearm.com/news/00044409-35-state-attorneys-general-request-fcc-im/

Keywords: skype phone spoof sip fraud caller-id callerid scam security telephone cellphone sfb lync
Doc ID: 62646
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2016-04-11 11:14 CDT
Updated: 2019-08-14 10:19 CDT
Sites: University of Illinois Technology Services