Detecting Caller ID Spoofing Attacks
Aman Donald Ram
Department of Computer Science and Engineering
Lovely Professional University, Punjab
Abstract—Caller ID (caller identification) is a service pro-
vided by telephone carriers to transmit the phone number
and/or the name of a caller to a callee. Today, most people
trust the caller ID information, and it is increasingly used to
authenticate customers (e.g., by banks or credit card
companies). However, with the proliferation of smartphones
and VoIP, it is easy to spoof caller ID by installing
corresponding Apps on smartphones or by using fake ID
providers. As telephone networks are fragmented between
enterprises and countries, no mechanism is available today to
easily detect such spoofing attacks. This vulnerability has
already been exploited with crucial consequences such as
faking caller IDs to emergency services (e.g., 9-1-1) or to
commit fraud.
In this paper, we propose an end-to-end caller ID verification
mechanism CallerDec that works with existing combinations
of landlines, cellular and VoIP networks. CallerDec can be
deployed at the liberty of users, without any modification to the
existing infrastructures. We implemented our scheme as an App
for Android-based phones and validated the effectiveness of our
solution in detecting spoofing attacks in various scenarios.
Keywords-End-user Security; Caller ID Spoofing;
I. I NTRODUCTION
“What’s worse than a bad authentication system?
A bad authentication system that people have
learned to trust”.
Caller ID services transmit the phone number and/or
the name of a caller to the recipient (callee) as caller ID
intending to provide informed consent to the callee before
answering calls. However, Caller ID has been increasingly
used to authenticate the identities of callers, or to verify their
physical locations in several systems, ranging from 9-1-1
emergency services, automatic telephone banking systems,
credit card activation systems, to voicemail services. Un-
fortunately, existing caller ID protocols do not provide real
authentication and hence are untrustworthy for authenticat-
ing callers’ locations or identities, because caller IDs are
vulnerable to spoofing attacks; i.e., an attacker can easily
send a fake caller ID to a callee. This vulnerability has
already been exploited in a variety of misuse and fraud
incidents: In the US, thousands of people were victimized
by credit card fraud with the help of caller ID spoofing,
* This author is the corresponding author.
causing a loss of more than $15 million dollars annually;
caller ID spoofing is also a common technique used for
swatting, which is an attempt to trick an emergency service
with false reporting of an incident — for instance, police
officers were tied-up in responding to a non-existent robbery
reported by pranksters; drugs were misused as a result of
spoofed pharmacists’ phone number, other incidents include
identity theft, purchase scams, etc. Due to the proliferation
of detrimental incidents caused by caller ID spoofing, the
US government passed the legislation Truth in Caller ID
Act of 2009 making it illegal to transmit misleading or
inaccurate caller ID information with the intent to defraud.
However, the legislation does not stop the misuse or
fraud, and today spoofing caller IDs has become much
easier, because many VoIP providers allow anyone to claim
arbitrary caller IDs through VoIP client software (e.g., x-
lite), and fake ID providers allow their customers to claim
any caller ID by simply dialing a special phone number or by
utilizing readily available Apps on smartphones (e.g., Caller
ID Faker). Thus, in this paper, we focus on detecting caller
ID spoofing attacks.
Caller ID spoofing is possible because caller IDs are
transmitted in plaintext with no authentication mechanisms
in place. When a call is routed between different carriers,
the callee’s carrier will simply accept the caller ID claimed
by a caller’s carrier. Given the lack of authentication be-
tween carriers, caller IDs could be trustworthy if (a) the
telephone service providers do not manipulate caller IDs,
(b) The telephone infrastructure is tightly controlled, and no
intruders could tap into the infrastructure to create an
arbitrary caller ID. These conditions were true in the early
days as the telephone network used dedicated lines operated
by a monopoly. Today, with current converging phone/data
networks and diversity of telephone service carriers, neither
holds any more. Moreover, telephone carriers may not be
able to solve the problem even if they can redesign the
protocols. This is because the entire telephone infrastructure
comprises several telephone carriers with their own trusteds
domains, and a carrier can at most verify calls originated in
its own network but not from other networks. To the best of
our knowledge, no mechanism is currently available to users
for detecting caller ID spoofing without answering the call
first or without a special interface (and agreement) provided
by the carrier, as used by commercial solution TrustID.
Challenges and contributions. We propose to design an
end-to-end solution to detect caller ID spoofing. Designing
such a practical mechanism is challenging: First, only lim-
ited information and resources are available at end users. The
route of call signalling is unknown. Second, compatibility
to different protocols (GSM, VoIP, PSTN) limits the design
space. Third, a large deviation from the regular calling
procedure is unlikely to be accepted by most people. Thus,
naive solutions such as rejecting an incoming call and then
calling back, are not an option. The detection mechanisms
should be mostly automated and require little user input.
Fourth, a few legitimate services provided by telephone
companies allow the caller IDs to be different from the
calling numbers, making those caller IDs appear to be
spoofed. However, those scenarios should not be classified as
caller ID spoofing attacks. We address all these requirements
and design an end-to-end caller ID verification scheme that
we call CallerDec. Essentially, CallerDec utilizes a
covert timing channel between end users to verify the caller.
The timing channel in telephone networks is feasible because
delays in circuit-switched telephone networks are stable due
to their quality of service (QoS) requirements, unlike the
ones in Internet. We summarize our contributions as
follows:
• We propose CallerDec, an end-to-end caller ID
verification scheme that requires no modification to
the existing telephone infrastructure and is applica-
ble to calling parties using any telephone services.
CallerDec can detect spoofing even if a caller ID
is not in the contact list or is unreachable.
• We present two use cases of CallerDec, one for an
emergency call scenario (e.g., 9-1-1 call) and the other
for a regular call scenario. In both cases, the end users,
(e.g., a 9-1-1 service or an individual customer) can
utilize CallerDec to verify caller IDs.
• We implement CallerDec as an App for Android-based
smartphones where we tackle several technical chal-
lenges caused by the limited API support for controlling
calls. We examine the CallerDec performance in
various scenarios, and show that it can detect spoofed
caller ID effectively and efficiently (i.e. incurring al-
most no extra energy overhead).
We stress that, while we implemented CallerDec on
Android smartphones as a case study, our solution can also
be integrated in any other telephone devices.
II. C ALLER ID S POOFING ATTACKS
Caller ID spoofing is defined in the US legislation act as:
A caller ID spoofing attack is a malicious action that
SS7/VoIP
€aller's €allee's
€arrier €arrier
Fake ID
Provider
Eve Bob
Figure 1. An illustration of how a fake ID provider spoofs a caller ID
leveraging the loophole in network interconnection protocols.
causes any caller identification service to knowingly transmit
misleading or inaccurate caller identification information
with the intent to defraud, cause harm, or wrongfully obtain
anything of value. This definition makes it difficult to detect
caller ID spoofing, since there are a few standard, non-
malicious telecommunication services that result in a
mismatch of the displayed number and should not be
classified as caller ID spoofing. In this section, we first
discuss spoofing attacks that can be carried out in different
telephone setups, and then discuss scenarios that should not
be identified as spoofing attacks.
A. Spoofing via Fake ID Providers
Fake ID providers offer caller ID spoofing services. They
establish SS7/VoIP connections with various telephone car-
riers (e.g., AVOICS), and act as intermediary between
attackers and victims to relay caller IDs specified by its cus-
tomers (attackers in this case). Fig. 1 illustrates an example,
where an attacker (Eve) tries to call the victim (Bob) faking
Alice’s caller ID. First, Eve calls the fake ID provider, and
supplies Bob’s phone number as the destination number and
Alice’s phone number as the desired spoofed caller ID. Then,
the fake ID provider establishes a call to Bob with Alice’s
caller ID, and finally connects Eve with Bob once the call
is answered. Eve can subscribe to a fake ID provider and
carry out spoofing attacks towards any victim from any type
of phone, provided that the fake ID provider is connected to
the victim’s network.
B. Spoofing via VoIP Services
Many VoIP carriers allow their customers to specify their
own caller ID, and will forward the caller ID to the callee’s
carrier without modifications. An adversary can subscribe
to a VoIP carrier that allows caller ID manipulation and can
either use VoIP client software or a VoIP phone to claim
arbitrary caller IDs.
C. Spoofing via Automated Phone Systems
Automated phone systems provide Interactive Voice Re-
sponse (IVR) services for purposes of marketing, survey
collection, etc. Some service providers (e.g., Voxeo, Nuance
Cafe) allow their subscribers to select their own caller IDs
and will deliver the selected caller IDs for their subscribers
regardless of their intention. Because these
 providers connect to major telephone carriers via SS7 or reject voicemail
VoIP protocols, the downstream telephone carriers will new verification call answer
simply accept any caller IDs, including the spoofed ones.
verification straight to
reject after ıv pressed “1”
D. A Mismatched Caller ID but not Spoofing call after ısv voicemail
no no yes yes
no no
The caller ID blocking services and Primary Rate In- yes
terface (PRI) lines generate a mismatched caller ID, but
should not be classified as caller ID spoofing. For caller ID original no yes pressed “2”
no
blocking service, a carrier will transmit the text BLOCKED call active?
yes
or UNAVAILABLE instead of the real caller ID to the callee. yes
PRI lines are designed for business organizations that want VALID SPOOFED NOTSUPPORTED
to support multiple simultaneous calls (i.e., 32 channels for
an E1 line ) while sharing one single caller ID for all their
phone lines. In a PRI system, each phone line inside an end
organization is connected to the PRI line through a Private
Branch Exchange (PBX), which assigns the same caller ID
to all outgoing calls. The mismatched caller IDs in PRI lines
are different from caller ID spoofing because the caller ID confirming the caller ID or to press “2#” to reject
associated with a PRI line is officially owned by the business the verification. To proof her Caller ID, Alice
organization and once assigned, and the caller ID cannot be presses the proper keys, and Bob will conclude
changed without the permission from telephone carriers. Our that the caller ID is VALID. Alternatively, Alice
CallerDec will recognize both blocking services and PRI may press a random key, and then Bob will
lines as non-spoofing cases. conclude that CallerDec is NOTSUPPORTED at
Alice’s end. In addition, Alice may ignore the call
III. C ALLER D EC : V ERIFYING C ALLER IDS or may reject the call. For both responses, Bob will
conclude NOTSUPPORTED.
A. Overview i. Spoof a Reachable User. Similarly,
The basic idea of CallerDec is to create a trusted Alice may answer
covert channel between Alice and Bob, i.e., the the verification call. After Alice enters the
channel allows Alice and Bob to perform a challenge- proper input (i.e., “2#”), Bob will conclude that the
response but it is inaccessible to Eve. Forming such caller ID is SPOOFED. For all other key-press
an end-to-end covert channel is tricky as CallerDec (except “1#”), Bob will conclude
considers a telephone network as a black box and NOTSUPPORTED. In cases that Alice rejects the
the covert channel has to be compatible with all verification call, Bob will use the classifier to
types of telephone networks. Thus, we utilize the end- verify whether Alice has waited for an interval τv
to-end service —traditional phone call service— to before rejecting the call. Since the value of τv is
form an end-to-end covert channel between Alice and chosen before- hand to ensure that it is unlikely for
Bob. a human to reject calls after τv interval (e.g., τv =
Essentially, the covert channel is built on top of the 0), Bob’s CallerDec concludes
control channel that is used for call signaling in a NOTSUPPORTED. In cases that Alice ignores the
traditional telephone network where no users can call and the verification call goes to a voicemail
manipulate control channels directly. Nevertheless, after timeout on ringing, Bob will conservatively
the calling parties can ac- quire the status of the conclude that CallerDec is NOTSUPPORTED.
phone call (e.g., answered/rejected). Since Eve cannot ii. Spoof an Unreachable User. The
control or access the calls between Alice and Bob, verification call will go to a voicemail directly, and
they form a trusted covert channel by initializing, Bob can identify the situation utilizing the classifier
answering, or rejecting phone calls between them. and will conclude that CallerDec is SPOOFED.
 REFERENCES
IV. C ONCLUSION [1] B. Schneier, http://www.schneier.com/blog/archives/2006/03/-
caller_id_spoof.html.
In this paper, we investigated caller ID spoofing attacks
[2] ABCNews, Caller ID Scam Solicits Personal Info, Money.
and identified that it is the network interconnection proto-
abcnews.go.com/GMA/Consumer/story?id=3305916, 2007.
cols that make caller ID spoofing possible. We designed
[3] D. Cuellar, Pranksters Terrorize Delco Family in “swatting”
an end-to-end solution, which we call CallerDec, to Call. WPVI-TV, Philadelphia, PA, 2010.
detect a spoofed caller ID. CallerDec verifies the caller [4] Rep. Engel Anti-Spoofing Bill Passes House,
ID using a covert channel, which is built on top of the http://engel.house.gov/latest-news1/rep-engel-anti-spoofing-
verification call from the callee to the claimed caller, and bill-passes-house.
CallerDec uses timing estimation together with the call [5] https://en.wikipedia.org/wiki/Caller_ID_spoofing
status for verification. We implemented CallerDec in
Android-based phones and validated that CallerDec can
effectively verify caller ID. Although the end-to-end delay
for completing a verification takes a few seconds, such delay
can be hidden when the verification is performed in parallel
to the voice call.
We studied CallerDec on Android-based phones as
a case study, but CallerDec can be integrated to other
types of phone terminals to protect end users from caller
ID spoofing attacks. In addition, the current CallerDec
will conclude NOTSUPPORTED when CallerDec is
not implemented by a phone terminal. We envision that
NOTSUPPORTED can be eliminated once the CallerDec
is supported on all telephone terminals.

View publication stats