Professional Documents
Culture Documents
4 Cid
4 Cid
Abstract—Caller ID (caller identification) is a service pro- causing a loss of more than $15 million dollars annually;
vided by telephone carriers to transmit the phone number caller ID spoofing is also a common technique used for
and/or the name of a caller to a callee. Today, most people swatting, which is an attempt to trick an emergency service
trust the caller ID information, and it is increasingly used to
authenticate customers (e.g., by banks or credit card with false reporting of an incident — for instance, police
companies). However, with the proliferation of smartphones officers were tied-up in responding to a non-existent robbery
and VoIP, it is easy to spoof caller ID by installing reported by pranksters; drugs were misused as a result of
corresponding Apps on smartphones or by using fake ID spoofed pharmacists’ phone number, other incidents include
providers. As telephone networks are fragmented between identity theft, purchase scams, etc. Due to the proliferation
enterprises and countries, no mechanism is available today to
easily detect such spoofing attacks. This vulnerability has of detrimental incidents caused by caller ID spoofing, the
already been exploited with crucial consequences such as US government passed the legislation Truth in Caller ID
faking caller IDs to emergency services (e.g., 9-1-1) or to Act of 2009 making it illegal to transmit misleading or
commit fraud. inaccurate caller ID information with the intent to defraud.
In this paper, we propose an end-to-end caller ID verification However, the legislation does not stop the misuse or
mechanism CallerDec that works with existing combinations
of landlines, cellular and VoIP networks. CallerDec can be fraud, and today spoofing caller IDs has become much
deployed at the liberty of users, without any modification to the easier, because many VoIP providers allow anyone to claim
existing infrastructures. We implemented our scheme as an App arbitrary caller IDs through VoIP client software (e.g., x-
for Android-based phones and validated the effectiveness of our lite), and fake ID providers allow their customers to claim
solution in detecting spoofing attacks in various scenarios. any caller ID by simply dialing a special phone number or by
Keywords-End-user Security; Caller ID Spoofing; utilizing readily available Apps on smartphones (e.g., Caller
ID Faker). Thus, in this paper, we focus on detecting caller
I. I NTRODUCTION ID spoofing attacks.
“What’s worse than a bad authentication system? Caller ID spoofing is possible because caller IDs are
A bad authentication system that people have transmitted in plaintext with no authentication mechanisms
learned to trust”. in place. When a call is routed between different carriers,
Caller ID services transmit the phone number and/or the callee’s carrier will simply accept the caller ID claimed
the name of a caller to the recipient (callee) as caller ID by a caller’s carrier. Given the lack of authentication be-
intending to provide informed consent to the callee before tween carriers, caller IDs could be trustworthy if (a) the
answering calls. However, Caller ID has been increasingly telephone service providers do not manipulate caller IDs,
used to authenticate the identities of callers, or to verify their (b) The telephone infrastructure is tightly controlled, and no
physical locations in several systems, ranging from 9-1-1 intruders could tap into the infrastructure to create an
emergency services, automatic telephone banking systems, arbitrary caller ID. These conditions were true in the early
credit card activation systems, to voicemail services. Un- days as the telephone network used dedicated lines operated
fortunately, existing caller ID protocols do not provide real by a monopoly. Today, with current converging phone/data
authentication and hence are untrustworthy for authenticat- networks and diversity of telephone service carriers, neither
ing callers’ locations or identities, because caller IDs are holds any more. Moreover, telephone carriers may not be
vulnerable to spoofing attacks; i.e., an attacker can easily able to solve the problem even if they can redesign the
send a fake caller ID to a callee. This vulnerability has protocols. This is because the entire telephone infrastructure
already been exploited in a variety of misuse and fraud comprises several telephone carriers with their own trusteds
incidents: In the US, thousands of people were victimized domains, and a carrier can at most verify calls originated in
by credit card fraud with the help of caller ID spoofing, its own network but not from other networks. To the best of