In defense of Caller-ID spoofing

Turns out that Caller-ID spoofing has fans...

It's not me mounting the defense, mind you. However, I thought it worth noting that a recent column -- "Confessions of a Caller-ID spoofer" -- generated significant reader reaction, not all of it in lockstep condemnation of the practice.

Turns out that Caller-ID spoofing has fans ... and not only among the criminal, unscrupulous and desperate: For example, you're about to read pleas for understanding from an engineer who works for an IP PBX manufacturer, as well as a dutiful father (his is priceless).

For those who missed the initial items, the first post concerned the tale of a telecom industry veteran who used a Caller-ID spoofing service -- over and over and over again -- to break through the voice-mail of a former employer he says owed him thousands in unpaid commissions, while the second involved a small company that was put out of business for more than 24 hours by a spoofing-enabled credit con.

First we'll hear from Jeff Rowley, an engineer at ShoreTel:

Two beneficial uses of Caller-ID spoofing that we implement in the ShoreTel IP-PBX include being able to send a remote-based soft-phone user's home telephone number when they call 911out a corporate trunk and, second, sending the Caller ID of the original caller when using our "Find Me/Follow Me" feature.

The first feature allows a home-based IP call-center agent to place normal outbound calls from their PC-based IP soft-phone and the IP-PBX system sends their corporate caller ID out the corporate PRI. But when they call emergency services we can send their home telephone number instead, directing the emergency response team to the correct (home) address.

The second feature enhances our Find Me/Follow Me feature. This feature allows a caller to "press 1 to have the system find me." While the caller is waiting the system places outbound calls to the user's cell phone (or home phone, etc.) but sends the original caller's Caller-ID so the recipient knows who the call is really from, rather than just another call from the corporate office.

These beneficial features are not possible if the carrier filters out Caller-IDs that are outside of the "proper range" of DIDs.

I asked Rowley a few questions:

What about end-user control in the examples cited? Is there any and could it be abused?

In our system all three of the examples I mentioned are set by the administrator - not by the end user. Still could be abused but it would have to be a company-wide plot.

How does society allow the good while eliminating the abuses of Caller-ID spoofing?

Tough one, as is all choices between security, privacy, freedom, convenience and the like. I would equate it to allowing a consumer to being able to host their own SMTP mail server. The ISP allows this unless there is abuse (the server turns into a SPAM-monger) and then port 25 gets turned off for that connection. ... Similarly CID spoofing shouldn't be "automatically" assumed to be bad or abusive but looked at more in an "abuse it and you lose it" fashion.

Now we get to that dutiful Dad, Mitch Crane, who writes:

"I have to confess, I, too, am a Caller-ID spoofer. You see, I have two teen-age daughters who have uncanny luck with their phone service: It goes out when they don't want to hear from a parent. I just randomly pick one of their friends' numbers, spoof it and I miraculously get through. ... I'm sure they too think the practice is evil and should be outlawed."

Wonder how many times you'd have to do that before the kids would just give up and answer when Mum or Dad calls.

Join the newsletter!

Error: Please check your email address.

More about Shoretel

Show Comments

Market Place