Outlaw Caller ID!

In another misguided attempt to stop some dubious behavior, the House of Representatives is trying to outlaw caller ID spoofing. This is another example of legislation that will not achieve the desired outcome (i.e. getting the baddies to stop using spoofing techniques in their social engineering games), and could possibly hurt unsuspecting companies.

Why? It is a trivial task these days to change your caller ID to any arbitrary value you want. With the advent of widespread VoIP providers that explicitly let you do this, even the script kiddies can do it. Savvier folks can either reprogram their phone switch (with VoIP switches like the NBX 3000 from 3Com at less than $2k these days), or program their Asterisk switch (open source -- free) to present any caller ID they want.

Caller ID should never be used as a form of security. For example, there is a HUGE security loophole in most people's cell phone voicemail. I've tested both Cingular and T-Mobile -- both of these providers, at least in southern California, use caller ID as an authentication mechanism for voicemail. What does this mean? If you set your caller ID to be somebody's cell number, then dial that cell number, you get thrown into voicemail without any authentication. Wow. What a security problem. The easy work-around is to put a password on your cell phone voicemail (how many of us do that?).
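To make the voicemail point concrete, here is an added example (not code from any carrier or from this post) that puts a caller-ID-only access check beside one that always requires a PIN. The `Mailbox` class, the function names, the lockout threshold and the phone number are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold for this example


def hash_pin(pin, salt):
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Mailbox:
    def __init__(self, number, pin):
        self.number = number
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failures = 0


def weak_access(mailbox, presented_caller_id):
    # The behaviour described above: the presented caller ID is the credential.
    # The calling side chooses this value, so a match proves nothing.
    return presented_caller_id == mailbox.number


def hardened_access(mailbox, presented_caller_id, pin=None):
    # Caller ID may pick which mailbox to offer, but it never grants access:
    # it is deliberately ignored in the decision below.
    if mailbox.failures >= MAX_FAILURES:
        return False  # locked until reset out of band
    if pin is None:
        return False
    candidate = hash_pin(pin, mailbox.salt)
    if hmac.compare_digest(candidate, mailbox.pin_hash):
        mailbox.failures = 0
        return True
    mailbox.failures += 1
    return False


if __name__ == "__main__":
    box = Mailbox("6195550100", "482915")  # constructed number and PIN
    print("caller ID only:", weak_access(box, "6195550100"))
    print("PIN required, none given:", hardened_access(box, "6195550100"))
    print("PIN required, correct PIN:", hardened_access(box, "6195550100", "482915"))
```
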

My point is that the easier the work-around/hack to let you do something, the more silly/infeasible/stupid a legal remedy becomes. It reminds me of the issues with copyright and shared music -- if the workaround is trivial, then the legal remedy is foolish and irrelevant (but more on that in a later entry).

The danger here is that certain company practices might fall afoul of this new law. Say, for example, that I am selling products to people in San Diego. I might want the caller ID presented on my company's outbound calls to be a local San Diego number (that forwards to the main company number). Is this spoofing? Who knows? With telephony advances (and the commoditization of 800 numbers and local number call forwarding), these types of practices will become more common. They are beneficial to the consumer/customer (they get to call a local number), as well as to the business (you have a local presence).

So stop using caller ID for any form of security authentication, and put a password on your cell voicemail. Treat caller ID merely as a suggested number that you might call back on. You've been warned.