Several friends and family members of mine received a call from a North American (+1) phone number which played a pre-recorded message informing them of a supposed court summons. I happened to receive a call from a +1 number too. I had also missed a domestic call shortly before the international one. While these automated calls are part of a well-known scam, looking at the phone numbers, I noticed that the Indian and North American phone numbers were identical to each other, save for their country codes. The Indian number was +91 98199 69857, and the American number was +1 (981) 996-9857.
What is caller ID spoofing?
Caller ID spoofing is a technique with which the phone number that a call appears to originate from can be falsified. On a technical level, caller ID spoofing is not difficult to perform. Spoofing techniques have been honed by enthusiasts, telemarketers, and fraudsters alike, over the years. Malicious individuals use caller ID spoofing primarily to shield their identity when engaging in illicit activity. At times, caller ID spoofing is used by these individuals to carry out social engineering attacks, where the spoofed caller ID is abused for the implicit trust that the receiving party associates with it. Caller ID spoofing can also be used to circumvent standard call blocking systems, and even for exploiting vulnerabilities in insecure Interactive Voice Response (IVR) systems.
Caller ID spoofing in itself is perfectly legal in many jurisdictions, and as a result of this several companies offering caller ID spoofing services to customers around the world have popped up over the years, with the first commercial caller ID spoofing service launching in 2004.
Tackling scam calls
Caller ID spoofing is a costly affair for everyone involved. Telecommunication service providers lose revenue, users that are defrauded due to a scam call abusing a spoofed caller ID lose money, and law enforcement has a harder time investigating crimes where spoofed caller IDs are used. Caller ID spoofing is not a new phenomenon, and there have been several earnest technical efforts made for fixing the problem.
The International Telecommunications Union (ITU) is a special UN agency focused on improving and standardising global information and communication technologies. The ITU was originally established as the International Telegraph Union in 1865, much before the UN existed, and of which India has been a member since 1869 onward. In 2021, the ITU published a technical report on countering caller ID spoofing. While this report does not have any mandatory provisions, it does provide a reference using Public Key Infrastructure (PKI) based authentication which could be implemented by Indian telecom operators to fix caller ID spoofing for good.
The Telecom Regulatory Authority of India (TRAI) had earlier recommended to telecom operators to integrate a system known as Calling Name Presentation (CNAP), with the idea of allowing consumers to know who is calling them in a way similar to how applications such as TrueCaller do it, except CNAP would be mandatory, and caller names would appear as per KYC documents. A 2022 consultation paper on the project makes only a few mentions of caller ID spoofing, and does not provide a plan or technical measures for tackling the issue. It merely acknowledges in one sentence that caller ID spoofing is a problem that exists. The Department of Telecommunications (DoT) is reportedly in the process of launching a pilot of the CNAP project. Though it is not known whether CNAP will (or should) be implemented, it can be said that introducing such a system without first implementing a technical fix for caller ID spoofing will be a mistake.
According to news reports from May 2024, the DoT has devised a system to “identify and block” international calls with a manipulated Calling Line Identity (CLI) and has issued directions to telecom operators to prevent such calls from reaching subscribers.
However, considering that the problem has still not been fixed, it is unclear whether the system (technical details of which have not been furnished) is effective, or if it has even been implemented.
Government inaction
The Telecommunications Act, 2023 which was partially notified on June 26 of this year allows the Union Government to take over control and operation of any telecommunication service or network during times of “emergency.” Section 20 of the Act empowers the Government to take “temporary possession of any telecommunication service or telecommunication network from an authorised entity” for “any public emergency, including disaster management, or in the interest of public safety.” The Act has received criticism for being invasive and potentially increasing surveillance powers. That aside, it can be said that fixing caller ID spoofing would be “in the interest of public safety”; why then has the Government not taken action?
Fixing the technical and implementation problem of caller ID spoofing will have an outweighed impact for all stakeholders. For consumers, fixing caller ID spoofing will reduce spam and fraud calls, and will completely eliminate fraud that relies on false representation of one’s identity via phone number. For telecommunications providers, it will save revenue that would otherwise be lost, and for the Government and therefore the public, it would result in revenue that would contribute to the Indian economy.
Karan Saini is a security engineer and researcher based in New Delhi, India
Disclaimer: The copyright of this article belongs to the original author. Reposting this article is solely for the purpose of information dissemination and does not constitute any investment advice. If there is any infringement, please contact us immediately. We will make corrections or deletions as necessary. Thank you.
