[VOIPSEC] Truths on "Truth in Caller ID Act"

Mpierce1 at aol.com Mpierce1 at aol.com
Thu Oct 5 09:24:30 CDT 2006 

In a message dated 10/4/2006 8:04:16 PM Eastern Daylight Time, 
zmolek at avaya.com writes:


> Satyam is correct, there was *NEVER* any system in place within or
> between PSTN carriers that prevented ANI spoofing since from its
> original introduction within ISDN to the present, except in a few very
> limited (almost trivial) cases. If you google "ANI spoofing" you will
> notice that many of the 1,400 results are not recent at all (though
> newer items tend to be overrepresented at the top).

Interesting. I Googled "ANI Spoofing" and got 1330 hits. I then excluded 
anything with "VoIP" and only got 647 hits. I suspect that many of the hits are 
just repetitions of the common "urban legends" concerning this issue and are not 
based on fact, or are old problems that have already been corrected.

Sure, as one says, the PBX can send "any number on God's green earth." and 
relates a problem with Sprint switches in Las Vegas (in 2000) that apparently 
didn't verify these numbers. I hope Sprint has learned and stopped doing this, 
and is now following the American National Standard concerning screening of 
User Provided numbers.

The search also seems to be full of descriptions of cases that were 
discovered using round-about means to cause a call to be billed to someone else, but 
that, once identified, were stopped by the relevent carriers (e.g., ATT).

First of all, the subject at hand is CLI, not ANI. They are two different 
things. ANI was the way to send the originating number over analog trunks from 
the originating PBX or end office to a toll switch that handled the billing. 
Spoofing resulted in billing long-distant calls to someone else. ANI was defined 
long before there was any Calling Line ID being sent to the called party. 
Because it was analog, in-band, it was highly suseptible to spoofing. That was one 
reason for inventing better signaling systems like SS#7 and ISDN as well as 
out-of-band ways to send the same information from the originating switch.

CLI, the subject here, is the sending of the calling line ID (telephone 
number or name) to the called party, and the original comment and my response 
pertains specifically to the ISDN PRI interface often used from a PBX to the 
service provider switch and someone's claim that CLI from this interface can be 
spoofed. It can not be, if used as defined in American National Standard T1.625 
and several equivalent ITU-T Recommendations.

The point is, the PSTN is based on a set of standards that provides the 
technical means for carriers to determine the validity of the CLI. It is always a 
fact of life that the crooks (and hobbyists) might find ways to circumvent the 
intended operation. When discovered (no matter what color you call the box 
used to do it), the industry finds ways to stop the abuse, so that the telephone 
system continues to be a fairly secure, protected way for people to 
communicate. The use of CLI for identification is appropriate for certain purposes. Just 
yesterday, I called American Express (from my home phone) to activate a new 
card. They didn't just use the CLI provided them to identify me, but asked for 
entry of my account number. If the two did not match their data base, they 
would have asked other security questions to ensure that someone did not steal my 
new card from my mailbox. That use of CLI is completely appropriate and 
provides the level of security required for that application. Unfortunately, the 
lack of even that much assurance in VoIP will kill this type of use.

Check out American National Standard T1.625 (yes, you'll find my name in the 
front as one of the people who was active in its writing). It, along with the 
supporting signaling system, provides all the technical means to prevent "CLI 
spoofing" from a PRI from a PBX. It defines that a "Validated Number" is 
passed to the called party, not simply the "User Provided Number", so, "any number 
on God's green earth" can not be passed as the Validated Number to be 
displayed at the called end. If some carrier chooses to not do this verification, 
shame on them. Operational procedures between carriers also allow one to refuse to 
use the CLI provided by another if they do not believe it is accurate. I 
believe it is this issue, along with laws, that will allow traditional PSTN 
carriers to refuse to accept CLI info coming from a VoIP system it can't trust.

Unfortunately, when it comes to the Internet in general, and VoIP in 
specific, there seems to be a lot of denial concerning the problems and possible 
solutions. There are those who insist that this is not a problem ("Let the Internet 
continue to be unregulated and a free-for-all."). It seems that part of the 
original comment was based on a belief that there are perfectly good, 
legitimate reaons for spoofing CLI. Others admit it is a problem, but argue that "the 
philosophy of the Internet" does not allow one to even think about discussing 
certain solutions. And it results in things like the ridicule of a proposed US 
law (which began this string) which tries to deal with this emerging scourge 
on our communication system.

When is a group like this going to admit that there is a problem that needs 
to be solved and then try to solve it?

Well, just my 2 cents worth. I welcome any well-reasoned, sane responses that 
directly address the comments above. Others will go in the bit-bucket.

Mike Pierce

More information about the Voipsec mailing list