Here’s why caller ID is easy to spoof
Last week, telecom companies signed an agreement with states aimed at combating the problem of robocalls.
Industry groups estimate half of all calls to mobile phones will be scam calls this year. The most annoying ones are spoofed calls — calls that seem to be from a trusted number, whether that’s the IRS or someone in your neighborhood. (For advice on how to protect yourself and your loved ones from financial scams, check out “Marketplace’s” “Brains and Losses” series.)
As a producer here at Marketplace received her third call with a spoofed number in one day, we got to wondering: How did it get this way? Our phone numbers feel so personal, and they are almost as important as our Social Security numbers to identify us when we call our banks or just want to collect points at the supermarket. Why are they so easy to fake?
Searching for an answer took me first into the history of caller ID. It was rolled out in the late ’80s and early ’90s by phone companies as an add-on to your landline. Back then, phones didn’t have screens, so you’d have to plug in an extra box.
This was pre-internet, pre-email spam, pre-mass financial scam. The engineers building the caller ID system didn’t foresee a need to make it secure.
But in the 1990s, as the internet became more widely available, callers were able to make telephone calls through their computers using Voice over Internet Protocol technology. This meant anyone, anywhere in the world, could make phone calls en masse for very little cost. And they could change the number that call appeared to be coming from. The scourge of spoof-spam calls began.
To see just how simple it is to spoof a phone number, I tried it. I spent $9.95 on 45 calling minutes through an easy-to-find website. It gave me two boxes, the destination number and the caller ID to display. I called my co-workers pretending to be our boss. I called friends pretending to be their family members. And then I ran out of pranks. But the point is, it’s ridiculously easy.
If you’ve reached the point where you no longer answer your phone, there is a solution in sight. Part of the deal that phone companies have signed up to is to implement a technology called STIR/SHAKEN (or sometimes SHAKEN/STIR). It’s a contrived acronym for Secure Telephone Identity Revisited and Signature Based Handling of Asserted Information using toKENs.
It may not block spoofed calls entirely, but it will give us a visual, on-screen, cue that calls really are coming from the number they claim to be, which may finally make caller ID the useful system it was designed to be.
There’s a lot happening in the world. Through it all, Marketplace is here for you.
You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible.
Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.