Shaken, Not Stirred

Shweta Patel

Learn all about Caller ID spoofing and STIR / SHAKEN protocol

Lately I chanced upon a scam story that instantly caught my attention. A PhD scholar (no less) was tricked by a bunch of crooks on Instagram. She had broken up with her boyfriend 6 months back. The scammers promised her that by performing a black magic ritual she could win him back. The black magic gang asked her for her number and, of course, the boyfriend’s number. She handed them over. She performed the ritual. The same evening, she received a call from his number. Note: she had been instructed not to answer the call. Now that the black magic gang had her where they wanted her, they went on to collect Rs. 6 lac from her. She never heard back from the callers. Nor from the boyfriend.

Moral of the story: caller ID spoofing is here. There are apps on Android that one can download. Obviously, I won’t advertise the names of such apps, but they are straightforward to use. Really curious? There are tutorials online on how to use various versions of these. Some let you call from unlimited different numbers and buy credits etc. By the way, this can easily beat caller ID services.

ANI spoofing (ANI is just the jargon we used to use for Automated number identification) has been fairly common in the US and other markets. It’s like ATO Lesson 101 for fraudsters to spoof a customer’s phone number while calling the bank to ‘authenticate’ themselves. The other use case I remember from reviewing cases: hapless victims would swear that the caller’s number exactly matched the number on the back of their debit card. The not-so-smooth fraudsters would especially point their victims to it, like, “You can check that the number is the same as on the back of your card, ma’am.” Now show me one real bank that would have that on the script.

But what surprised me is how this technology is now available to the rural heartland of India. 

Along similar lines, we have also started to see a trickle of spoofed SMS texts. A friend in cyber security tells me that the one case he ran into was because the bulk SMS vendor’s credentials were compromised. But regardless of creds, I found that it’s quite straightforward to execute even with noob Python skills. One could easily pull it off, with the right APIs to at least one programmable communication tool. And I’m no star hacker.

For caller ID spoofing, the FCC has mandated the STIR / SHAKEN protocol. (What a cool acronym – it stands for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards.) Note that STIR/SHAKEN does not protect against SMS spoofing, though. In India, TRAI / DoT and all of us are shaken but not yet stirred by what could quickly escalate into a much larger problem in a country of our size. The DMLT registrations, SMS header querying etc. currently do not address this issue. Any new ideas that James Bond might approve of?
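
The check a terminating provider performs under STIR/SHAKEN, as an added example (not from the original post or any carrier's code): the originating provider signs the calling number into a token, and the receiving side rejects a call whose signature, timestamp or presented number does not match. The key pair, phone numbers, `x5u` URL and function names are constructed for illustration, and the public key is passed in directly, where a real verifier would fetch the certificate from `x5u` and validate its chain.

```javascript
// Added example: both sides of a SHAKEN PASSporT check (claim names per RFC 8225 / RFC 8588).
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Originating provider: sign the asserted caller identity (ES256 = ECDSA P-256 + SHA-256).
function signPassport(privateKey, claims, x5u) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: verify the signature, then freshness, then that the
// number the call presents is the number the originating provider signed.
function verifyPassport(token, publicKey, presentedCaller, calledNumber, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return { ok: false, reason: 'bad-header' };
  let sigOk = false;
  try {
    sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  } catch { sigOk = false; }
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  // A missing or non-numeric iat fails this comparison and is treated as stale.
  if (!(Math.abs(now - claims?.iat) <= maxAgeSec)) return { ok: false, reason: 'stale' };
  if (claims?.orig?.tn !== presentedCaller) return { ok: false, reason: 'caller-mismatch' };
  const dest = claims?.dest?.tn;
  if (!Array.isArray(dest) || !dest.includes(calledNumber)) return { ok: false, reason: 'dest-mismatch' };
  return { ok: true, attest: claims.attest };
}

// Constructed sample data: throwaway key pair, made-up numbers and URL.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const now = 1700000000;
const claims = { attest: 'A', dest: { tn: ['15550100002'] }, iat: now,
  orig: { tn: '15550100001' }, origid: '00000000-0000-4000-8000-000000000000' };
const token = signPassport(privateKey, claims, 'https://cert.example/sp.pem');
console.log(verifyPassport(token, publicKey, '15550100001', '15550100002', now + 5));
console.log(verifyPassport(token, publicKey, '15550100009', '15550100002', now + 5));
```

The second call fails with `caller-mismatch` because the number presented on the call is not the one covered by the signature.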