13 February 2008 @ 11:12

Caller-ID spoofing

This article on Digg caught my attention, but in the end turned out to be less interesting than I had expected. To cut to the chase: don’t trust the information in your caller-ID. The interesting part came from a commenter:

I was a victim of this caller id spoofing just last week. Bank of America VISA called me to ask if I used my card at an ATM machine across the country to get $880 in cash about 6 or 7 times that morning, for a total of over $5,000 cash withdrawal. Apparently someone made a fake VISA card using my number. Here’s the spoof part: VISA lets you change your PIN over the phone, and does not ask any security questions. Their computer “sees” that you are calling from your home phone (which these spoofers can do somehow), and then they let you just change your card PIN number right over the phone. The thief then went to the nearest cash machine and had fun. I wasn’t liable, but I did ask the head of their fraud unit why in the world they don’t require “live security questions” if they knew that this phone spoofing technology is out there. They said they are “working on it”. I wonder how we can ensure that they change this policy quickly. In the meantime, I was told never to use your home phone number – use your cell as the contact number. Think about how many times you order things online, using your credit card and phone number. This stuff is really frightening.

I have activated many new credit/debit cards in this way, and never thought twice about the fact that the banks are using caller-ID to “verify” the identity of the person calling. The banks need to get a clue! This is not a secure and reliable method of checking the caller’s identity! As for changing a PIN, there are probably more questions or verifications than the commenter above would have us believe, but as for activating a card, I don’t remember any such questions.

[UPDATE: Apparently, using "ANI Skip Tracing", the true number of a blocked or spoofed caller-ID can still be retrieved.]
