Caller ID information is not to be trusted. Judging by the reactions I've gotten from colleagues and friends recently after they've been the victims of spoofed-ID demonstrations, it's not common knowledge that caller ID information, primarily the phone number that often appears on the recipient's telephone display, can be easily faked. Best of all for the mysterious caller, it's not illegal in the U.S. (except in cases where fraud occurs). Calls for the purpose of amusement or revenge are perfectly legal.
With the help of easy-to-use Internet calling card services, it's possible to call up your friends, and have the originating caller number be something completely different, say, the White House switchboard (202-456-1414). For many of the services, it's as simple as punching in three phone numbers: your own number, your pal's number, and the number you want to show up on their phone's display when you call.
The calling card companies providing these services charge a fair bit--approximately 60 minutes of calls for $10. One of the major firms, SpoofCard, is nice enough to let users try their service out for free--two-minute calls can be initiated for free from the company's Web site. For those of you doing the home-brew VOIP thing using an Asterisk server at home, faking your Caller ID information is as simple as editing a configuration file.
Being able to change the originating call number can actually be really useful--for the bad guys.
Many voice mail systems do not prompt you for a PIN or password when you appear to be calling from the number associated with that voice mail account. Some credit card companies require that new cards be activated upon receipt by calling up an automated phone system from the cardholder's home phone number. Many people screen their calls, looking first at the display before deciding if they will pick up the phone. Such people can be tricked into picking up the phone by someone who would ordinarily get ignored. Caller ID spoofing is a priceless technique when conducting social engineering or industrial espionage. Being able to call someone else in a company and have the number come up as an internal office phone number can make it much easier to pretend to be "Bob from accounting."
Using a fake caller ID service, it should be possible for a motivated criminal to stalk someone, listen to their voice mail and then activate a credit card stolen from the victim's mailbox. Creepy stuff.
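For anyone who runs a voice mail or phone-activation system, the fix is to stop treating the displayed number as a credential. The sketch below is an added example, not code from any vendor or service named in this article: it puts the PIN-skipping behavior described above next to a version where the PIN always decides. The `Mailbox` class, the function names, the three-strike lockout and the 555 phone numbers are all assumptions made up for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold, not taken from any real system


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:
    number: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0

    @classmethod
    def create(cls, number: str, pin: str) -> "Mailbox":
        salt = os.urandom(16)
        return cls(number, salt, _hash_pin(pin, salt))

    def pin_ok(self, pin: Optional[str]) -> bool:
        if pin is None:
            return False
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(_hash_pin(pin, self.salt), self.pin_hash)


def weak_access(box: Mailbox, caller_id: str, pin: Optional[str]) -> bool:
    """Behavior described in the article: a matching caller ID skips the PIN."""
    if caller_id == box.number:
        return True
    return box.pin_ok(pin)


def hardened_access(box: Mailbox, caller_id: str, pin: Optional[str]) -> bool:
    """Caller ID is ignored for authentication; only the PIN grants access."""
    if box.failures >= MAX_FAILURES:
        return False  # locked until the owner resets it out of band
    if box.pin_ok(pin):
        box.failures = 0
        return True
    box.failures += 1  # count every failed attempt, whatever number is displayed
    return False
```

Under the hardened policy a call that merely displays the mailbox owner's number gets nothing, while the real owner can still reach the mailbox from any phone by entering the PIN.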
So what about the law? Caller ID spoofing services do not appear to violate any federal criminal law, according to a published interview with Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," said Kerr.
Congress attempted to pass legislation earlier in 2007 making it illegal to spoof caller ID. The bill, The Truth in Caller ID Act of 2007, sailed through the House of Representatives but has yet to make it through the Senate. The law would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempt from the rule.
With the legislation apparently stalled at the federal level, some states have begun to pass their own laws. According to USA Today: "Florida Gov. Jeb Bush signed a law banning commercial telemarketers from using ID spoofing. Violators can be fined up to $10,000 per incident. Alaska and New York have considered anti-spoofing legislation. Delaware has no law that specifically bars people from misrepresenting their name and number on the recipient's caller ID. If done for commercial purposes, however, the practice could be treated as a violation of the state's Deceptive Trade Practices Act or the Consumer Fraud Act, says Barbara Gadbois, who directs the Consumer Protection Unit of the Delaware Attorney General's Office. Extracting personal information that is then used to steal money or commit another crime is a felony punishable by up to eight years in prison, Gadbois says."
Even the state laws that have been proposed only ban the commercial use of caller ID spoofing and cases of fraud. The use of such services by individuals for amusement or revenge is still perfectly legal. Thus, until the feds can agree upon and pass stronger legislation, fake caller ID is here to stay.