FCC Probes Caller-ID Fakers

If you've ever used one of the half-dozen websites that allow you to control the phone number that appears on someone's Caller ID display when you phone them, the U.S. government would like to know who you are.

Last week the FCC opened an investigation into the caller-ID spoofing sites -- services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

A seven-page demand from the FCC's enforcement bureau sent to one such service, called TeleSpoof, says the commission is investigating whether the site is violating the federal Communications Act by failing to send accurate "originating calling party telephone number information" on interstate calls. A copy was also sent to VoIP service provider NuFone

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

The operator of the site, a 21-year-old hacker who spoke on condition of anonymity, says he's looking for an attorney, and has not yet released any information to the FCC. "If a customer sees this, they're going to be kind of bummed," he says. "They wouldn't want their info released, and I may have to give it up."

Caller ID spoofing was once the exclusive province of shady boiler rooms that could afford bulk-rate phone connections and expensive equipment. But in 2004 hackers found a way to spoof their Caller ID by taking advantage of permissive VoIP service providers that offer connections to the conventional phone network while allowing customers to send anything they want as their Caller ID.

In August 2004, a southern California entrepreneur tried to capitalize on the hack by launching an internet-based spoofing service, Star38.com. The service was initially offered exclusively to collection agencies, and quickly faced a host of copycat services that would sign up anyone for a nominal per-minute fee. Star38 has since gone out of business, while the more egalitarian offerings have flourished.

To use a spoofing service, a customer pre-purchases minutes with a credit card or PayPal account. Then to make a call they simply visit the website and fill in three fields: their phone number, the number they want to call and the number they want to appear to be calling from.

The service dials them back automatically and connects them. At the receiving end, the caller sees only the spoofed number, which could be anything from the White House to Paris Hilton's private line.

TeleSpoof's operator says he has about 600 users. Private investigators were his earliest customers, but ordinary consumers have found uses for his service as well, he says. In one case, a divorced father was able to talk to his child on Christmas by spoofing his Caller ID to slip the call past his estranged ex-wife, he says.

But last month Congress heard testimony that criminals have used the services while making pretext phone calls to wheedle private consumer information out of companies. The services have also reportedly been used to target businesses that rely on Caller ID for authentication -- Western Union wire transfers service have been particularly vulnerable, as are T-Mobile voice mailboxes in their default configuration.

It's unclear why the FCC wants to identify users of the service, or what prompted the commission to launch an investigation at this time, after permitting the sites to operate unchecked for so long. But politics may have played a role. In an Associated Press story Wednesday, Republican congressman Tim Murphy complained that a critic flooded his office last fall with recorded phone calls, and used Caller ID spoofing to cover his tracks. A representative for Murphy didn't immediately return a phone call Thursday.

The FCC says it doesn't comment on pending invest