Nobody likes you when you’re 23 /
And are still more amused by prank phone calls /
What the hell is caller ID?
Blink-182, “What’s My Age Again?”, 1992
You probably already know that Caller ID is useful, and that it can be faked. If you want to know how it works and how it fails, read on.
Once upon a time (prior to 1980-2, when AT&T was broken up), everything was simple. All calls in the United States, to a first approximation, were handled by AT&T or one of its daughter companies. They kept track of who called whom by number, date, time started and time stopped. Your bill would arrive in the middle of the month after the calls were made, and everything would have a cost assigned. Costs for long distance were quite high, and costs for cross-oceanic calls were sky-high.
The 1980 MCI v Illinois Bell decision started the breakup of AT&T, which was finalized in United States v AT&T 1974-1982. After that, each of the possible local telephone companies had to come to arrangements to bill each of the possible long distance companies and vice versa.
Prior to 1987, there were no Caller ID systems, either. You picked up the phone when it rang or let your answering machine or fancy voice-mail service handle it. If people told you who they were and what their number was, you now knew it. Otherwise, you wouldn’t find out until the bill arrived – assuming you could find the particular call in the haystack.
That led to the problem of “cramming”. Cramming emerged when the FCC decided to stop enforcing rules on billing and collection in 1986. Overnight, companies sprang up to supply services that could be billed to your telephone number. The obvious ones were 1-900 numbers, where the mere fact of calling enables a high pass-through charge. Not so obvious, but even more harmful: anyone who knew your telephone number could pass it to a telco and claim that you had signed up for a service at $Z per month. The GAO reported that some vendors had simply copied chunks of telephone directories and started billing for nonexistent and unordered services.
The good news, such as it is, is that cramming requires an identifiable endpoint to receive the money. You can track them down, eventually.
That’s not the case for random telephone calls, and has led to the spam problem that we have today. Here’s why:
There is no central database of names and numbers.
What’s missing? Names. Every receiving telco is responsible for deciding what name, if any, goes with the number that is sent.
When a call originates, the first switch in the path sets up the calling record, and sends along the number that will be billed, the number that is calling and the number to be called. That first switch used to always belong to a telco. It could cost an awful lot of money, require an expert to program it, and be fed only from expensive fixed circuits.
Now it can belong to anybody, including a person sitting at home with a consumer Internet connection and a $10 Raspberry Pi running Asterisk PBX software. The interconnection to the PBX can happen at tens of thousands of VOIP service providers all across the world. It doesn’t cost more to ship your voice call over the Internet to another country and then use a local VOIP provide – it costs less. Much less.
As a result, it become economically feasible to hire lots of English- speaking people in a call center in an economically disadvantaged part of the world and have them talk to random phone numbers in the US in the hopes of convincing some poor grandmother to give up her credit-card number or access to her computer. The Caller ID information is simply forged. The billing number is established with the VOIP account, and as soon as the VOIP company kills the account for fraud, it is all set up again with another one - or the same one, under a new name. It’s not like physical lines need to be installed. Data can be bounced through relays in several data centers, defeating an IP lookup to blacklist bad actors.