You Can Call but You Can´t Hide: Detecting Caller ID Spoofing Attacks

Caller ID (caller identification) is a service provided by telephone carriers to transmit the phone number and/or the name of a caller to a callee. Today, most people trust the caller ID information, and it is increasingly used to authenticate customers (e.g., by banks or credit card companies). However, with the proliferation of smartphones and VoIP, it is easy to spoof caller ID by installing corresponding Apps on smartphones or by using fake ID providers. As telephone networks are fragmented between enterprises and countries, no mechanism is available today to easily detect such spoofing attacks. This vulnerability has already been exploited with crucial consequences such as faking caller IDs to emergency services (e.g., 9-1-1) or to commit fraud. In this paper, we propose an end-to-end caller ID verification mechanism CallerDec that works with existing combinations of landlines, cellular and VoIP networks. CallerDec can be deployed at the liberty of users, without any modification to the existing infrastructures. We implemented our scheme as an App for Android-based phones and validated the effectiveness of our solution in detecting spoofing attacks in various scenarios.