|
Yesterday, a fellow customer of one of the big US wireless telecom carriers received a spoofed call from my mobile number. He called me up thinking I had called him, and we started talking, and turns out he’s a Data Broker from the East Coast (I’m on the West Coast). He was very friendly and discussed specifics for how the mobile phone anonymous token works and how it’s supposedly a secure, anonymous arrangement. I discussed with this gentleman the concerns from this article and he wasn’t too happy, naturally, given my disagreement with the practice of sharing such data due to such deanonymization concerns. As I’m a bit of an activist regarding E2EE and voyeuristically supportive of certain disliked politicians, and against the described data sharing, I have to wonder if someone chose my number to play a prank. Of course, it could simply be an odd coincidence, which is the most reasonable base assumption. Still, I wonder why my number specifically was chosen to target this individual, who said he was the victim of substantial identity theft and yet has refused to change his phone number, likely due to the complexities in doing so. I have a habit of consistently following up on such matters, and so perhaps someone was knowingly demonstrating to me that this wireless carrier can’t even stop in-network spoofed calls, aware that I would investigate it. Of course that’s a bit far fetched but who knows? If the offending party was able to cover their tracks then that says something about the absurd age we are in. At the least, and unrelated to the original article, it’s clear that this major wireless carrier doesn’t even have the ability to prevent spoofed calls from within their own nationwide network from numbers associated with their own customers. I called their support and pointed out that, at least conceptually, it should be trivial to build a security feature to prevent this. And presumably shaken/stirred ss7 cert authentication for did’s should already cover in-network did authentication and prevent in-network spoofing. Is this a reasonable assumption? Have all the major carriers built these protocol upgrades to prevent spoofed calls? There’s the outside possibility this gentleman lied to me about his carrier, dialed back the wrong number, or lied to me about the spoofed call but I gained the sense that he was being truthful to me. Overall it seems that the cyber world is really quite a mess, whether with data sharing malfeasance per the article, insecure wireless networks, globally enabled ransomware, and ever-increasing data in the hands of private global entities that will exist beyond our lifetimes. |
Anyone with a prepaid credit card can spoof numbers, make calls for < $0.005/minute, just by running apt-get install asterisk with a minimal configuration.