Comparable to ‘email spoofing’, in which an email appears to have originated from a specific person, the culprits involved in caller ID spoofing use certain software programs or technology, such as PRI lines, VoIP or caller ID apps like the South African Telespoof.com. For example, a telemarketer could spoof the number of a mobile user’s primary bank while posing as the bank’s agent.
As many people are unaware of the practice, unsuspecting customers of financial institutions or mobile money services could easily become victims and supply their personal information to the deceptive individual or the entity calling.
With the world expecting more than 8 billion mobile subscribers this year, and over 60 billion telephone calls, mobile users will become more vulnerable to spoofing, a budding US$50 billion industry for criminals, especially when laws are not in place to inhibit the practice.
Phone phreaking (phone hacking) is commonplace in Africa, even though many of the security breaches reported are computer- or Internet-related.
In Kenya, a country renowned for its revolutionary mobile money platforms such as Safaricom’s M-Pesa, it was reported earlier this month that mobile money agents – particularly those of M-Pesa – in the central region of the country lose an estimated US$13,000 a month to spoofs, after several fraudsters posed as the mobile network operator’s engineers to defraud them.
According to Embu West District Security Committee chairman Daniel Obudo, as reported by HumanIPO, the fraudsters, while pretending to be upgrading the system, impersonated Safaricom employees to trick the M-Pesa agents into giving them details about their businesses.
“They then transfer the money in the agent’s accounts into their accounts and withdraw it from other outlets,” he said. “The conmen ask for the agents’ ID number and PIN among other details.”
Experts have warned mobile users to be economical with the details they provide to unverifiable callers.
“You don’t know who is on the other end of the line, no matter what your caller ID might say,” said Sandy Chalmers, a division manager at the Department of Agriculture, Trade and Consumer Protection in Wisconsin, in an interview with the New York Times. “Do not trust your caller ID. And if you pick up the phone and someone asks for your personal information, hang up.”
Outside Africa, such as in Canada, private officials are already on alert. In the United States, Congress took action in 2006 when New York Democratic Congressman Eliot Engel and Texas Republican Congressman Joe Barton introduced legislation that would criminalise the practice. A similar bill was later introduced in the Senate, although it wasn’t until 2012 that the “Truth in Caller ID Act (TCIA)” was passed in both chambers and President Barack Obama signed it into law.
Cyber security has recently come into question globally, which explains why some companies, such as TrustID.com, have initiated telephone transaction platforms to validate caller identities. The company helps financial institutions and companies that specialise in mobile-based commerce, such as mobile money, identify who they are actually speaking to. In the long run, it automates their telephone and authentication processes.
“We do it in a unique, technological way that doesn’t require interrogations,” said TrustID founder Patrick Cox in an interview with the Portland Business Journal in 2010. “I say that to be provocative — the notion that when you call a bank they ask you 20 questions – we can really short-circuit a lot of that.”
In Kenya, the question of the legitimacy of caller ID spoofing has sparked countrywide debates. In a bid to educate themselves on the latest fraud trends targeting mobile money, mobile money transfer agents in Central Kenya have formed a group called the Association of Mobile Phone Money Transfer Agents of Kenya (AMPHOTRAK), whose objective is to educate members on the current mobile fraud trends.