'Untraceable' VoIP caller ID-spoofing website accepts Bitcoin
It won't take hard cash
A new VoIP service allows you to hide who you are: it is web-based, has no registration checks, lets you spoof caller identity, and takes payment in Bitcoin.
Bitphone calls itself the Bitcoin Payphone. As well as taking Bitcoin, the service accepts more than forty other altcoins.
Users can pay with a Bitcoin transfer from a wallet in their mobe using a QR code transfer. This is tied to a browser cookie but there is no need to register to make calls and the service will show whoever you dial its own Arizona number.
If you want to set the outgoing CLI (calling line identification) you’ll need to register – but in The Register's tests we used a burner email address and a VPN. There were no checks on the ownership of the email address or use of a VPN. All the “security” is down to the cookie.
We could then make calls showing whatever CLI we wanted. We could even call a number showing that it was the recipient’s own number calling him. There are options to conference call two people and show each of them spoofed CLIs.
Calls are very cheap, at around 1.3p a minute to UK landlines. However, calling a UK premium rate number, which usually charges £1.50 a minute plus the operator's access charge, gives an estimated call cost of 1.3p/minute, which shows that some of their billing hasn’t been fully resolved.
You can build some cases for wanting to do this – such as working from home and wanting work to pay for the calls and to show the work number – but these are edge cases.
The service, provided by Solidcloud.io, says in its terms and conditions that you must not use the service unlawfully. Its FAQs give details of the illegality of spoofing CLI in the US. The service is how we hacked EE and Three’s voicemail systems – backdoors which, thanks to our help, are now shut.
British regulators have moved to close down CLI spoofing services in the past but a US-based website will be outside Ofcom’s jurisdiction. ®
Vulture Central's backroom gremlins reckon the website could fall foul of the Computer Misuse Act, if used for serious naughtiness in Blighty. We've asked Ofcom for its opinion.