{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T16:13:15Z","timestamp":1772554395024,"version":"3.50.1"},"reference-count":32,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,12,12]],"date-time":"2023-12-12T00:00:00Z","timestamp":1702339200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"crossref","award":["EP\/T014784\/1"],"award-info":[{"award-number":["EP\/T014784\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2024,2,29]]},"abstract":"<jats:p>Caller ID spoofing is a global industry problem and often acts as a critical enabler for telephone fraud. To address this problem, the Federal Communications Commission has mandated telecom providers in the U.S. to implement STIR\/SHAKEN, an industry-driven solution based on digital signatures. STIR\/SHAKEN relies on a public key infrastructure (PKI) to manage digital certificates, but scaling up this PKI for the global telecom industry is extremely difficult, if not impossible. Furthermore, it only works with IP-based systems (e.g., SIP), leaving the traditional non-IP systems (e.g., SS7) unprotected. So far the alternatives to the STIR\/SHAKEN have not been sufficiently studied. In this article, we propose a PKI-free solution, called Caller ID Verification (CIV). CIV authenticates the caller ID based on a challenge-response process instead of digital signatures, hence requiring no PKI. It supports both IP and non-IP systems. Perhaps counter-intuitively, we show that number spoofing can be leveraged, in conjunction with Dual-tone Multi-frequency, to efficiently implement the challenge-response process, i.e., using spoofing to fight against spoofing. We implement CIV for Voice over Internet Protocol, cellular, and landline phones across heterogeneous networks (SS7\/SIP) by only updating the software on the user\u2019s phone. This is the first caller ID authentication solution with working prototypes for all three types of telephone systems in the current telecom architecture. Finally, we show how the implementation of CIV can be optimized by integrating it into telecom clouds as a service, which users may subscribe to.<\/jats:p>","DOI":"10.1145\/3625546","type":"journal-article","created":{"date-parts":[[2023,9,27]],"date-time":"2023-09-27T08:35:04Z","timestamp":1695803704000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Spoofing Against Spoofing: Toward Caller ID Verification in Heterogeneous Telecommunication Systems"],"prefix":"10.1145","volume":"27","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1515-8789","authenticated-orcid":false,"given":"Shen","family":"Wang","sequence":"first","affiliation":[{"name":"University of Warwick, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6354-330X","authenticated-orcid":false,"given":"Mahshid","family":"Delavar","sequence":"additional","affiliation":[{"name":"University of Warwick, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1707-018X","authenticated-orcid":false,"given":"Muhammad Ajmal","family":"Azad","sequence":"additional","affiliation":[{"name":"School of Computing and Digital Technology, Birmingham City University, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0284-2098","authenticated-orcid":false,"given":"Farshad","family":"Nabizadeh","sequence":"additional","affiliation":[{"name":"Nar Co., Iran"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7783-2313","authenticated-orcid":false,"given":"Steve","family":"Smith","sequence":"additional","affiliation":[{"name":"trueCall Ltd, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8664-5074","authenticated-orcid":false,"given":"Feng","family":"Hao","sequence":"additional","affiliation":[{"name":"University of Warwick, United Kingdom"}]}],"member":"320","published-online":{"date-parts":[[2023,12,12]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1002\/9781119644682"},{"key":"e_1_3_2_3_2","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1007\/978-3-031-20215-5_2","volume-title":"Proceedings of the International Conference on Multimedia Communications, Services and Security","author":"Beumier Charles","year":"2022","unstructured":"Charles Beumier and Thibault Debatty. 2022. Attack detection in SS7. In Proceedings of the International Conference on Multimedia Communications, Services and Security. Springer, 11\u201320."},{"issue":"1","key":"e_1_3_2_4_2","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1002\/bltj.20367","article-title":"Authenticating displayed names in telephony","volume":"14","author":"Chow Stanley T.","year":"2009","unstructured":"Stanley T. Chow, Christophe Gustave, and Dmitri Vinokurov. 2009. Authenticating displayed names in telephony. Bell Labs Tech. J. 14, 1 (2009), 267\u2013282.","journal-title":"Bell Labs Tech. J."},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3241539.3241573"},{"key":"e_1_3_2_6_2","volume-title":"Signaling System No. 7 (SS7\/C7): Protocol, Architecture, and Services","author":"Dryburgh Lee","year":"2005","unstructured":"Lee Dryburgh and Jeff Hewett. 2005. Signaling System No. 7 (SS7\/C7): Protocol, Architecture, and Services. Cisco Press."},{"key":"e_1_3_2_7_2","unstructured":"FCC. 2023. Caller ID Spoofing. Retrieved from https:\/\/www.fcc.gov\/spoofing"},{"key":"e_1_3_2_8_2","unstructured":"FCC. 2023. Combating Spoofed Robocalls with Caller ID Authentication. Retrieved from https:\/\/www.fcc.gov\/call-authentication"},{"key":"e_1_3_2_9_2","unstructured":"IETF. 2023. Secure Telephone Identity Revisited (STIR). Retrieved from https:\/\/datatracker.ietf.org\/wg\/stir\/documents\/"},{"issue":"2","key":"e_1_3_2_10_2","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1109\/MSP.2014.20","article-title":"Caller ID: Whose privacy?","volume":"12","author":"Lesk Michael","year":"2014","unstructured":"Michael Lesk. 2014. Caller ID: Whose privacy? IEEE Secur. Priv. 12, 2 (2014), 77\u201379.","journal-title":"IEEE Secur. Priv."},{"key":"e_1_3_2_11_2","first-page":"745","volume-title":"Proceedings of the World Conference on Information Systems and Technologies","author":"Li Jikai","year":"2017","unstructured":"Jikai Li, Fernando Faria, Jinsong Chen, and Daan Liang. 2017. A mechanism to authenticate caller ID. In Proceedings of the World Conference on Information Systems and Technologies. Springer, 745\u2013753."},{"key":"e_1_3_2_12_2","first-page":"1","article-title":"Softwarization and virtualization of VoIP networks","author":"Montazerolghaem Ahmadreza","year":"2022","unstructured":"Ahmadreza Montazerolghaem. 2022. Softwarization and virtualization of VoIP networks. J. Supercomput. (2022), 1\u201333.","journal-title":"J. Supercomput."},{"key":"e_1_3_2_13_2","first-page":"168","volume-title":"Proceedings of the 44th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks","author":"Mustafa Hossen","year":"2014","unstructured":"Hossen Mustafa, Wenyuan Xu, Ahmad Reza Sadeghi, and Steffen Schulz. 2014. You can call but you can\u2019t hide: Detecting caller id spoofing attacks. In Proceedings of the 44th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. IEEE, 168\u2013179."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2016.2580509"},{"key":"e_1_3_2_15_2","unstructured":"Ofcom. 2022. Number Spoofing Scams. Retrieved from https:\/\/www.ofcom.org.uk\/phones-telecoms-and-internet\/advice-for-consumers\/scams\/phone-spoof-scam"},{"key":"e_1_3_2_16_2","first-page":"575","volume-title":"Proceedings of the 26th USENIX Security Symposium","author":"Reaves Bradley","year":"2017","unstructured":"Bradley Reaves, Logan Blue, Hadi Abdullah, Luis Vargas, Patrick Traynor, and Thomas Shrimpton. 2017. Authenticall: Efficient identity and content authentication for phone calls. In Proceedings of the 26th USENIX Security Symposium. 575\u2013592."},{"key":"e_1_3_2_17_2","first-page":"963","volume-title":"Proceedings of the 25th USENIX Security Symposium","author":"Reaves Bradley","year":"2016","unstructured":"Bradley Reaves, Logan Blue, and Patrick Traynor. 2016. Authloop: End-to-end cryptographic authentication for telephony over voice channels. In Proceedings of the 25th USENIX Security Symposium. 963\u2013978."},{"key":"e_1_3_2_18_2","first-page":"235","volume-title":"Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P\u201917)","author":"Sahin Merve","year":"2017","unstructured":"Merve Sahin, Aur\u00e9lien Francillon, Payas Gupta, and Mustaque Ahamad. 2017. SoK: Fraud in telephony networks. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P\u201917). IEEE, 235\u2013250."},{"key":"e_1_3_2_19_2","volume-title":"Proceedings of the 49th Research Conference on Communication, Information and Internet Policy","author":"Sherman Imani","year":"2021","unstructured":"Imani Sherman, Daniel A. Delgado, Juan E. Gilbert, Jaime Ruiz, and Patrick Traynor. 2021. Characterizing user comprehension in the STIR\/SHAKEN anti-robocall standard. In Proceedings of the 49th Research Conference on Communication, Information and Internet Policy."},{"key":"e_1_3_2_20_2","unstructured":"BT Group. [n.d.]. The UK\u2019s PSTN Network will Switch off in 2025. Retrieved from https:\/\/business.bt.com\/why-choose-bt\/insights\/digital-transformation\/uk-pstn-switch-off\/"},{"key":"e_1_3_2_21_2","unstructured":"TransNexus. 2022. Reply Comments on SHAKEN Extensions and Effectiveness. Retrieved from https:\/\/transnexus.com\/blog\/2022\/shaken-effectiveness-extensions-reply-comments\/"},{"key":"e_1_3_2_22_2","unstructured":"TransNexus. 2022. Robocalls up Sharply in October. Retrieved from https:\/\/transnexus.com\/blog\/2022\/robocalls-up-sharply-october\/"},{"key":"e_1_3_2_23_2","unstructured":"TransNexus. 2021. Service Provider STI Fee Changes for 2021. Retrieved from https:\/\/transnexus.com\/blog\/2021\/sti-provider-rate-changes\/"},{"key":"e_1_3_2_24_2","unstructured":"TransNexus. 2022. STIR\/SHAKEN Statistics from October 2022. Retrieved from https:\/\/transnexus.com\/blog\/2022\/shaken-statistics-october\/"},{"key":"e_1_3_2_25_2","unstructured":"trueCall. 2023. Retrieved from https:\/\/www.truecall.co.uk\/"},{"key":"e_1_3_2_26_2","unstructured":"Truecaller. 2023. Retrieved from https:\/\/www.truecaller.com\/"},{"key":"e_1_3_2_27_2","unstructured":"Truecaller. 2022. 2022 U.S. Spam & Scam Report. Retrieved from https:\/\/truecaller.blog\/2022\/05\/24\/truecaller-insights-2022-us-spam-scam-report\/"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.27"},{"issue":"3","key":"e_1_3_2_29_2","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1109\/MCOMSTD.2017.1700019","article-title":"Toward standardization of authenticated caller ID transmission","volume":"1","author":"Tu Huahong","year":"2017","unstructured":"Huahong Tu, Adam Doup\u00e9, Ziming Zhao, and Gail-Joon Ahn. 2017. Toward standardization of authenticated caller ID transmission. IEEE Commun. Standards Mag. 1, 3 (2017), 30\u201336.","journal-title":"IEEE Commun. Standards Mag."},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","DOI":"10.1002\/047004814X","volume-title":"Signaling in Telecommunication Networks","author":"Bosse John G. Van","year":"2006","unstructured":"John G. Van Bosse and Fabrizio U. Devetak. 2006. Signaling in Telecommunication Networks. Vol. 87. John Wiley & Sons."},{"key":"e_1_3_2_31_2","first-page":"1","volume-title":"Advances in Computers","author":"Wang Xinyuan","year":"2011","unstructured":"Xinyuan Wang and Ruishan Zhang. 2011. VoIP security: Vulnerabilities, exploits, and defenses. In Advances in Computers. Vol. 81. Elsevier, 1\u201349."},{"key":"e_1_3_2_32_2","unstructured":"YouGov. 2019. Don\u2019t Call Me: Nearly 90% of Customers Won\u2019t Answer the Phone Anymore. Retrieved from https:\/\/martech.org\/dont-call-me-nearly-90-of-customers-wont-answer-the-phone-anymore-study\/"},{"key":"e_1_3_2_33_2","first-page":"277","volume-title":"Advances in Security, Networks, and Internet of Things","author":"Yu James","year":"2021","unstructured":"James Yu. 2021. An analysis of applying STIR\/SHAKEN to prevent robocalls. In Advances in Security, Networks, and Internet of Things. Springer, 277\u2013290."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3625546","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3625546","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:50:37Z","timestamp":1750287037000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3625546"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,12]]},"references-count":32,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,2,29]]}},"alternative-id":["10.1145\/3625546"],"URL":"https:\/\/doi.org\/10.1145\/3625546","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,12]]},"assertion":[{"value":"2023-02-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-09-18","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-12-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}