Automatic Number Identification (ANI)-based security mechanisms can be spoofed
in both directions, although some carriers claim to have clamped down on this practice
(I'm not convinced this can be done). Spoofing can be used to present false Caller-ID
data to subscribers. If your organization uses ANI to verify identity (as a very large
credit card user has been known to do), you are asking for trouble. It’s only slightly
more difficult than spoofing an e-mail address if you know what you’re doing, so
tread carefully here.
Other ISUP and QSIG fields have similar problems, so be very careful with any
trust assumptions you make with these protocols. Always assume that CLASS services
like distinctive ringing, selective call acceptance, selective call forward, and so on will
be fooled by ANI spoofing and similar ISUP or QSIG attacks.
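
One way to act on this advice, as an added example that is not from the original post: decode the ISUP Calling Party Number parameter (layout per ITU-T Q.763) and treat both the number and its screening indicator as hints only. The function names, decision labels and sample bytes are assumptions made for illustration.

```python
# Added example: decode an ISUP Calling Party Number parameter (ITU-T Q.763)
# and use it only as a hint. The decision policy is an assumption.
SCREENING = {
    0: "user provided, not verified",
    1: "user provided, verified and passed",
    2: "user provided, verified and failed",
    3: "network provided",
}

def parse_calling_party_number(param: bytes) -> dict:
    """Decode the parameter body (without the type and length octets)."""
    if len(param) < 2:
        raise ValueError("parameter too short")
    odd = bool(param[0] & 0x80)          # odd/even indicator
    digits = []
    for octet in param[2:]:              # BCD, low nibble is the earlier digit
        digits += [octet & 0x0F, octet >> 4]
    if odd and digits:
        digits.pop()                     # drop the filler nibble
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal address signal")
    return {
        "nature_of_address": param[0] & 0x7F,
        "presentation": (param[1] >> 2) & 0x03,
        "screening": SCREENING[param[1] & 0x03],
        "number": "".join(map(str, digits)),
    }

def caller_decision(param: bytes, number_on_file: str, second_factor_ok: bool) -> str:
    """Hypothetical policy: ANI never authenticates, it only adds or removes suspicion."""
    try:
        cpn = parse_calling_party_number(param)
    except ValueError:
        return "challenge"
    if not second_factor_ok:
        # A matching number and a "network provided" screening value are both
        # asserted by upstream signalling, so neither is accepted as proof.
        return "challenge"
    return "allow" if cpn["number"] == number_on_file else "allow_and_review"

# Constructed sample: 555-1234, national number, presentation allowed,
# screening indicator "network provided".
SAMPLE = bytes.fromhex("831355153204")

if __name__ == "__main__":
    print(parse_calling_party_number(SAMPLE))
    print(caller_decision(SAMPLE, "5551234", second_factor_ok=False))
```
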
Saturday, March 29, 2008
ISUP and QSIG Security