For all of the palace
intrigue recently about who in Rupert Murdoch’s News Corporation
kingdom knew what about phone hacking when, one fundamental question
about the scandal has gone mostly unanswered:
Just how vulnerable are everyday United States residents to similarly
The answer is, more than you might think.
AT&T, Sprint and T-Mobile do not require cellphone customers to use a
password on their voice mail boxes, and plenty of people never bother
to set one up. But if you don’t, people using a service colloquially
known as caller ID spoofing could disguise their phone as yours and get
access to your messages. This is possible because voice mail systems
often grant access to callers who appear to be phoning from their own
Meanwhile, as Edgar Dworsky, a consumer advocate who founded ConsumerWorld.org,
discovered recently, someone armed with just a bit of personal
information about a target can also gain access to the automated phone
systems for Bank of America and Chase credit card holders.
Once those systems recognize the phone number of the incoming call and
those bits of personal information, they offer up the latest on the
cardholder’s debts, late payments and credit limits. Bank of America’s
computer will even read off a list of dozens of recent charges,
including names of doctors and other businesses the cardholder might
There are additional steps that the mobile phone companies and the card
issuers could take to stop this sort of thing from ever happening. The
fact that many of them don’t, however, makes this your problem to solve.
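To make the weakness the article describes concrete, here is a small Python model (an added illustration, not code from the article, any carrier or any bank) of the access decision a voice mail or card-issuer phone system makes: one policy auto-logs the caller in when the presented caller ID matches the account, the other asks for the PIN on every call, and a helper counts calls that presented the account's own number but failed the PIN, which is the simplest detection signal a provider could watch. All numbers, PINs and policy names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mailbox:
    number: str                 # subscriber's phone number (constructed)
    pin: Optional[str]          # None: subscriber never set a password
    require_pin_always: bool    # True = ask for the PIN no matter where the call comes from


@dataclass
class Call:
    presented_caller_id: str    # the caller ID as displayed; it is not authenticated
    entered_pin: Optional[str] = None


def grant_access(box: Mailbox, call: Call) -> tuple[bool, str]:
    """Return (granted, reason) for one incoming call.

    With require_pin_always=False the presented caller ID alone unlocks the
    mailbox, which is the auto-login behaviour the article describes; with
    require_pin_always=True the caller ID is only a hint and the PIN decides.
    """
    id_matches = call.presented_caller_id == box.number
    if not box.require_pin_always and id_matches:
        return True, "auto-login on caller ID"
    if box.pin is None:
        return False, "no PIN enrolled; access refused"
    if call.entered_pin == box.pin:
        return True, "pin verified"
    # A call that shows the mailbox's own number but cannot supply the PIN is
    # what a spoofed call looks like once caller ID stops being trusted.
    return False, "pin mismatch" + (" with matching caller ID" if id_matches else "")


def suspicious_attempts(box: Mailbox, calls: list[Call]) -> int:
    """Count failed logins that presented the mailbox's own number.

    Only meaningful under the always-require-PIN policy: with auto-login on,
    such calls simply succeed and leave nothing to detect.
    """
    flagged = (False, "pin mismatch with matching caller ID")
    return sum(1 for c in calls if grant_access(box, c) == flagged)


if __name__ == "__main__":
    spoofed = Call("5551234567")                       # no PIN offered, matching number
    print(grant_access(Mailbox("5551234567", None, False), spoofed))   # auto-login
    print(grant_access(Mailbox("5551234567", "4821", True), spoofed))  # refused
```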
These sorts of breaches wouldn’t happen without spoofing, and
surprisingly enough, it’s an activity that turns out to be perfectly
legal, up to a point.
Commercial spoofing operations, which began offering services to
seven years ago, are easy to find and cost $10 or so for 60 minutes
of calling time. A Google search on “caller ID spoofing” leads to many
providers with names like SpoofCard, whose slogan is “Be Who
You Want to Be.”
Registered users call an access number (or use a form on a Web site) and
enter the phone number they are calling and the phone number they want
to show up on the caller ID display of the person they are calling. Then
the service puts the call through.
Late last year, President Obama signed the Truth
in Caller ID Act, which prohibits knowingly using spoofing services
to defraud, cause harm or wrongfully obtain anything of value. The fine
is up to $10,000 for a single incident.
The new law, however, is not much of a disincentive for people already
engaged in illegal activity. After all, for years, even before
commercial services were available, hacker thieves were manipulating
caller ID information to convince consumers that a bank was phoning.
Unwitting recipients of these calls would hand over their Social
Security numbers and become identity
Another common tactic was the jury duty fraud, in which thieves would
program their phones to make it appear that they were calling from a
local courthouse. Then they’d tell recipients that they’d missed their
jury duty assignment and needed to pay a fine by credit card over the
phone to avoid arrest. Once the thieves had the card numbers, they’d go
on a spending spree.
Given all of this, it’s hard to imagine a legitimate use for caller ID
spoofing, but there are at least a few. People who have been victims of
domestic violence may not want anyone to know where they are calling
from. Doctors use it when calling patients from cellphones to keep
patients from getting the number and pestering them later. Parents
sometimes use the service as well, if they have children who tend to
ignore their calls.
Using spoofing services to listen to someone’s voice mail is probably
not a legitimate use. That said, mobile phone voice mail systems would
be more spoof-proof if they required passwords every time a user called
in, no matter what phone someone was calling from. Only Verizon Wireless
does this, though.
After a recent article
in The Boston Globe showing how vulnerable voice mail was to
spoofing, AT&T Wireless improved its security a bit. While it still
lets users choose whether to require a password each time they call
their voice mail, the default is to have them use one — the opposite of
the previous practice. Sprint is similar to AT&T in this regard,
while T-Mobile allows users to require a password every time they call
in for voice mail, but doesn’t default to that option.
Why didn’t AT&T force all customers to use a password? “We take the
position that customers should have the information and tools available
to make the right decision for them,” said Mark Siegel, a spokesman.
Mr. Dworsky of
ConsumerWorld, a former consumer protection lawyer for the state of
Massachusetts, read the Globe article and wondered whether some credit
card companies’ phone systems recognized callers if they were phoning in
from a particular number.
He set about testing a number of major credit card issuers’ phone
systems and found that with a couple of pieces of easily obtainable data
— I’m not going to say what exactly — he could obtain access to a
person’s credit card account information at Chase and Bank of America.
Chase’s phone system gives out individual purchase data by category,
letting a caller know that there was a $12 purchase at a drug store.
Bank of America’s phone system often reads off each transaction along
with the name of the merchant, say a specific doctor or Web site or
In my tests and Mr. Dworsky’s, most spoofing services put through calls
placed to banks, though some seemed to have those
When the calls went through, spoofing services were successful in
gaining access to Chase’s systems 100 percent of the time. Bank of
America blocked calls that we placed from some spoofing services while
letting others through. Neither bank seems to allow callers to use these
systems in ways that could actually draw on a cardholder’s credit —
like ordering new cards or requesting cash advances — without asking for
more information or speaking to a representative.
Chase and Bank of America could close these holes by asking for a bit
more information on the phone — say, the last four digits of a Social
Security number. But Bank of America doesn’t want to, because officials
there don’t think their customers want them to.
“One of the top reasons customers use the automated system is because
they want to quickly check basic account status and transaction
information,” said Betty Riess, a Bank of America spokeswoman, in an
e-mail statement. “Our objective is to balance customers’ need for
convenience and quick access to general information with industry-best
protection of their accounts.”
Somehow I doubt that customers feel strongly about where banks ought to
strike that balance, though. Has Bank of America attracted scores of
credit card customers because it doesn’t ask for the last four digits of
a Social Security number when they call? And would it really drive many
people away if it started asking for the full card number each time
people called the automated system?
A Chase spokesman, Paul Hartwick, declined to discuss the bank’s
security in much detail but said that the risks from spoofing in this
instance were “minimal.”
Mr. Dworsky did not find either bank’s response satisfying. “I think
it’s alarming that virtually anyone can get access to your payment and
purchase information,” he said. “But it’s even worse that these two big
banks seemingly care so little about customers’ privacy that they’re
unwilling to prevent this type of invasion, which they could do so
Until banks start asking for a bit more information, you are on your own
here. If you’re in a personal or professional situation where someone
might be interested in what you’re spending and where, don’t spend it on
a Chase or Bank of America credit card.
Also, if you’re in the habit of throwing out credit card receipts, shred
them instead, since some of the data there can be useful to people
looking to exploit the card issuers’ automated systems.
As for your cellphone, if you’re not a Verizon user, set up a voice mail
password and use it, simple as that.
With each passing year, technology brings more convenience and delight
to all of us. But it also creates vulnerabilities. Fortunately, spoofing
is pretty easy to combat once you know that people are doing it.
Meanwhile, it’s too bad that some service providers don’t seem to want
to help by making customers take a few extra seconds to shield
Jenna Wortham contributed reporting.