Monday, October 26, 2009
Call Spoofing: So easy, even famous people do it!
A simple but effective call spoofing technique has hit the mainstream. Former high profile Dolce & Gabbana publicist Ali Wise used a phone call spoofing service called SpoofCard to listen to her ex-boyfriend's voicemails. The service hides the phone number you're calling from, routes the call through their server, and spoofs the caller ID with any 10-digit number. Several years ago, Paris Hilton was also in the news for allegedly using SpoofCard to listen to her friends' voicemails. Voicemail users whose mailbox does not prompt for a passcode when the call appears to come from their own number are vulnerable to this technique.
I tested the SpoofCard iPhone app, and using only the 'first 5 minutes free' I was able to prove that it does everything it claims. I called myself, spoofing the number with another 10-digit number, and disguised my voice using the built-in voice modifier. The choice of "man" or "woman" isn't good; I would know it wasn't a real voice... unless I was expecting a call from the DaVinci Virus in Hackers. (But phishing scams are prime for automated messages.) The call recording feature works perfectly and portably. With very little effort I had voicemail access without a password prompt. The only part that didn't work as expected was routing the call through Google Voice: it came up "Unknown."
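The weak spot described above is a voicemail system that trusts the presented caller ID as authentication. The following is an added example, not code from the original post or from SpoofCard, that flags inbound calls whose caller ID equals the called subscriber's own number and contrasts the caller-ID-trusting PIN policy with one that always prompts on external calls; the CDR format, field names and sample records are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class CallRecord:
    trunk: str      # "external" (arrived from the PSTN) or "internal" (originated on the PBX)
    caller_id: str  # presented caller ID, 10 digits, unauthenticated when external
    called: str     # dialed subscriber number, 10 digits
    purpose: str    # "voicemail" when the call landed in the voicemail system

# Constructed sample records: a legitimate internal retrieval, an external call
# presenting the subscriber's own number (the spoofed-retrieval pattern), and an
# ordinary external call from a different number.
SAMPLE_CDR = """\
internal,4045550123,4045550123,voicemail
external,4045550123,4045550123,voicemail
external,2125550199,4045550123,voicemail
"""

def parse_cdr(text):
    """Parse the constructed comma-separated CDR lines into CallRecord objects."""
    records = []
    for line in text.strip().splitlines():
        trunk, caller_id, called, purpose = line.split(",")
        records.append(CallRecord(trunk, caller_id, called, purpose))
    return records

def suspicious_self_calls(records):
    """Return voicemail calls that came in over the external trunk while presenting
    the called party's own number. Caller ID is not verified across the PSTN, so
    this is exactly what a spoofed 'call yourself' retrieval looks like in the logs."""
    return [r for r in records
            if r.trunk == "external" and r.purpose == "voicemail"
            and r.caller_id == r.called]

def pin_required(record, policy):
    """Weak policy: skip the PIN whenever caller ID matches the mailbox number.
    Hardened policy: require the PIN for every external retrieval; internal
    extensions are already authenticated by the PBX (an assumption of this example)."""
    if policy == "trust_caller_id":
        return record.caller_id != record.called
    if policy == "always_pin_external":
        return record.trunk == "external"
    raise ValueError(f"unknown policy: {policy}")
```

Under the weak policy the flagged external call gets straight into the mailbox; under the hardened policy it is challenged for the PIN while internal retrievals stay convenient.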
Besides listening to voicemails, there are other reasons to be concerned. Two weeks ago, Elizabeth Wharton and I led a discussion at the Atlanta chapter meeting of NAISG about Identity Theft using Social Networks. One case in point I experienced personally. The attacker had already obtained the login credentials of a Facebook user in my friends list. They approached me via chat under my friend's name. They claimed that they had been mugged while on a trip to London and wanted to borrow $400 to pay the hotel bill. Since I knew the whereabouts of my friend, the attack ended there. But what if I wasn't so sure? Would a call from my friend's phone convince me? Since many Facebook users keep their phone numbers in their profile, this opens a huge door for phishing attackers. Remember that Identity Theft is not attributed to one large vulnerability but rather to dozens of innocuous details displayed freely around the Internet. Being able to appear as if they're officially calling from any other number may be the last piece the attacker needs to convince you to give up crucial information.
So should SpoofCard be able to continue this service? Their record shows that they've been keeping their nose clean for years, and they even won the lawsuit against 123spoof.com for using "spoof" in their business name. Their website claims the most appropriate use for this tool is in places like doctors' offices that want to have multiple numbers but don't want to appear confusing to the customers. While this sounds perfectly reasonable, I question whether this service is the optimal way to do that. They do not support misuse of the product, and "if there is illegal activity and we are served with a subpoena, we will cooperate with the court or law enforcement agency." It looks like for now the responsibility is still in our hands to be smart and protect ourselves with instinct and good judgment. (And take your phone number off the Internet!)