March 29, 2024

Your Money: Your Phone May Be Less Secure Than You Thought

Just how vulnerable are everyday United States residents to similarly determined snoops?

The answer is, more than you might think.

AT&T, Sprint and T-Mobile do not require cellphone customers to use a password on their voice mail boxes, and plenty of people never bother to set one up. But if you don’t, people using a service colloquially known as caller ID spoofing could disguise their phone as yours and get access to your messages. This is possible because voice mail systems often grant access to callers who appear to be phoning from their own number.

Meanwhile, as Edgar Dworsky, a consumer advocate who founded ConsumerWorld.org, discovered recently, someone armed with just a bit of personal information about a target can also gain access to the automated phone systems for Bank of America and Chase credit card holders.

Once those systems recognize the phone number of the incoming call and those bits of personal information, they offer up the latest on the cardholder’s debts, late payments and credit limits. Bank of America’s computer will even read off a list of dozens of recent charges, including names of doctors and other businesses the cardholder might have patronized.

There are additional steps that the mobile phone companies and the card issuers could take to stop this sort of thing from ever happening. The fact that many of them don’t, however, makes this your problem to solve.

These sorts of breaches wouldn’t happen without spoofing, and surprisingly enough, it’s an activity that turns out to be perfectly legal, up to a point.

Commercial spoofing operations, which began offering services to individuals about seven years ago, are easy to find and cost $10 or so for 60 minutes of calling time. A Google search on “caller ID spoofing” leads to many providers with names like SpoofCard, whose slogan is “Be Who You Want to Be.”

Registered users call an access number (or use a form on a Web site) and enter the phone number they are calling and the phone number they want to show up on the caller ID display of the person they are calling. Then the service puts the call through.

Late last year, President Obama signed the Truth in Caller ID Act, which prohibits knowingly using spoofing services to defraud, cause harm or wrongfully obtain anything of value. The fine is up to $10,000 for a single incident.

The new law, however, is not much of a disincentive for people already engaged in illegal activity. After all, for years, even before commercial services were available, hacker thieves were manipulating caller ID information to convince consumers that a bank was phoning. Unwitting recipients of these calls would hand over their Social Security numbers and become identity theft victims.

Another common tactic was the jury duty fraud, in which thieves would program their phones to make it appear that they were calling from a local courthouse. Then they’d tell recipients that they’d missed their jury duty assignment and needed to pay a fine by credit card over the phone to avoid arrest. Once the thieves had the card numbers, they’d go on a spending spree.

Given all of this, it’s hard to imagine a legitimate use for caller ID spoofing, but there are at least a few. People who have been victims of domestic violence may not want anyone to know where they are calling from. Doctors use it when calling patients from cellphones to keep patients from getting the number and pestering them later. Parents sometimes use the service as well, if they have children who tend to ignore their calls.

Using spoofing services to listen to someone’s voice mail is probably not a legitimate use. That said, mobile phone voice mail systems would be more spoof-proof if they required passwords every time a user called in, no matter what phone someone was calling from. Only Verizon Wireless does this, though.

After a recent article in The Boston Globe showing how vulnerable voice mail was to spoofing, AT&T Wireless improved its security a bit. While it still lets users choose whether to require a password each time they call their voice mail, the default is to have them use one — the opposite of the previous practice. Sprint is similar to AT&T in this regard, while T-Mobile allows users to require a password every time they call in for voice mail, but doesn’t default to that option.

Why didn’t AT&T force all customers to use a password? “We take the position that customers should have the information and tools available to make the right decision for them,” said Mark Siegel, a spokesman.

Jenna Wortham contributed reporting.

Article source: http://feeds.nytimes.com/click.phdo?i=c71227d4638fee77994b2b829a291031