Sunday, September 2, 2012

Probes Scrutinize Caller ID Hacks

wired.com | Mar 21st 2012

Government interest is gathering around so-called Caller ID spoofing services that allow users to camouflage their phone numbers, with Florida's attorney general following the FCC in investigating the technology.

On Friday, state Attorney General Charlie Crist issued subpoenas targeting five different spoofing sites. For four of them, the subpoenas are directed at the registrars handling the services' anonymous domain name registrations, and are aimed at unmasking the owners of the sites. A fifth went directly to one of the spoofing sites, Tricktel.com, demanding business records and the identities of any Florida customers.

"People use Caller ID to protect themselves from unwanted calls and contact from those who would do them harm," Crist said in a press release. "It is wrong for individuals or businesses to deceive our citizens, and this cannot be allowed to continue unchecked."

In addition to serving as attorney general, Crist is the Republican candidate for governor of Florida.

The probe comes on the heels of a broad federal investigation that began late last month, when the FCC issued letters to at least three Caller ID spoofing sites demanding detailed information on the structure of the businesses, as well as the names of every customer that has used the services, the dates they used them and the number of phone calls they made.

One of those services, Telespoof.com, confirmed that it turned over its customer records to the commission last week, after the FCC followed up the letter with a formal subpoena.

"If I were a user, I would not be particularly concerned, because I think the FCC has obligations to keep it confidential," says Telespoof attorney Mark Del Bianco. "But I think there ought to be concerns about why the FCC wants the identities of all the subscribers.... It does not necessarily go out and subpoena the identities of ISP customers or others on a wholesale basis."

Telespoof, started in 2004 by a now-21-year-old phone hacker, has about 600 users, its founder says.

The Florida probe is separate from the FCC investigation, and does not encompass Telespoof. Crist is focused on five other sites: SpoofCom, SpoofTech, SpoofTel, SpoofCard and Tricktel. SpoofCard is also represented by Del Bianco, and the lawyer says the company is considering its options.

SpoofTel, which is based in Canada, says it's outside of the Florida attorney general's jurisdiction, but that the company doesn't tolerate unlawful use of its service. "I would like to remind your readers that SpoofTel's services are to be used for entertainment purposes only," SpoofTel said in a statement. "We certainly do not condone any misuse or abuse of our system. In the case of any misuse, we will immediately suspend that account while we proceed to investigate and determine whether termination is required."

None of the other sites responded to e-mail inquiries from Wired News.

Caller ID spoofing was once the exclusive province of shady boiler rooms that could afford bulk-rate phone connections and expensive equipment. But in 2004, hackers found a way to spoof their Caller ID by taking advantage of permissive voice over internet protocol service providers that offer connections to the conventional phone network while allowing customers to send anything they want as their Caller ID. Entrepreneurs began marketing web-based spoofing to private investigators and pranksters shortly thereafter.

To use a spoofing service, a customer typically pre-purchases minutes with a credit card or PayPal account. Then to make a call they simply visit the website and fill in three fields: their phone number, the number they want to call and the number they want to appear to be calling from.

The service dials them back automatically and connects them. At the receiving end, the caller sees only the spoofed number, which could be anything from the White House to Paris Hilton's private line.

Tricktel differs a bit from the other sites. It's a professional prank phone calling service that allows users to select from recordings of funny sounds to play to the victim, and to program in whatever number they want as their Caller ID.

Despite the obvious deception involved, Del Bianco says spoofing services are primarily used for lawful aims. "We're talking about private investigators, skip tracers, law enforcement agencies, attorneys, others who are legitimately trying to locate people to enforce their rights or in many cases the rights of the public," he says. "There are lots of legitimate uses of this."

But criminals have reportedly used the sites while making pretext phone calls to wheedle private information like bank account and Social Security numbers out of consumers and companies. Experts say the services have also been used to target businesses that rely on Caller ID for authentication -- Western Union's money-transfer service has been particularly vulnerable, as are T-Mobile voicemail boxes in their default configuration.

"Primarily, we think that it's a way for telemarketers to hide their identity, and consumers or citizens will be more likely to answer the phone if they don't think it's somebody trying to sell them something," says Joanna Carrin, a spokeswoman for the Florida attorney general's office. "We are using our deceptive and unfair business practices law to look into what these companies are doing."

In the United States, federal law already prohibits telemarketers from falsifying their Caller IDs.

Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, says he thinks Caller ID spoofing has legitimate uses, and would rather see fraudsters prosecuted for their crimes than have spoofing sites categorized as burglar tools.

"I think the thing to do here is to prosecute the underlying fraud," says Hoofnagle. "It seems to me it could be a privacy-enhancing technology that has useful purposes. For instance to call a police tip line or a newspaper perhaps."

Original Page: http://www.wired.com/science/discoveries/news/2006/03/70462
