Phishing by phone--VoIP raises security concerns
Net phone services have drawn millions of users. Now they're also attracting identity thieves looking to turn stolen credit cards into cash.
Some Internet phone services let scam artists make it appear that they're calling from another phone number--a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.
"It's like you've handed people an entire phone network," said Lance James, who as chief technology officer of Secure Science sees such scams on a daily basis.
The emerging scams underline the lower level of security protecting voice over Internet Protocol, or VoIP, the Internet-calling standard that has upended the telecommunications industry over the past several years.
Traditional phone networks operate over dedicated equipment that is difficult for outsiders to penetrate. Because VoIP calls travel over the Internet, they cost much less but are vulnerable to the same security problems that plague e-mail and the Web.
Internet worms that snarl online networks can render VoIP lines unusable, and experts at AT&T say VoIP conversations can be monitored or altered by outsiders.
Federal Trade Commission Chairman Deborah Platt Majoras recently warned that unscrupulous telemarketers could use VoIP to blast huge numbers of voice messages to consumers, a technique known as SPIT, for "spam over Internet telephony."
All of these threats remain largely in the realm of theory. Caller ID spoofing, on the other hand, has emerged over the past six months as a useful tool for identity thieves and other scam artists, according to fraud experts.
Any reporter would scramble for a ringing phone that reads "White House media line" on its caller ID display.
But it's not the Bush administration on the line--it's security instructor Ralph Echemendia, calling from a mobile phone on a remote Georgia highway.
"You can see how this sort of thing could be used in a very malicious way," said Echemendia, a security instructor at the Intense School, a technology training company.
Caller ID spoofing is not prohibited by law, but the Federal Communications Commission requires telemarketers to identify themselves accurately, a spokeswoman said.
Echemendia built his own system to spoof calls, but several free or low-cost services allow even technical novices to falsify caller ID information as well.
Debt collectors and private investigators use Camophone.com's 5-cents-per-call service to trick people into answering the phone, according to messages posted on a discussion board.
Traveling salesmen say the service comes in handy when they want clients to return calls to the main office, rather than their motel room.
James said criminal uses of caller ID spoofing have become common over the last six months.
Wire-transfer services like Western Union require customers to call from their home phone when they want to transfer money, an effort to deter fraud, but a barrier easily sidestepped by any identity thief using a caller-ID spoofing service.
Fraud rings can now transfer money directly out of stolen credit-card accounts, rather than buying merchandise and reselling it, he said.
Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are valid.
"We try hard to stay one step ahead of them and recognize that scam artists are sophisticated and often change their schemes," she said.
Criminals can use caller ID spoofing to listen to other people's voice mail, James said, especially when those accounts are not protected by passwords.
They also have begun to use the technology to make it appear that they are calling from a bank or other financial institution, said Dave Jevans, who chairs the Anti-Phishing Working Group, a banking-industry task force.
That helps them convince consumers to divulge account numbers, passwords and other sensitive information in a scam that echoes the "phishing" e-mails that have become common, he said.
VoIP industry pioneer Jeff Pulver, whose Free World Dialup service can be used to spoof calls, said he couldn't prevent abuse of his system.
The problem will likely recede as companies like VeriSign and NeuStar develop ways to verify online identities, he said: "We're not there yet, but we're going to get there."
Story Copyright © 2005 Reuters Limited. All rights reserved.