Your Voice Mail May Be Even Less Secure Than You Thought

From the August 20, 2011 edition, The New York Times, p. B1

By Ron Lieber

For all of the palace intrigue recently about who in Rupert Murdoch’s News Corporation kingdom knew what about phone hacking when, one fundamental question about the scandal has gone mostly unanswered:

Just how vulnerable are everyday United States residents to similarly determined snoops?

The answer is, more than you might think.

AT&T, Sprint and T-Mobile do not require cellphone customers to use a password on their voice mail boxes, and plenty of people never bother to set one up. But if you don’t, people using a service colloquially known as caller ID spoofing could disguise their phone as yours and get access to your messages. This is possible because voice mail systems often grant access to callers who appear to be phoning from their own number.

Meanwhile, as Edgar Dworsky, a consumer advocate who founded ConsumerWorld.org, discovered recently, someone armed with just a bit of personal information about a target can also gain access to the automated phone systems for Bank of America and Chase credit card holders.

Once those systems recognize the phone number of the incoming call and those bits of personal information, they offer up the latest on the cardholder’s debts, late payments and credit limits. Bank of America’s computer will even read off a list of dozens of recent charges, including names of doctors and other businesses the cardholder might have patronized.

There are additional steps that the mobile phone companies and the card issuers could take to stop this sort of thing from ever happening. The fact that many of them don’t, however, makes this your problem to solve.

These sorts of breaches wouldn’t happen without spoofing, and surprisingly enough, it’s an activity that turns out to be perfectly legal, up to a point.

Commercial spoofing operations, which began offering services to individuals about seven years ago, are easy to find and cost $10 or so for 60 minutes of calling time. A Google search on “caller ID spoofing” leads to many providers with names like SpoofCard, whose slogan is “Be Who You Want to Be.”

Registered users call an access number (or use a form on a Web site) and enter the phone number they are calling and the phone number they want to show up on the caller ID display of the person they are calling. Then the service puts the call through.

Late last year, President Obama signed the Truth in Caller ID Act, which prohibits knowingly using spoofing services to defraud, cause harm or wrongfully obtain anything of value. The fine is up to $10,000 for a single incident.

The new law, however, is not much of a disincentive for people already engaged in illegal activity. After all, for years, even before commercial services were available, hacker thieves were manipulating caller ID information to convince consumers that a bank was phoning. Unwitting recipients of these calls would hand over their Social Security numbers and become identity theft victims.

Another common tactic was the jury duty fraud, in which thieves would program their phones to make it appear that they were calling from a local courthouse. Then they’d tell recipients that they’d missed their jury duty assignment and needed to pay a fine by credit card over the phone to avoid arrest. Once the thieves had the card numbers, they’d go on a spending spree.

Given all of this, it’s hard to imagine a legitimate use for caller ID spoofing, but there are at least a few. People who have been victims of domestic violence may not want anyone to know where they are calling from. Doctors use it when calling patients from cellphones to keep patients from getting the number and pestering them later. Parents sometimes use the service as well, if they have children who tend to ignore their calls.

Using spoofing services to listen to someone’s voice mail is probably not a legitimate use. That said, mobile phone voice mail systems would be more spoof-proof if they required passwords every time a user called in, no matter what phone someone was calling from. Only Verizon Wireless does this, though.

After a recent article in The Boston Globe showing how vulnerable voice mail was to spoofing, AT&T Wireless improved its security a bit. While it still lets users choose whether to require a password each time they call their voice mail, the default is to have them use one — the opposite of the previous practice. Sprint is similar to AT&T in this regard, while T-Mobile allows users to require a password every time they call in for voice mail, but doesn’t default to that option.

Why didn’t AT&T force all customers to use a password? “We take the position that customers should have the information and tools available to make the right decision for them,” said Mark Siegel, a spokesman.

Mr. Dworsky of ConsumerWorld, a former consumer protection lawyer for the state of Massachusetts, read the Globe article and wondered whether some credit card companies’ phone systems recognized callers if they were phoning in from a particular number.

He set about testing a number of major credit card issuers’ phone systems and found that with a couple of pieces of easily obtainable data — I’m not going to say what exactly — he could obtain access to a person’s credit card account information at Chase and Bank of America.

Chase’s phone system gives out individual purchase data by category, letting a caller know that there was a $12 purchase at a drug store. Bank of America’s phone system often reads off each transaction along with the name of the merchant, say a specific doctor or Web site or store.

In my tests and Mr. Dworsky’s, most spoofing services put through calls placed to banks, though some seemed to have those numbers blocked.

When the calls went through, spoofing services were successful in gaining access to Chase’s systems 100 percent of the time. Bank of America blocked calls that we placed from some spoofing services while letting others through. Neither bank seems to allow callers to use these systems in ways that could actually draw on a cardholder’s credit — like ordering new cards or requesting cash advances — without asking for more information or speaking to a representative.

Chase and Bank of America could close these holes by asking for a bit more information on the phone — say, the last four digits of a Social Security number. But Bank of America doesn’t want to, because officials there don’t think their customers want them to.

“One of the top reasons customers use the automated system is because they want to quickly check basic account status and transaction information,” said Betty Riess, a Bank of America spokeswoman, in an e-mail statement. “Our objective is to balance customers’ need for convenience and quick access to general information with industry-best protection of their accounts.”

Somehow I doubt that customers feel strongly about where banks ought to strike that balance, though. Has Bank of America attracted scores of credit card customers because it doesn’t ask for the last four digits of a Social Security number when they call? And would it really drive many people away if it started asking for the full card number each time people called the automated system?

A Chase spokesman, Paul Hartwick, declined to discuss the bank’s security in much detail but said that the risks from spoofing in this instance were “minimal.”

Mr. Dworsky did not find either bank’s response satisfying. “I think it’s alarming that virtually anyone can get access to your payment and purchase information,” he said. “But it’s even worse that these two big banks seemingly care so little about customers’ privacy that they’re unwilling to prevent this type of invasion, which they could do so easily.”

Until banks start asking for a bit more information, you are on your own here. If you’re in a personal or professional situation where someone might be interested in what you’re spending and where, don’t spend it on a Chase or Bank of America credit card.

Also, if you’re in the habit of throwing out credit card receipts, shred them instead, since some of the data there can be useful to people looking to exploit the card issuers’ automated systems.

As for your cellphone, if you’re not a Verizon user, set up a voice mail password and use it, simple as that.

With each passing year, technology brings more convenience and delight to all of us. But it also creates vulnerabilities. Fortunately, spoofing is pretty easy to combat once you know that people are doing it. Meanwhile, it’s too bad that some service providers don’t seem to want to help by making customers take a few extra seconds to shield themselves.

Jenna Wortham contributed reporting.