By Andy Sullivan
WASHINGTON (Reuters) - Internet phone services have drawn millions of
users looking for rock-bottom rates. Now they're also attracting
identity thieves looking to turn stolen credit cards into cash.
Some Internet phone services allow scam artists to make it appear that
they are calling from another phone number -- a useful trick that
enables them to drain credit accounts and pose as banks or other
trusted authorities, online fraud experts say.
"It's like you've handed people an entire phone network," said Lance
James, who as chief technology officer of Secure Science Corp. sees
such scams on a daily basis.
The emerging scams underline the lower level of security protecting
Voice Over Internet Protocol, or VOIP, the Internet-calling standard
that has upended the telecommunications industry over the past several
years.
Traditional phone networks operate over dedicated equipment that is
difficult for outsiders to penetrate. Because VOIP calls travel over
the Internet, they cost much less but are vulnerable to the same
security problems that plague e-mail and the Web.
Internet worms that snarl online networks can render VOIP lines
unusable, and experts at AT&T say VOIP conversations can be monitored
or altered by outsiders.
Federal Trade Commission Chairman Deborah Platt Majoras recently
warned that unscrupulous telemarketers could use VOIP to blast huge
numbers of voice messages to consumers, a technique known as SPIT, for
"spam over Internet telephony."
All of these threats remain largely in the realm of theory. Caller ID
spoofing, on the other hand, has emerged over the past six months as a
useful tool for identity thieves and other scam artists, according to
fraud experts.
PRESIDENT BUSH ON THE LINE
Any reporter would scramble for a ringing phone that reads "White
House media line" on its caller ID display.
But it's not the Bush administration on the line -- it's security
instructor Ralph Echemendia, calling from a mobile phone on a remote
Georgia highway.
"You can see how this sort of thing could be used in a very malicious
way," said Echemendia, a security instructor at the Intense School, a
technology training company.
Caller ID spoofing is not prohibited by law, but the Federal
Communications Commission requires telemarketers to identify
themselves accurately, a spokeswoman said.
Echemendia built his own system to spoof calls, but several free or
low-cost services allow even technical novices to falsify caller ID
information as well.
Debt collectors and private investigators use Camophone.com's
5-cents-per-call service to trick people into answering the phone,
according to messages posted on a discussion board.
Traveling salesmen say the service comes in handy when they want
clients to return calls to the main office, rather than their motel
room.
James said criminal uses of caller-ID spoofing have become common over
the last six months.
Wire-transfer services like Western Union require customers to call
from their home phone when they want to transfer money in an effort to
deter fraud -- a barrier easily sidestepped by any identity thief
using a caller-ID spoofing service.
Fraud rings can now transfer money directly out of stolen credit-card
accounts, rather than buying merchandise and reselling it, he said.
Western Union spokeswoman Danielle Periera said the company has no
other way to verify that transfer requests are valid.
"We try hard to stay one step ahead of them and recognize that scam
artists are sophisticated and often change their schemes," she said.
Criminals can use caller-ID spoofing to listen to other people's voice
mail, James said, especially when those accounts are not protected by
passwords.
They also have begun to use the technology to make it appear that they
are calling from a bank or other financial institution, said Dave
Jevans, who chairs the Anti-Phishing Working Group, a banking-industry
task force.
That helps them convince consumers to divulge account numbers,
passwords and other sensitive information in a scam that echoes the
"phishing" e-mails that have become common, he said.
VOIP industry pioneer Jeff Pulver, whose Free World Dialup service can
be used to spoof calls, said he couldn't prevent abuse of his system.
The problem will likely recede as companies like VeriSign Inc. and
NeuStar Inc. develop ways to verify online identities, he said: "We're
not there yet, but we're going to get there."
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . Hundreds of new articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Reuters Limited.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml