Network News

X My Profile
View More Activity

When Phones Lie

I've spent the last few months reporting a couple of stories on the hacking of hotel heiress Paris Hilton's cell phone and the escalating investigation into the January intrusion at LexisNexis, in which hackers hijacked several accounts to download private information on thousands of consumers. Turns out the attacks were done by the same group, according to my reporting.

We were planning to run a sidebar to the Paris Hilton story on the ways some hackers are using phone spoofing to gain access to sensitive information, but as it wasn't directly related to the two stories we opted to publish it out as a blog entry.

The following is a look at several techniques that hackers can use to trick people into giving up personal and financial information. One of the kids I interviewed in reporting the two stories said he used all of the techniques described below to gain access to sensitive information and Web sites.


Pretending to be someone you are not has become easier with new, inexpensive online services that allow telephone users to fool caller ID systems by "spoofing" -- or faking -- the phone number that appears in the display window on the recipient's wireless phone or caller ID screen. At sites like and, a customer can fill out a simple Web form with the target's phone number and any 10-digit source number that he or she wants to display. A block of 100 minutes of spoofed calls costs just $5.

Spoofing services are popular among private investigators, bill collectors and law enforcement, but experts say they also pose unique threats in the hands of criminals. For example, credit card issuers typically require card holders to call from their home phone numbers to activate a new card. But this security feature can easily be defeated by caller ID spoofing, according to Kevin Mitnick, whose storied hacking career included breaking into phone company networks.

Hackers also can exploit spoofing to listen to a target's voice mail or change the outgoing message. Several cell-phone providers rely on caller ID to verify that someone checking a voice mail account is calling from the account holder's mobile handset, said Bob Egan, chief executive officer of

In February, Egan's company released a report that found many wireless providers allow consumers to turn off or bypass the passcode-checking function used to safeguard access to voice-mail accounts.

"Some carriers have been billing this as a convenience feature and have lulled their subscribers by saying, "If you're accessing your voice mail from your handset, then you're fine,'" Egan said. "As we have found, ... information about how to exploit those vulnerabilities is widely shared on online hacker chat channels."

Egan said all of the mobile carriers he buys service from are vulnerable, including Sprint, Cingular and T-Mobile. Egan said he recently used spoofing to change the outgoing message on the voice mail account of a friend -- an executive at one of the major wireless carriers.

"I called him in the middle of the night when his phone was off and was able to walk right into his voice-mail box," Egan said.

A Cingular spokesperson confirmed that customers are able to skip their passcode feature if they want. Sprint spokesman Charles Fleckenstein said the company recently sent notices along with customer bills explaining how to disable the "skip password" function in the company's voice-mail system. T-Mobile spokesman Peter Dobrow said T-Mobile customers do have the choice to use a password to access their voice mail box, and that the company "strongly recommends" that customers use one.

By Brian Krebs  |  May 19, 2005; 1:10 PM ET
Categories:  Fraud  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Before You Fire the Company Geek...
Next: Gutting the Phish


Scary thought, isn't it?

Had to check out the links for the two number spoofing sites mentioned - nice to see that has been shut down.

Posted by: Janice in Lorton | May 20, 2005 6:53 PM | Report abuse

What happened tro covertcall?

Posted by: Anonymous | May 28, 2005 7:42 PM | Report abuse even better then both of those :P

Posted by: Larry | June 4, 2005 5:01 AM | Report abuse even better then both of those :P

Posted by: Larry | June 4, 2005 5:01 AM | Report abuse

Spooftel sucks, no free test calls like covertcall used to have.

Posted by: Anonymous | August 2, 2005 6:15 PM | Report abuse

1: Why is it "nice to see" that a place where you can enhance your privacy "has been shut down"??? If privacy is so bad to you, prove that by going out naked, with your credit card numbers (and PINs) tattoed on your back or chest. I didn't THINK so.

2: All you need to do this is a router with with a VIC, and a low-end program to feed it config updates. And that's the "hard" way to do this!

3: Look at your own CallerID!! Look how screwed up so many of them are!! Look how Vonage (e.g.) just dittos the number into the text part. Look how many cell carriers can't even get the number right sometimes. Here we go again: the people who are supposed to be Serving their Customers are unable to provide the services, but overprivileged latchkey kids can do what they want with it. I have no problem with overprivileged latchkey kids, but I do wish Vonage, Alltel, Cingular, et al. would hire some!!!! CallerID is a nifty tool, but even Ma Bell can't get it right.

Posted by: Anonymous-Suzerain | August 15, 2005 10:20 AM | Report abuse

I don't know who they are using for there carriers, but the sound quality is horrible!

Posted by: Joe L | October 31, 2005 12:50 AM | Report abuse

CallerID Monitor features various call announce options per-contact based. You can choose how you want your contact to be announced. Choose between group sound, specific custom sound or computer-generated voice using text-to-speech engine. In order to work with text-to-speech, you will need to have SAPI Engine installed on your computer. CallerID Monitor supports both versions, SAPI 4 and SAPI 5.1.

Posted by: tom | April 24, 2006 4:25 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company