The feud between celebrities Paris Hilton and Lindsay Lohan has taken a turn for the geeky, with a small fake caller ID seller accusing Hilton of hacking into voice-mail accounts on an unnamed mobile phone network.
Hilton was one of more than 50 customers whose accounts were suspended because they had been using SpoofCard.com’s caller ID spoofing service to hack into voice-mail accounts, according to Mark Del Bianco, SpoofCard.com’s attorney. Many of the accounts that were hacked via the spoofing service belonged to well-known celebrities, including Lohan, he said.
SpoofCard.com has not actually accused Hilton of hacking into Lohan’s voice mail. But celebrity gossip sheets, already abuzz with the rivalry between the two divas, have jumped on the story.
The New York Post reported last month that someone had stolen the password to Lohan’s BlackBerry and sent her friends “disgusting and very mean messages that everyone thought were coming from Lindsay.” Lohan’s representatives hinted that Hilton may have been behind the hack, the Post said. That story can be found here.
Hilton could not be reached for comment, but her spokesman, Elliot Mintz, told E! Online that the alleged hacking “just didn’t happen,” and suggested that someone else may have opened the SpoofCard.com account in Hilton’s name. That story can be found here.
Both the Cingular Wireless and T-Mobile USA telephone networks use caller ID to identify voice-mail users without requiring passwords. So users on either network could have been vulnerable to the misuse alleged by SpoofCard.com, said Lance James, chief scientist with security vendor Secure Science.
The scandal illustrates how the telephone industry has been affected by inexpensive telephony software, like the open-source Asterisk telephone system. Recently, phishers have been using this software to set up inexpensive phone networks that give their fake e-mails an added air of authenticity, for example.
And with fewer than 10 employees, SpoofCard.com was able to use Asterisk and Linux to create a line of business that would have been far too expensive just 10 years ago. The fake Caller ID vendor sells US$10, 60-minute calling cards that let users call a toll-free number and type in whatever Caller ID number they want their call to display.
While SpoofCard.com maintains there are legitimate uses for Caller ID spoofing — allowing remote employees to appear as though they are dialing from their company’s phone system, for example — the latest incident indicates that this technology has created new opportunities for misuse as well.
One year ago, U.S. Rep. Tim Murphy claimed he was the victim of someone who used fake caller ID to leave inappropriate messages that appeared to come from his own office.
Earlier this year, the U.S. Federal Communications Commission launched an investigation into caller ID spoofing sites, but according to James, these voice-mail break-ins could be stopped if all mobile carriers simply required passwords.
“The fix is on the communications side,” he said. “They just need to lock [their voice-mail systems] down like Verizon does.”
By Robert McMillan, IDG News Service (San Francisco Bureau)