Phone Hacking Equals Credit Card Hacking
Everyone was shocked recently by the phone hacking scandal at the News Of The World paper in England. The technical details involve using caller ID to fool the telephone company into thinking that an unauthorized caller is really calling form the victim’s phone. Since the voicemail system automatically allows access to the owner without a password, gaining access was easy, so long as you can spoof the caller ID system. Unfortunately, the caller ID system is about as secure as the return address on an envelope. Caller ID information is just a small piece of data in a telephone transmission that is easily manipulated by a number of products and services.
The Implications For Credit Cards
Like the vulnerable voicemail systems, banks often rely on your caller ID to partially authenticate you. Often, they will ask for the last four digits of your credit card or your zip code. This is where the vulnerability lies. The last four digits of your card are listed on your receipt, and can be easily memorized by anyone who comes into contact with your credit card. Your zip code is hardly private information either. Put this information together with your phone number, and anyone can spoof the bank’s system into authenticating your phone call and handing out all sorts of private information. How private? Are you seeing a medical specialist or a mental health professional? Do you want other people to know how much you spend or where you travel to? Although this information might be very boring in my case, other people can be very vulnerable to such an easy hack. Think of battered spouses, people in messy divorces, and, of course, celebrities and politicians. According to this article in Consumer World, Bank of American and Chase are the two major card issuers that are most vulnerable to this flaw.
What You Can Do
First, withhold as much information as possible. This means don’t give out your zip code or phone number to any merchant unless it is absolutely necessary. Protect all of your credit card receipts, as they contain the last four digits of your telephone number. I am not sure if it will work, but you can at least request that you bank fully authenticate you before divulging information as it may be possible for them to turn off the fast track authentication features that rely on your caller id. Now that caller ID spoofing is a well known phenomenon, we can expect it to be utilized by mainstream users like News Of The World, not just a small cadre of elite hackers. Every time you call a company, be it a bank or corporation offering some other service, be especially conscious of their use of your caller ID information in authenticating you before divulging your personal information.
Conclusions
Back in the time of War Games, hacking used to be the hobby of uber geeks with expensive computers and too much time on their hands. Today, everyone has a computer and people are becoming increasingly savvy on how to easily manipulate vulnerable systems to their advantage. By understanding vulnerabilities such as the caller ID spoof, you can better protect yourself and your information from malicious people.
