By Andy Sullivan
WASHINGTON (Reuters) - Internet phone services have drawn millions of users looking for rock-bottom rates. Now they're also attracting identity thieves looking to turn stolen credit cards into cash.
Some Internet phone services allow scam artists to make it appear that they are calling from another phone number -- a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.
"It's like you've handed people an entire phone network," said Lance James, who as chief technology officer of Secure Science Corp. sees such scams on a daily basis.
The emerging scams underline the lower level of security protecting Voice Over Internet Protocol, or VOIP, the Internet-calling standard that has upended the telecommunications industry over the past several years.
Traditional phone networks operate over dedicated equipment that is difficult for outsiders to penetrate. Because VOIP calls travel over the Internet, they cost much less but are vulnerable to the same security problems that plague e-mail and the Web.
Internet worms that snarl online networks can render VOIP lines unusable, and experts at AT&T say VOIP conversations can be monitored or altered by outsiders.
Federal Trade Commission Chairman Deborah Platt Majoras recently warned that unscrupulous telemarketers could use VOIP to blast huge numbers of voice messages to consumers, a technique known as SPIT, for "spam over Internet telephony."
All of these threats remain largely in the realm of theory. Caller ID spoofing, on the other hand, has emerged over the past six months as a useful tool for identity thieves and other scam artists, according to fraud experts.
PRESIDENT BUSH ON THE LINE
Any reporter would scramble for a ringing phone that reads "White House media line" on its caller ID display.
But it's not the Bush administration on the line -- it's security instructor Ralph Echemendia, calling from a mobile phone on a remote Georgia highway.
"You can see how this sort of thing could be used in a very malicious way," said Echemendia, a security instructor at the Intense School, a technology training company.
Caller ID spoofing is not prohibited by law, but the Federal Communications Commission requires telemarketers to identify themselves accurately, a spokeswoman said.
Echemendia built his own system to spoof calls, but several free or low-cost services allow even technical novices to falsify caller ID information as well.
Debt collectors and private investigators use Camophone.com's5-cents-per-call service to trick people into answering the phone, according to messages posted on a discussion board.
Traveling salesmen say the service comes in handy when they want clients to return calls to the main office, rather than their motel room.
James said criminal uses of caller-ID spoofing have become common over the last six months.
Wire-transfer services like Western Union require customers to call from their home phone when they want to transfer money in an effort to deter fraud -- a barrier easily sidestepped by any identity thief using a caller-ID spoofing service.
Fraud rings can now transfer money directly out of stolen credit-card accounts, rather than buying merchandise and reselling it, he said.
Western Union spokeswoman Danielle Periera said the company has no other way to verify that transfer requests are valid.
"We try hard to stay one step ahead of them and recognize that scam artists are sophisticated and often change their schemes," she said.
Criminals can use caller-ID spoofing to listen to other people's voice mail, James said, especially when those accounts are not protected by passwords.
They also have begun to use the technology to make it appear that they are calling from a bank or other financial institution, said Dave Jevans, who chairs the Anti-Phishing Working Group, a banking-industry task force.
That helps them convince consumers to divulge account numbers, passwords and other sensitive information in a scam that echoes the "phishing" e-mails that have become common, he said.
VOIP industry pioneer Jeff Pulver, whose Free World Dialup service can be used to spoof calls, said he couldn't prevent abuse of his system.
The problem will likely recede as companies like VeriSign Inc. and NeuStar Inc. develop ways to verify online identities, he said: "We're not there yet, but we're going to get there."
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at. Hundreds of new articles daily. *** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, Reuters Limited.
For more information go to: