As we come to rely more and more upon technology as a filter for our life experiences, opportunities to bend reality abound. In theory, none of this is new. Ask anybody who has ever been on an online dating site and they will tell you what you see is not always what you get. Yet as technology plays an ever-increasing role as an intermediator for our daily experiences, those who control the technology can control our experiences. These changes have some significant implications for crime and social disorder in the 21st century.
Phishing emails routinely take users to websites that appear to be genuine, but are in fact controlled by organized crime. Unsuspecting victims enter their personal banking details and are defrauded shortly thereafter. Pedophiles pretend to be teenagers, creating extensive fake online profiles in order to lurk in chat-rooms popular with young adults and to contact them. The creation of hundreds of thousands of blogs has turned the common man into a broadcaster, making it harder to judge the quality and veracity of the news. Is the story about the latest celebrity death real or is it rumor? The stories look real and official. Perhaps they are true? Of course one false story about a company’s latest quarterly financials is enough to move markets and create a financial fraud costing victims billions of dollars.
As noted below, there are now a number of software applications that have been created to “spoof” or alter the caller identification on outbound mobile phone calls. While there are relatively benign uses of these technologies, (like playing jokes on other teenage friends), there can also be potentially deadly consequences. In a phenomenon known as “Swatting,” criminals have been able to telephone police 911/emergency phone systems with spoofed telephone identities and reporting non-existent crimes resulting in the response of heavily-armed police SWAT units to various locations. In many cases, the offenders placed calls that appeared to come from legitimate addresses several states away and reported ongoing kidnapping or hostage scenarios in progress. Using these technologies, it was possible for a man in Ohio (USA) to use a spoofed phone identification to report a nonexistent hostage crisis, sending armed police bursting into the homes of innocent people.
Spoofed phone numbers can also allow criminals access to the voice-mail systems of others. Since many mobile phone carriers do not require a password to enter a voicemail box system by default, a spoofed caller ID means criminals can listen to the phone messages of others without authorization. Valuable information could be obtained regarding pending business transactions, mergers and acquisitions and even personal medical data. Noted celebrities have also been accused of abusing this technology to gather gossip on rivals. From a social engineering perspective, telephone spoofing creates a powerful tool for the criminal mind. A spoofed telephone call to a company’s IT-Department requesting a system password or the latest WiFi WPA key, is much more likely to be successful if the call appears to be emanating from within the company’s own telephone infrastructure (internal to the company). Of course this particular technique is not new. Even 15 years ago, fax machines allowed their owners to enter any particular information they desired for identifying the machine and its originating phone number. What is changing however, is the pervasive use of technology and the widespread means to alter the user experience in real time.
Researchers at Stanford University’s Virtual Human Interaction Lab have done extensive research on human behavior in virtual spaces and have presented a number of techniques to alter in an instant how our virtual selves are presented to others. The implications for future forms of criminality are noteworthy as evidenced by these experiments. For example, it is widely known that people in traditional human-to-human interactions tend to have greater trust in people who look, sound and act just as they do. That is to say, generally speaking, all things being equal, somebody would likely more trust and believe in somebody of their own race, gender or age, than somebody who differed in these characteristics. As such, it is possible to alter one’s appearance, depending on the appearance of others. Thus if I wanted to sell an individual a life insurance policy, I would have a better chance of making the sale if I emulated the physical characteristics of the person to whom I was selling. This is hard to do in real life, but easy to do with an avatar that mimicked a target’s own movements and appearance in order to gain their trust. Con men have been doing this for years. Now, however, the entire process can be done in real time through computer scripting and AI.
The relevant “take-home” message is that in the future, seeing something with your own two eyes and hearing it with your own ears, may not mean that it is real or actually occurred. Entertainers long deceased, such as Elvis, Marilyn Monroe and Humprey Bogart have been resurrected in digital form and are being used in commercial advertisements to sell a wide variety of products, often without the permission of the entertainer’s estate. Since there is enough video and photographic footage of these famous individuals, their likeliness can be appropriated, or misappropriated as the case may be, and made to do or sell anything. As more and more non-celebrities, including your parents, children or spouse, post their own photos and videos online on sites such as Flikr, Picassa, Facebook and Youtube, what is to prevent an unscrupulous individual from taking them an repurposing them for criminal purposes, (such as threatening the rightful owner with the release of a highly realistic, verisimilitudinous pornographic creation unless financial extortion demands are met).
Rapid advances in virtual reality technologies will only exacerbate this problem. For example, researchers at the Stanford University VHI laboratory were able to show that children immersed in virtual reality environments were unable to distinguish between what happened in the real world and what happened in VR. The Stanford report on the subject entited Virtually true: Children’s acquisition of false memories in virtual reality, showed that when a realistic avatar of a child’s own image was shown swimming undersea with a whale, the children believed and reported that in fact they actually did swim with a real whale. The subject in the study did not experience the time with the whale as anything other than a real undersea play-date with an actual whale. This raises significant opportunities for the planting of false memories in child sexual abuse cases, among a wide variety of additional crimes.
The story below is but the tip of the iceberg in a whole new generation of future crimes. Moreover, it underscores now more than ever the old addage that perception is indeed reality.
The Rise of Caller ID Spoofing
February 5, 2010
Applications that let users change or “spoof” their Caller ID are gaining in popularity in mobile phone app stores, even as Congress considers stalled legislation to outlaw particular uses of the technology, and criminals use it to engage in nefarious activity.
Caller ID spoofing technology allows a user to change the caller ID to show any desired number on a recipients caller ID display. There are currently a handful of companies that offer this service including SpoofCard (and it’s mobile application called Spoof App) and Spoofem, among others.
Most spoofing apps allow pranksters to mask or change their voice as well, and Spoofem actually allows users to fake texts and email. Popular desktop versions are now becoming available online in Blackberry and Droid app stores.
Spoofem and Spoofcard both claim over a million customers. “People use it as a lifestyle,” says Meir Cohen, President of TelTech Systems, SpoofCard’s parent company. Most services tend to charge $10 an hour. Spoofem’s President Gregory Evans claims more than a million dollars a year in profit.
There are useful and legitimate applications of the software: A doctor who has to call back a patient late at night and doesn’t want them to have his home or cell phone number, for instance; A public relations specialist calling on behalf a client, and wanting the client’s name to pop up on the Caller ID display.
And, of course, there is the cheating issue. Spoofem started marketing its product to women when it found, early on, that 80 percent of its users were women who were trying to catch their boyfriend or girlfriend cheating.
But the same spoofing software lets users hack into other people’s voicemail, by taking advantage of a feature in most mobile phone carriers that allows calls from a person’s own phone to default to voicemail without a password.
Spoofing companies blame the carriers for the security flaw. “It is not the service…. it’s the cell phone companies,” says Gregory Evans, President of Spoofem.com. “The cell phone companies have to take some type of responsibility.”
Some companies, such as T-Mobile have a default setting for voicemail that does not include a password.
“If the customer does not elect to turn the password on during setup, then the default setting is off,” says a spokesman for the company. “Individuals using these spoofing applications risk criminal as well as personal liability for their actions.”
AT&T also does not default its users to a passcode for voicemail. “Our customers strongly prefer to have one touch voicemail,” a spokeswoman says. “However, we make it simple to set your voicemail settings to require a password and encourage customers to do so.”
Amy Storey, A spokeswoman for CTIA, the International Association for Wireless Telecommunications, which represents wireless carriers, believes Caller ID spoofing should be illegal and supports proposed lesiglation that would make certain uses of spoofing software illegal.
Spoofing companies are confident they will survive, in the same way email technology survived spamming, or similar phishing scams. Washington, D.C.-area based Telecom Attorney Mark Del Bianco, who also represents Spoofcard, says Congress cannot legislate against a technology. “They can’t make telling lies illegal,” he says.
Del Bianco recommends setting up and keeping a password prompt on mobile voicemail. “In the end, it’s the responsibility of anyone who has a voicemail box to make sure it’s not easy to hack into that voicemail box,” he says.
And for those thinking of committing a crime with the Caller ID spoofing software, Del Bianco has words of caution. “There are an awful lot of people who believe that if they use Caller ID spoofing, somehow there is no call record, and it can’t be traced. That’s not the case.” He says Spoof Card gets regular subpoena requests from unhappy spouses and the NSA, among others.
