The feud between celebrities Paris Hilton and Lindsay Lohan has taken a turn for the geeky, with a small fake-Caller ID seller accusing Hilton of hacking into voice-mail accounts on an unnamed mobile phone network.
Hilton was one of more than 50 customers whose accounts were suspended because they had been using SpoofCard.com's Caller ID spoofing service to hack into voice-mail accounts, according to Mark Del Bianco, SpoofCard.com's attorney. Many of the accounts that were hacked via the spoofing service belonged to well-known celebrities, including Lohan, he said.
SpoofCard.com has not actually accused Hilton of hacking into Lohan's voice mail. But celebrity gossip sheets, already abuzz with the rivalry between the two divas, have jumped on the story.
The New York Post reported last month that someone had stolen the password to Lohan's BlackBerry and sent her friends "disgusting and very mean messages that everyone thought were coming from Lindsay." Lohan's representatives hinted that Hilton may have been behind the hack, the Post said.
Hilton could not be reached for comment, but her spokesperson Elliot Mintz told E! Online that the alleged hacking "just didn't happen," and suggested that someone else may have opened the SpoofCard.com account in Hilton's name.
What It Means for You
Both the Cingular Wireless and T-Mobile telephone networks use Caller ID to identify voice-mail users without requiring passwords. So users on either network could have been vulnerable to the misuse alleged by SpoofCard.com, according to Lance James, chief scientist with security vendor Secure Science.
The scandal illustrates how the telephone industry has been affected by inexpensive telephony software, like the open-source Asterisk telephone system. For example, phishers have recently been using this software to set up inexpensive phone networks that give their fake e-mails an added air of authenticity.
And with under ten employees, SpoofCard.com was able to use Asterisk and Linux to create a line of business that would have been far too expensive to establish just ten years ago. The fake-Caller ID vendor sells $10, 60-minute calling cards that let users call a toll-free number and type in whatever Caller ID number they want their call to display.
While SpoofCard.com maintains there are legitimate uses for Caller ID spoofing--allowing remote employees to appear as though they are dialing from their company's phone system, for example--the latest incident indicates that this technology has created new opportunities for misuse as well.
In an earlier incident one year ago, U.S. Representative Tim Murphy claimed he was the victim of someone who used a fake Caller ID to leave inappropriate messages that appeared to come from his own office.
Get a Password
Earlier this year, the U.S. Federal Communications Commission launched an investigation into Caller ID spoofing sites but, according to security scientist James, these voice-mail break-ins could be stopped if all mobile carriers simply required passwords.
"The fix is on the communications side," he said. "They just need to lock [their voice-mail systems] down like Verizon does."