The feud between celebrities Paris Hilton and Lindsay Lohan has taken a turn for the geeky, with a small fake Caller ID seller accusing Hilton of hacking into voicemail accounts on an un-named mobile phone network.
Hilton was one of more than 50 customers whose accounts were suspended because they had been using SpoofCard.com's Caller ID spoofing service to hack into voicemail accounts, according to Mark Del Bianco, SpoofCard.com's attorney. Many of the accounts that were hacked via the spoofing service belonged to well-known celebrities, including Lohan, he said.
SpoofCard.com has not actually accused Hilton of hacking into Lohan's voicemail. But celebrity gossip sheets, already abuzz with the rivalry between the two divas, have jumped on the story.
The New York Post reported last month that someone had stolen the password to Lohan's BlackBerry and sent her friends "disgusting and very mean messages that everyone thought were coming from Lindsay." Lohan's representatives hinted that Hilton may have been behind the hack, the Post said. That story can be found here: http://www.nypost.com/gossip/pagesix/lohan_blackberry_attacked_pagesix_.htm
Hilton could not be reached for comment, but her spokesman Elliot Mintz told E! Online that the alleged hacking "just didn't happen," and suggested that someone else may have opened the SpoofCard.com account in Hilton's name. That story can be found here: http://www.eonline.com/News/Items/0,1,19840,00.html
Both the Cingular Wireless and T-Mobile USA telephone networks use Caller ID to identify voicemail users without requiring passwords. So users on either network could have been vulnerable to the misuse alleged by SpoofCard.com, said Lance James chief scientist with security vendor Secure Science.
The scandal illustrates how the telephone industry has been affected by inexpensive telephony software, like the open-source Asterisk telephone system. Recently phishers have been using this software to set up inexpensive phone networks that give their fake e-mails an added air of authenticity, for example.
And with less than 10 employees, SpoofCard.com was able to use Asterisk and Linux to create a line of business that would have been far too expensive just ten years ago. The fake Caller ID vendor sells US$10, 60-minute calling cards that let users call a toll-free number and type in whatever Caller ID number they want their call to display.
While SpoofCard.com maintains there are legitimate uses for Caller ID spoofing -- allowing remote employees to appear as though they are dialing from their company's phone system, for example -- the latest incident indicates that this technology has created new opportunities for misuse as well.
One year ago, U.S. Representative Tim Murphy claimed he was the victim of someone who used fake Caller ID to leave inappropriate messages that appeared to come from his own office.
Earlier this year, the U.S. Federal Communications Commission launched an investigation into Caller ID spoofing sites, but according to James these voicemail break-ins could be stopped if all mobile carries simply required passwords.
"The fix is on the communications side," he said. "They just need to lock [their voicemail systems] down like Verizon does."