A recent Fusion video showed how a hacker could take over someone's online account using nothing but a phone.
It all starts with "spoofing" a number — a tactic of changing the phone number seen on a caller ID — and we found it's surprisingly easy to do.
In the past, phone hackers trying to mask a phone number behind someone else's used fairly complex hardware called "orange boxes," but now anyone can use simple solutions like Spoofcard, which allows users to purchase credits towards call time used in a simple smartphone app.
With Spoofcard, users input the number they want to call, and what number they want displayed on the other end — initiating an untraceable call that leaves the other person only seeing the spoofed caller ID.
For a hacker trying to gain access to someone's online accounts, spoofing the call number is just step one in a social engineering play to convince a customer service representative they are legitimate. In the Fusion example, a hacker named Jessica Clark spoofs her target's number and then pretends to be his wife, taking complete control over his cell phone account in a matter of minutes.
"I'm so sorry, can you hear me OK? My baby, I'm sorry. My husband is like, we're about to apply for a loan and we just had a baby, and he's like 'Get this done today,'" Clark says, setting the scene that she's a busy mom who really needs help. "I'm trying to log in to our account for usage information and I can't remember what email address we used."
Surprisingly, spoofing phone numbers isn't necessarily illegal — though the test example from Clark certainly would be. The FCC only prohibits someone from using a misleading caller ID number if their intent is to defraud, cause harm, or obtain anything of value. That means someone who wants to maintain their privacy or prank call a friend would be in the clear.
But there is plenty of misuse in the world of spoofing. The tactic has been used in the past by "swatters" who call police to report hostage crisis hoaxes, so armed police respond at an unsuspecting victim's door. It's even been used to break into people's voicemail boxes, which often do not require a password if called from the phone number associated with it.
Spoofcard did not immediately respond to a request for comment.
While Spoofcard may be easy to use, the service told The Wall Street Journal in 2010 it frowned upon illegal usage and often complied with law enforcement requests, including subpoenas from the NSA.
“There are an awful lot of people who believe that if they use Caller ID spoofing, somehow there is no call record, and it can’t be traced," Attorney Mark Del Bianco, who has represented Spoofcard, told the Journal. "That’s not the case.”
