Consumer Watch test: Phone spoofing
Last Friday morning, Aimee Whitcroft of the Science Media Centre sent her boss Peter Griffin a text message:
It was a heck of a coincidence because almost simultaneously he sent her one that said:
In actual fact - and it spite of what the caller IDs on their respective phones told them - I sent both messages.
It's called spoofing - using technology to masquerade as someone else - and it's just one of the mobile phone hazards I look at in the December issue of NZ PC World, on sale from today.
(And in case you're wondering, no one quit/got fired. I'd asked Aimee and Peter if I could use them as crash test dummies and warned them to be on the lookout for odd messages.)
Test #1: SMS SpoofingSpoofing the text messages was simplicity itself. I used SMSgang. You purchase pincodes from the site and one pincode is enough for one message. There are a number of plans ranging from 3 pincodes for €2.50 (NZ$4.65) up to 25 pincodes for €8.00 (NZ$17.20). After your purchase, you're emailed the code. The whole process only takes a few minutes.
The site lists the networks supported (and not supported) in each country. For New Zealand, Telecom, TelstraClear and Vodafone all make the grade, so no worries there.
Messages are sent from the site. Enter your message, pincode, your victim's phone number and the number of whoever you'd like the message to appear to be from, and click the Send SMS button.
It's simplicity itself and message transmission time is virtually instantaneous. I timed a message to myself at a whisker under 10 seconds.
Neither of my crash test dummies spotted anything to suggest the messages weren't from who they purported to be from, so a good result. It's a moderately expensive prank - even at the 25-pincode rate each call will cost you around 70 cents - but the spoofing works flawlessly.
Test #2: Voice SpoofingI chose SpoofCard for a voice spoofing the test. The site claims that not only can spoof someone else's caller ID, but you can also disguise your voice and even record the call to replay your prank.
Purchasing credits is straightforward. Like SMSgang, a number of plans are offered ranging from 25 credits for US$4.95 (NZ$7.10) up to 560 credits for US$79.95 (NZ$114.68). Credits don't necessarily equal minutes though. A handy lookup table on the site shows that local landline calls cost 1 credit per minute but mobile calls cost 3 credits per minute.
After purchase, you're emailed a PIN number that you use to login to the site. You can either place a call by dialing an access number or via the "Place a Call" web dialer ...
Seems pretty straightforward. But the web dialer didn't work.
I tried several times, leaving it for over 10 minutes on the last attempt, but nothing happened.
The other option is to go via an access number. It's only when you click on the drop-down list that you discover SpoofCard only works from certain countries - and one legendary submerged island ...
That's the complete list.
I tried the Australian number - several times - but couldn't get through. In the end I called the US. So that's a call to the States, spoofed and routed back to New Zealand. Even without paying SpoofCard, this is getting expensive!
But worst of all it simply didn't work. The number that came up on my target's phone was prefixed 001 - the US country code - meaning there's no way to use SpoofCard to spoof a New Zealand voice call. And don't bother with the voice changer. The quality was terrible. (Imagine shouting down an echoing waterpipe while a freight train rumbles past.) No doubt this due to a local call being routed via the States, but even so ...
The website claims that "SpoofCard now offers international calling capabilities". Technically, it does. It just doesn't spoof.
It you're looking for voice spoofing, find a site that specifically lists the countries and networks it supports before your purchase time on their network. As always, caveat emptor.