‘Spoofing’ New ID Theft Threat for Wireline, Wireless
Caller ID “spoofing,” in which wrongdoers change the data displayed in a caller ID box to gain access to someone else’s personal information, is the next big threat to wireless and wireline carriers, Sprint Nextel warned Wed. during a D.C. Bar Assn. seminar on Internet and cellphone privacy.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
“Spoofing is something we're starting to see more of,” Heidi Salow, senior counsel at Sprint, said: “This is going to be the next big privacy issue… This is an area where the carriers would like to see regulation.” Urging legislation and regulation, Salow said Sprint has alerted the Secret Service but has not yet raised the issue at DoJ.
“It’s a real threat,” Al Gidari, an attorney who advises telecoms on privacy, said: “Some carriers don’t have password protection for voicemail, for example, so if you dial in using your number directly and if you spoof that number you're into someone else’s mailbox. People do that.” Spoofing endangers wireline and wireless carriers and other companies, he said, noting that FCC rules don’t address it. “It has significant ramifications across industry,” he said: “It’s a problem that needs to be fixed.”
“A lot of these calls are routed over a VoIP network and that has to do with the way the caller information gets routed,” Eric Wenger, trial attorney in DoJ’s Computer Crime & Intellectual Property Section, said: “This is a very, very new area.” DoJ has prosecuted one spoofing case, he said.
In other discussion, Marc Groman, chief privacy officer at the FTC, said while the federal govt. will go to court after companies that don’t follow proper procedures to protect customer records, it isn’t taking a “gotcha” approach. “The cases have not been close calls from our perspective,” he said: “We're not dancing on a line here… These are cases where a company tossed into a dumpster highly sensitive, personal information, where very low cost patches could have been used to protect against a very common [computer] attack.”
Companies, financial or not, should heed the safeguards rule on bank protection of customer data implemented under the Gramm-Leach-Bliley Act, Groman said: “The core standard is what we import into all our enforcement.” The FTC knows firms want flexible rules, he said: “We get it. I get it. I really do.”
The FCC is writing regulations on how carriers are to guard customer proprietary network information (CPNI) data, under an NPRM pending since Feb. (CD Feb 16 p10). Gidari has been telling clients to expect tighter rules, and “sooner rather than later,” he said. “The degree of burden which comes from those rules and whether they're flexible enough for carriers to meet with legacy systems and old billing systems… remains to be seen.”