For all of the palace intrigue recently about who in Rupert Murdoch's News Corp. kingdom knew what about phone hacking when, one fundamental question about the scandal has gone mostly unanswered: Just how vulnerable are everyday U.S. residents to similarly determined snoops?
The answer is, more than you might think.
AT&T, Sprint and T-Mobile do not require cell phone customers to use a password on their voice mail boxes, and plenty of people never bother to set one up. But if you don't, people using a service colloquially known as caller ID spoofing could disguise their phone as yours and get access to your messages. Voice mail systems often grant access to callers who appear to be phoning from their own number.
Meanwhile, as Edgar Dworsky, a consumer advocate who founded consumerworld.org, discovered recently, someone with just a bit of personal information can also gain access to the automated phone systems for Bank of America and Chase credit card holders.
Once those systems recognize the phone number of the incoming call and those bits of personal information, they offer up the latest on the cardholder's debts, late payments and credit limits. Bank of America's computer will even list recent charges, including names of doctors and other businesses.
There are additional steps that the mobile phone companies and the card issuers could take to stop this sort of thing. The fact that many of them don't, however, makes this your problem to solve.
Spoofing is perfectly legal, up to a point. Commercial spoofing operations, which began offering services to individuals about seven years ago, are easy to find and cost $10 or so for 60 minutes of calling time. A Google search on "caller ID spoofing" leads to many providers with names like SpoofCard, whose slogan is "Be Who You Want to Be."
Registered users call an access number (or use a form on a website) and enter the phone number they are calling and the phone number they want to show up on the caller ID display of the person they are calling. Then the service puts the call through.
Late last year, President Obama signed the Truth in Caller ID Act, which prohibits knowingly using spoofing services to defraud, cause harm or wrongfully obtain anything of value. The fine is up to $10,000 for a single incident.
There are at least a few legitimate uses for caller ID spoofing. Domestic violence victims may not want anyone to know where they are calling from. Doctors use it to keep patients from pestering them later. Parents sometimes use the service if they have children who tend to ignore their calls.
Until banks start asking for a bit more information, you are on your own here. If you're in a personal or professional situation where someone might be interested in what you're spending and where, don't spend it on a Chase or Bank of America credit card.
Also, if you're in the habit of throwing out credit card receipts, shred them instead, since some of the data there can be useful to people looking to exploit the card issuers' automated systems.
As for your cell phone, if you're not a Verizon user, set up a voice mail password and use it, simple as that.