Abusing the Internet of Things

(Rick Simeone) #1

FIGURE 9-1. SpoofCard allows anyone to easily fake the incoming caller ID


The security researchers even released audio files of themselves calling LifeThings customer
service from a spoofed caller ID and instructing the agent to help them unlock the main door.
Simin Powell released this response to the media:


The security and privacy of our customers is of utmost importance to us. We feel the individuals
who have released information on how to social-engineer our customer service team demonstrated
unprofessionalism by exposing this information and that hacking services such as SpoofCard
enable malicious activities such as these and should be banned. That said, we are continuously
researching ways to serve our customers using the most efficient and secure methods.

The problem with Powell's response is that it is based solely on an emotional reaction toward
the researchers and offers no tangible solution to address the risk posed to the customers. This
is common in situations in which companies do not fully appreciate the risks to their business
and their customers. It is also common when organizations are under pressure to provide new
experiences to customers but have not had time to think through the security controls. Moreover,
Powell's statement does not acknowledge that the researchers had attempted to report the issue
before going public; this lack of transparency can lead to a loss of consumer confidence and
damage the company's brand.


The (In)Secure Token


Since the service agents at LifeThings had to do their best to solve customers’ problems
within five minutes, they typically spent the first two minutes of a call evaluating whether it


A CASE OF ANGER, DENIAL, AND SELF-DESTRUCTION 257