15 comments

[ 3.0 ms ] story [ 40.3 ms ] thread
Interesting. I didn't know it was possible, but, seeing as it is an UDP-like unidirectional message and an old system, it isn't surprising.

Wikipedia has more information for the interested[1].

[1] http://en.wikipedia.org/wiki/SMS_spoofing

You can use this trick to listen to anyone's voicemail (by identifying the calling number as the recipient's number) if they do not have a password. Anyone. Talk about security hole.
IIRC, this same flaw was used by Murdoch's papers to hack various celebrities'/deceased individuals' voicemails.
It depends, many voicemail system require a PIN, especially after some of the recent exploits.

BTW, this is talking about SMS, not CID spoofing, so your comment wasn't exactly on topic.

This doesn't work on my cellphone's voicemail. I guess the new systems closed that hole.
I am not sure about that. I tried it as recently as 6 months ago.
You can do this from any SMS gateway, as there is no real verification. However most gateways do not allow their users to spoof the sender because predictably the carriers do not like it.
Indeed, it's nothing new. I've used this trick so many times with friends :)
If you don't mind me asking, how do you do it?
"Kostnaden för sms:et är 10 kr plus eventuell operatörsavgift."

"The cost of the text message is 10 SEK plus possible operator fees"

10 SEK = $1.5 USD

Any decent SMS gateway should let you send messages from who the hell you want. Add far as analogies go, it works pretty much the range as email, and would take the same fundamental redesign to fix.
Email at least has SPF records and DKIM.
At least in the US it's against the law to spoof a 'From' SMS address you don't have access to.
Nothing new.

Skype also allows you to freely choose the sending number of your SMS (however, it first checks if you can receive SMS at this number).

We have this feature in 8centsms.com but we verify ownership of mobile numbers. We've had problems with spammers sending fraudulent "from" headers like "BTUK" (ie. british telecom) so we recently put in some checks to ensure we have to manually verify each account once they spend up to a certain amount. I think that if you're blindly allowing people to spoof the sender id you're just asking for trouble ... Also this seems to be a pretty expensive prank ;)