Tech Shrine - CAUTION

How a terror group cloned Ted Rogers' cellphone

By Peter Cheney

The Globe and Mail
Saturday, December 17, 2005

A journey of 1,000 miles begins with a single step — and so it was that law professor Susan Drummond's long, strange trip into the world of wireless security, where she learned that a terrorist organization had appropriated Ted Rogers' cellphone number, was launched by the arrival of a phone bill for $12,237.60.

Ms. Drummond, who had just returned from a month-long trip to Israel, went numb as she looked at the stupefying figure, which was more than 160 times higher than her typical monthly bill of about $75. The Rogers Wireless bill included a five-page list of calls charged to her phone, almost all of them to foreign countries that included Pakistan, Libya, Syria, India and Russia.

Ms. Drummond quickly determined what had happened: Someone had stolen her phone while she was away. She called Rogers Wireless, which told her there was nothing it could do, and she would have to pay the entire amount.

"I was shocked," she said. "Who wouldn't be?"

Since making that call to Rogers last August, Ms. Drummond and her partner, Harry Gefen, have been researching the cellphone giant, yielding some unexpected discoveries, among them that the phones of senior Rogers executives, including Mr. Rogers himself, were repeatedly "cloned" by terrorist groups that used them to make thousands of overseas calls.

That bit of information came out at a conference Mr. Gefen attended in September, where he spoke with Cindy Hopper, a manager in Rogers security department, who told him that the phones of top Rogers executives had been the target of repeated cloning by a group linked to Hezbollah. (Cloning involves the duplication of a cellphone's identity by capturing its number and encrypted security code.)

Speaking into Mr. Gefen's tape recorder — and unaware that he was an aggrieved customer — Ms. Hopper said terrorist groups had identified senior cellphone company officers as perfect targets, since the company was loath to shut off their phones for reasons that included inconvenience to busy executives and, of course, the public-relations debacle that would take place if word got out.

"They were cloning the senior executives repeatedly, because everyone was afraid to cut off Ted Rogers' phone," Ms. Hopper says on the tape.

"They were using actually a pretty brilliant psychology. Nobody wants to cut off Ted Rogers' phone or any people that are directly under Ted Rogers, so they took their scanners to our building, like our north building, where our senior top, top, top executives are. They took their scanners there and also to Yorkville, where there are a lot of high rollers and like it would be a major PR blunder to shoot first and ask questions later. . . . Nobody wants to shut off Ted. Even if he is calling Iran, Syria, Lebanon, and Kuwait."

Ms. Hopper also told Mr. Gefen what he had come to suspect — that Rogers has automated security systems that alert them to radical changes in calling patterns like the ones that Ms. Drummonds' phone had undergone.

Armed with this knowledge, Ms. Drummond is pursuing legal action against the cellphone giant, charging that the company can easily spot a fraud-in-progress, yet "lets the meter run."

"There's a lot they don't want people to know," Ms. Drummond says. "They're afraid that people will lose faith in the system."

Ms. Drummond, who teaches law at Osgoode Hall, is suing Rogers in small claims court, and has filed hundreds of pages of documents to support her charges that the company is profiting from crime by failing to shut down stolen or cloned cellphones.

"There's more at stake here than money," she says.

But as the battle between Ms. Drummond and Rogers Wireless mounts, so do the charges. Each month, the company has added late fees to the outstanding balance (according to Ms. Drummond, the interest rate works out to 26 per cent annually). Rogers now wants a total of $14,141.00.

Ms. Drummond and Mr. Gefen, a technology journalist, have spent the past several months researching cellphone security. Mr. Gefen, who describes himself as "curious by nature," hit pay dirt in September when he attended the Toronto Fraud Forum, an annual conference for security experts.

He decided to go after noticing that one of the speakers was Cindy Hopper, a manager in Rogers fraud and security department, who was scheduled to give a speech titled "Using Cellphone Records to Investigate Fraud, Insurance Claims and Crime."

On Sept. 27, Mr. Gefen arrived at the conference, which was held at a Ramada Inn near Highway 401 and the Don Valley Parkway in Toronto. He paid a $200 registration fee and wore a nametag marked "Harry Gefen/ Knowledge Media."

After listening to Ms. Hopper's speech, Mr. Gefen engaged her in a tape-recorded follow-up conversation that provided an unexpected glimpse into the secret world of cellphone security. Ms. Hopper said Rogers definitely has the means to spot unusual activity on an account, using technology similar to that used by banks to spot fraudulent activity involving debit or credit cards.

"We have a fraud-management system that looks for extraordinary patterns," she told Mr. Gefen.

"And what activates it?" he asked.

"It would be something like, say, you'd never called long distance before and suddenly your phone gets, uh, nonstop to India," she replied.

"What happens after that point?" Mr. Gefen asked.

"Someone calls the customer and asks them whether they're really doing that or whether someone's stolen their phone," she said. Ms. Hopper said that if a customer can't be reached, the company sometimes cuts off the phone's long-distance access to prevent further fraud.

In her statement of claim against Rogers, Ms. Drummond charges that Rogers Wireless knew that something was amiss with her cellphone, yet did nothing to stop it. She notes that she had never made an overseas call with the phone, yet in the month of August, it was used to make more than 300.

"Rogers has a systematic, computer-generated program that immediately alerts their fraud department of atypical calling patterns," she says in one court filing. ". . . In relation to the contract for my cellphone number, Rogers breached its duty of care to prevent fraudulent phone calls being made. . . ."

Jan Innes, a vice-president with Rogers Communications, confirmed that the company has an automatic fraud-detection system that flags suspicious calling patterns, but refused to say how it works. "We do not give out information that might help people get around the system," she said.

Ms. Innes said that Rogers has a policy of contacting consumers if fraud is suspected. In some cases, she admitted, phones are shut off automatically, but refused to say what criteria were used. (Ms. Drummond and Mr. Gefen believe that the company bases the decision on a customer's creditworthiness. "If you have the financial history, they let the meter run," Ms. Drummond said.) Ms. Drummond noted that she has a salary of more than $100,000, and a sterling credit history. "They knew something was wrong, but they thought they could get the money out of me. It's ridiculous."

Ms. Innes denies that charge. "Creditworthiness doesn't enter into it," she said. Ms. Innes conceded that the hundreds of calls made to foreign hot spots represented a dramatic change in Ms. Drummond's phone usage, but insists that Rogers does not bear responsibility for failing to shut off the service when they couldn't contact her.

"That was in the terms of her contract," she said. ". . . Many of our customers have unusual patterns. It would be onerous if we shut them all down."

In court filings, the company has made it clear that it intends to hold Ms. Drummond responsible for the calls made on her phone. ". . . the plaintiff is responsible for all calls made on her phone prior to the date of notification that her phone was stolen," the company says. "The Plaintiff's failure to mitigate deprived the Defendant of the opportunity to take any action to stop fraudulent calls prior to the 28th of August 2005."

Ms. Innes said the company has offered to settle the case with Ms. Drummond, but said she has refused. Ms. Drummond confirmed that the company had offered to write off the bill if she pays $2,000, but she has rejected the offer.

"I shouldn't have to pay any of this," she said. "The company knew what was going on. I'm not going to pay them for theft."