A journey of 1,000 miles begins with a single step -- and so it was that law professor Susan Drummond's long, strange trip into the world of wireless security, where she learned that a terrorist organization had appropriated Ted Rogers' cellphone number, was launched by the arrival of a phone bill for $12,237.60.
Ms. Drummond, who had just returned from a month-long trip to Israel, went numb as she looked at the stupefying figure, which was more than 160 times higher than her typical monthly bill of about $75. The Rogers Wireless bill included a five-page list of calls charged to her phone, almost all of them to foreign countries that included Pakistan, Libya, Syria, India and Russia.
Ms. Drummond quickly determined what had happened: Someone had stolen her phone while she was away. She called Rogers Wireless, which told her there was nothing it could do, and she would have to pay the entire amount.
"I was shocked," she said. "Who wouldn't be?"
Since making that call to Rogers last August, Ms. Drummond and her partner, Harry Gefen, have been researching the cellphone giant, yielding some unexpected discoveries, among them that the phones of senior Rogers executives, including Mr. Rogers himself, were repeatedly "cloned" by terrorist groups that used them to make thousands of overseas calls.
That bit of information came out at a conference Mr. Gefen attended in September, where he spoke with Cindy Hopper, a manager in Rogers security department, who told him that the phones of top Rogers executives had been the target of repeated cloning by a group linked to Hezbollah. (Cloning involves the duplication of a cellphone's identity by capturing its number and encrypted security code.)
Speaking into Mr. Gefen's tape recorder -- and unaware that he was an aggrieved customer -- Ms. Hopper said terrorist groups had identified senior cellphone company officers as perfect targets, since the company was loath to shut off their phones for reasons that included inconvenience to busy executives and, of course, the public-relations debacle that would take place if word got out.
"They were cloning the senior executives repeatedly, because everyone was afraid to cut off Ted Rogers' phone," Ms. Hopper says on the tape.
"They were using actually a pretty brilliant psychology. Nobody wants to cut off Ted Rogers' phone or any people that are directly under Ted Rogers, so they took their scanners to our building, like our north building, where our senior top, top, top executives are. They took their scanners there and also to Yorkville, where there are a lot of high rollers and like it would be a major PR blunder to shoot first and ask questions later. . . . Nobody wants to shut off Ted. Even if he is calling Iran, Syria, Lebanon, and Kuwait."
Ms. Hopper also told Mr. Gefen what he had come to suspect -- that Rogers has automated security systems that alert them to radical changes in calling patterns like the ones that Ms. Drummonds' phone had undergone.
Armed with this knowledge, Ms. Drummond is pursuing legal action against the cellphone giant, charging that the company can easily spot a fraud-in-progress, yet "lets the meter run."
"There's a lot they don't want people to know," Ms. Drummond says. "They're afraid that people will lose faith in the system."
Ms. Drummond, who teaches law at Osgoode Hall, is suing Rogers in small claims court, and has filed hundreds of pages of documents to support her charges that the company is profiting from crime by failing to shut down stolen or cloned cellphones.
"There's more at stake here than money," she says.
But as the battle between Ms. Drummond and Rogers Wireless mounts, so do the charges. Each month, the company has added late fees to the outstanding balance (according to Ms. Drummond, the interest rate works out to 26 per cent annually). Rogers now wants a total of $14,141.00.
Ms. Drummond and Mr. Gefen, a technology journalist, have spent the past several months researching cellphone security. Mr. Gefen, who describes himself as "curious by nature," hit pay dirt in September when he attended the Toronto Fraud Forum, an annual conference for security experts.
He decided to go after noticing that one of the speakers was Cindy Hopper, a manager in Rogers fraud and security department, who was scheduled to give a speech titled "Using Cellphone Records to Investigate Fraud, Insurance Claims and Crime."
On Sept. 27, Mr. Gefen arrived at the conference, which was held at a Ramada Inn near Highway 401 and the Don Valley Parkway in Toronto. He paid a $200 registration fee and wore a nametag marked "Harry Gefen/ Knowledge Media."
After listening to Ms. Hopper's speech, Mr. Gefen engaged her in a tape-recorded follow-up conversation that provided an unexpected glimpse into the secret world of cellphone security. Ms. Hopper said Rogers definitely has the means to spot unusual activity on an account, using technology similar to that used by banks to spot fraudulent activity involving debit or credit cards.
"We have a fraud-management system that looks for extraordinary patterns," she told Mr. Gefen.
"And what activates it?" he asked.
"It would be something like, say, you'd never called long distance before and suddenly your phone gets, uh, nonstop to India," she replied.
"What happens after that point?" Mr. Gefen asked.
"Someone calls the customer and asks them whether they're really doing that or whether someone's stolen their phone," she said. Ms. Hopper said that if a customer can't be reached, the company sometimes cuts off the phone's long-distance access to prevent further fraud.
In her statement of claim against Rogers, Ms. Drummond charges that Rogers Wireless knew that something was amiss with her cellphone, yet did nothing to stop it. She notes that she had never made an overseas call with the phone, yet in the month of August, it was used to make more than 300.
"Rogers has a systematic, computer-generated program that immediately alerts their fraud department of atypical calling patterns," she says in one court filing. ". . . In relation to the contract for my cellphone number, Rogers breached its duty of care to prevent fraudulent phone calls being made. . . ."
Jan Innes, a vice-president with Rogers Communications, confirmed that the company has an automatic fraud-detection system that flags suspicious calling patterns, but refused to say how it works.
"We do not give out information that might help people get around the system," she said.
Ms. Innes said that Rogers has a policy of contacting consumers if fraud is suspected. In some cases, she admitted, phones are shut off automatically, but refused to say what criteria were used. (Ms. Drummond and Mr. Gefen believe that the company bases the decision on a customer's creditworthiness. "If you have the financial history, they let the meter run," Ms. Drummond said.) Ms. Drummond noted that she has a salary of more than $100,000, and a sterling credit history. "They knew something was wrong, but they thought they could get the money out of me. It's ridiculous."
Ms. Innes denies that charge. "Creditworthiness doesn't enter into it," she said. Ms. Innes conceded that the hundreds of calls made to foreign hot spots represented a dramatic change in Ms. Drummond's phone usage, but insists that Rogers does not bear responsibility for failing to shut off the service when they couldn't contact her.
"That was in the terms of her contract," she said. ". . . Many of our customers have unusual patterns. It would be onerous if we shut them all down."
In court filings, the company has made it clear that it intends to hold Ms. Drummond responsible for the calls made on her phone. ". . . the plaintiff is responsible for all calls made on her phone prior to the date of notification that her phone was stolen," the company says. "The Plaintiff's failure to mitigate deprived the Defendant of the opportunity to take any action to stop fraudulent calls prior to the 28th of August 2005."
Ms. Innes said the company has offered to settle the case with Ms. Drummond, but said she has refused. Ms. Drummond confirmed that the company had offered to write off the bill if she pays $2,000, but she has rejected the offer.
"I shouldn't have to pay any of this," she said. "The company knew what was going on. I'm not going to pay them for theft."
Toronto Police Constable Chris Dionne, who is investigating the theft of Ms. Drummond's phone, said the long list of foreign calls made on her unit has been forwarded to the Canadian Security and Intelligence Service for investigation.
"There's not a lot we can do from this end," Constable Dionne said. "To us, it's just a theft."
Norman Inkster, a security consultant and former RCMP Commissioner, says the theft and cloning of cellphones by terrorists, as well as garden-variety criminals, has created a nightmare for consumers such as Ms. Drummond.
"There have been cases where people got bills as thick as a phone book," he said.
Mr. Inkster said cellphone firms have the technology to spot aberrant usage, and should use it to protect customers.
"They have very sophisticated billing and tracking systems. They can tell when people step outside the normal pattern. I think they should be using the technology to prevent abuse."
Ben Soave, who once headed the federal organized crime unit of the RCMP, agreed that the technology available to cellphone companies should be used more diligently to protect consumers.
"There are very high risks," he said. "And people are paying a steep price."
As part of her legal battle with Rogers, Ms. Drummond has also taken issue with the limits the company tries to impose on consumers who dispute their bills. According to clause 34 of the company's standard contract, customers cannot pursue disputes in court, or engage in a class-action lawsuit against the company.
Instead, the contract stipulates, they must agree to binding commercial arbitration.
In Ms. Drummond's view, this discourages complaints, and prevents aggrieved consumers from learning about others who are in the same position.
"This is an old strategy," she said. "It's divide and conquer."
When a Toronto contractor we'll refer to as Steve wanted a new cellphone, a friend told him he could get one for $120 that had an amazing feature -- no phone bill. The deal was done, and Steve's new phone, a Motorola flip model, arrived in a Bell Mobility box.
The phone worked as advertised. Steve made hundreds of calls, local and long distance, and never got a bill. And then, five months later, his phone went silent. It was only later that Steve learned what he had actually bought -- a cloned cellphone. Someone had copied the identity of a legitimate Bell Mobility phone, and created another one that "piggybacked" on to the existing account.
In many cases, legitimate phone owners fail to notice extra calls tacked on their bills, and the calls go on for months, or even years. In other cases -- like Steve's -- the fraud is spotted, and the extra phone is shut down.
Cellphone cloning has been widely used by organized crime as a moneymaker and by terrorist groups to make hard-to-trace calls. Until the late 1990s, when digital cellphones began pushing out older analog models, cloning was exceedingly easy. In 1998, a group linked to Hezbollah managed to clone analog phones used by Ted Rogers and other senior cellphone executives by intercepting transmissions with small antennas that captured enough information to clone them.
At the moment, the most widely used cellular security system is GSM (Global System for Mobile Communication), which has been adopted by more than 200 carriers worldwide, including Rogers Wireless. Together, these companies have more than one billion customers.
GSM phones use smart cards called Subscriber Identification Modules (SIM) that contain the identity of the cellphone. Among other things, the SIM card allows cell carriers to "poll" subscribers phones by sending out signals that determine whether there is more than one phone operating with the same identity. When duplicates are spotted, they can be deactivated, as in the case of Steve, the Toronto contractor.
Although GSM makes cloning more difficult, it is not impossible. At a recent security conference, a Rogers security official said that a GSM phone could be cloned with "brute force. . . . It takes about 10 to 12 hours to crack the encryption."
Others believe it is far easier. At an IBM security conference in Israel, digital security expert Elad Barkan said that thieves can hack into calls made by GSM phones in "seconds," and quickly crack the encryption using nothing more than a personal computer.