<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="https://shkspr.mobi/blog/wp-content/themes/edent-wordpress-theme/rss-style.xsl" type="text/xsl"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	    xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	     xmlns:dc="http://purl.org/dc/elements/1.1/"
	   xmlns:atom="http://www.w3.org/2005/Atom"
	     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	  xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>
<channel>
	<title>twilio &#8211; Terence Eden’s Blog</title>
	<atom:link href="https://shkspr.mobi/blog/tag/twilio/feed/" rel="self" type="application/rss+xml" />
	<link>https://shkspr.mobi/blog</link>
	<description>Regular nonsense about tech and its effects 🙃</description>
	<lastBuildDate>Wed, 09 Jul 2025 07:04:46 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://shkspr.mobi/blog/wp-content/uploads/2023/07/cropped-avatar-32x32.jpeg</url>
	<title>twilio &#8211; Terence Eden’s Blog</title>
	<link>https://shkspr.mobi/blog</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title><![CDATA[Text Adventures Via Text Message]]></title>
		<link>https://shkspr.mobi/blog/2013/06/text-adventures-via-text-message/</link>
					<comments>https://shkspr.mobi/blog/2013/06/text-adventures-via-text-message/#comments</comments>
				<dc:creator><![CDATA[@edent]]></dc:creator>
		<pubDate>Fri, 14 Jun 2013 10:55:20 +0000</pubDate>
				<category><![CDATA[mobile]]></category>
		<category><![CDATA[games]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacks]]></category>
		<category><![CDATA[interactive fiction]]></category>
		<category><![CDATA[sms]]></category>
		<category><![CDATA[text]]></category>
		<category><![CDATA[twilio]]></category>
		<category><![CDATA[zork]]></category>
		<guid isPermaLink="false">http://shkspr.mobi/blog/?p=8386</guid>

					<description><![CDATA[Remember text adventures, eh?  They were pretty nifty!  &#34;You are in a maze of twisty little passages, all alike&#34; &#62;Go East &#34;You have been eaten by a Grue. A dwarf starts singing about gold&#34;  Smashing! Just like the pictures are better on the radio, so the graphics are immeasurably superior when they&#039;re in your head. Don&#039;t get me wrong, I love the 5.1 surround sound snarl of a rabid beast rendered…]]></description>
										<content:encoded><![CDATA[<p>Remember text adventures, eh?  They were pretty nifty!</p>

<pre>"You are in a maze of twisty little passages, all alike"
&gt;Go East
"You have been eaten by a Grue. A dwarf starts singing about gold"</pre>

<p>Smashing! Just like the pictures are better on the radio, so the graphics are immeasurably superior when they're in your head. Don't get me wrong, I love the 5.1 surround sound snarl of a rabid beast rendered in 1080p - but nothing is <em>quite</em> as good as using your imagination.</p>

<p>Text Adventures - or, more properly, <em>Interactive Fiction</em> - is enjoying a mini-renaissance at the moment.  There are emulators for smart phones, computers, and consoles.</p>

<p>But for SMS? None that I could find.  Think about it; SMS is close to the perfect medium for Interactive Fiction.  Your commands are concise enough to fit into a single message, you don't have to worry about the speed of your response, everything is text based.</p>

<p>So, I present to you, Zork via SMS (with a little help from <a href="http://twilio.com/">Twilio</a>).</p>

<img src="https://shkspr.mobi/blog/wp-content/uploads/2013/06/Twilio-Zork-SMS-fs8.png" alt="Twilio Zork SMS" width="600" height="1033" class="aligncenter size-full wp-image-8391">

<p>Brilliant!</p>

<h2 id="howto"><a href="https://shkspr.mobi/blog/2013/06/text-adventures-via-text-message/#howto">HOWTO</a></h2>

<p>Although superficially a simple project, there are a few gotchas along the way.  This documentation is mostly for me - but may be of use to you :-)</p>

<p>Let's start at the end... Using <a href="https://www.twilio.com/">Twilio</a>, you can send an SMS to a phone number, and the message is then POSTed to a webserver of your choice.</p>

<p>Twilio will send an SMS back if it receives a response such as</p>

<pre><code class="language-xml">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;Response&gt;
  &lt;Sms&gt;You are in an open field west of a big white house with a boarded
front door.
There is a small mailbox here.
&lt;/Sms&gt;
&lt;/Response&gt;
</code></pre>

<p>Easy enough.  (NB the free account prepends your messages with a trial message. Once you pay, that goes away.)</p>

<p>So, how do we get a text adventure like Zork running server side?  There are plenty of client side emulators out there - but I only found one which was purely server side.</p>

<p><a href="https://web.archive.org/web/20141212015043/http://devel.thcnet.net/thcnetdev/index.php?section=article,29588">THCnet</a> have a PHP interpreter for Zork.  It's slightly kludgy - but it works.  I'm checking to see if I can distribute it on GitHub.</p>

<p>The game library "dtextc.dat" must be installed in "/usr/games/lib/".  The source code is available if you want to recompile it and place it somewhere more accessible.</p>

<p>A MySQL database needs to be created to keep track of users and sessions.</p>

<p>A temporary directory (which must be readable and writeable) will also be needed to store the state of play for each session.  I've used "tmp/404/" but you can alter config.php to point wherever is convenient.  You will also need to adjust index.php and functions.php with the new location.</p>

<p>Finally, the executable "zork" must be runnable.</p>

<p>That's pretty much it.</p>

<p>When a user (or, in this case, Twilio) first makes a request to the URL, we check to see if they already have a session cookie.
If they don't, we create one and start the game by returning the opening text.</p>

<p>For every subsequent connection, we check the state of the game based on their cookie, then apply the body of their SMS to the game engine.  Whatever Zork spits out, we return as an SMS.</p>

<p>By default, Twilio kills unused sessions after 4 hours, and all cookies will be lost.</p>

<h2 id="where-next"><a href="https://shkspr.mobi/blog/2013/06/text-adventures-via-text-message/#where-next">Where Next?</a></h2>

<p>It strikes me that the various forms of text adventures are excellent as a sort of mini-IVR.  A nice little finite-state-machine which can quite happily run for years.  Services like <a href="https://web.archive.org/web/20130603122624/https://www.frontlinesms.com/">Frontline SMS</a> are great for information sharing, but they're really not designed for this sort of work.</p>

<p>Could we use interactive fiction in places where SMS is cheap but other forms of entertainment are expensive?  Could IF be used to augment existing media events?  SMS is lowest common denominator - even iPhones can use it.</p>

<p>But, for now, all I have to worry about is someone texting me "Go west'); DROP TABLE ..." ;-)</p>
]]></content:encoded>
					
					<wfw:commentRss>https://shkspr.mobi/blog/2013/06/text-adventures-via-text-message/feed/</wfw:commentRss>
			<slash:comments>3</slash:comments>
		
		
			</item>
		<item>
		<title><![CDATA[Protecting Against Credit Card Scams]]></title>
		<link>https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/</link>
					<comments>https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#comments</comments>
				<dc:creator><![CDATA[@edent]]></dc:creator>
		<pubDate>Mon, 09 Jul 2012 12:26:24 +0000</pubDate>
				<category><![CDATA[/etc/]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[sms]]></category>
		<category><![CDATA[tropo]]></category>
		<category><![CDATA[twilio]]></category>
		<category><![CDATA[voice]]></category>
		<guid isPermaLink="false">http://shkspr.mobi/blog/?p=6063</guid>

					<description><![CDATA[I recently read about an innovative telephone call scam.  A scammer rings the mark and asks for her credit card details.  If the mark refuses, the scammer tells her to hang up the phone, then dial 999 and ask for &#34;Sergeant Scammer of the Fraud Squad&#34;.  The mark does so, and is connected to what they assume is the emergency services.  However, because the scammer hasn&#039;t hung up at their end, the…]]></description>
										<content:encoded><![CDATA[<p>I recently read about <a href="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/427284/warning-dial-999-card-fraud-scam">an innovative telephone call scam</a>.</p>

<p>A scammer rings the mark and asks for her credit card details.  If the mark refuses, the scammer tells her to hang up the phone, then dial 999 and ask for "Sergeant Scammer of the Fraud Squad".</p>

<p>The mark does so, and is connected to what they assume is the emergency services.  However, because the scammer hasn't hung up at their end, the call is still active.  So the mark isn't speaking to 999, but to the scammer.</p>

<p>Pretty devious.  Luckily, it can't work on mobile.  But it got me thinking - how could you get someone to give you credit card details over the phone?  I'm inspired by both <a href="http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html">Bruce Schneier's "Movie Plot Threat"</a> competitions and <a target="_blank" href="http://www.amazon.co.uk/mn/search/?_encoding=UTF8&amp;camp=1634&amp;creative=19450&amp;field-keywords=mitnick&amp;linkCode=ur2&amp;tag=shkspr-21&amp;url=search-alias%3Daps&amp;x=0&amp;y=0" rel="noopener">Kevin Mitnick's work on Social Engineering</a>.</p>

<p>Trying to think like "the enemy" is a crucial part of understanding how nefarious people can exploit a situation. I think it should be considered the seventh "<a href="http://en.wikipedia.org/wiki/Six_Thinking_Hats">thinking hat</a>".</p>

<h2 id="the-goal"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#the-goal">The Goal</a></h2>

<p>I want the victim to willingly give me her credit card details.  I do not want her to be suspicious or report my activity to the police.</p>

<h2 id="the-strategy"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#the-strategy">The Strategy</a></h2>

<ul>
    <li>The victim receives a text on her phone.</li>
    <li><blockquote>"Your Barclay's credit card (starting 4304) was recently used to buy £2,103.54 worth of goods in China. If you wish to dispute this transaction, please call 0113 496 0123."</blockquote></li>
    <li>The victim checks her BarclayCard - it <em>does</em> start 4304. Damn!  She rings the number.</li>
    <li>"Welcome to the BarclayCard fraud line," says the voice at the other end.</li>
    <li>"To protect your security, please type in your sixteen digit card number," says the automated voice.  So that's what the victim does.</li>
    <li>... after typing in several more details, the victim finally gets through to the scammer.</li>
    <li>At this point, the scammer can attempt to get more information - such as home address - or simply assure the victim that the fraud has been reported.</li>
    <li>"Unfortunately," the fraudster says, "the £2,103.54 will show up on your July statement.  But you will see the refund on the August statement."</li>
</ul>

<h2 id="how-it-works"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#how-it-works">How It Works</a></h2>

<p>There are a number of factors which go into making this a potentially successful scam.</p>

<ol>
    <li>People are quite used to receiving texts from their card issuer.</li>
    <li>It's quite common to be asked to confirm a suspicious transaction.</li>
    <li>Credit card numbers have a <a href="https://www.creditcardvalidator.org/country/gb-united-kingdom">predictable start sequence</a>.  That's why credit card receipts often show you only the last few digits.  This tricks the victim into thinking that the scammer knows two crucial pieces of information: the credit card issuer and the credit card number.</li>
    <li>We're trained not to give details to strangers who ring us up.  By contrast, we're expected to give details to people <strong>when we ring them</strong>!</li>
    <li>You can't argue or otherwise interrogate an IVR.  You either have to give that disembodied voice your details or hang up.</li>
    <li>Again, we're quite used to typing in our credit card details and then pressing the hash key!</li>
    <li>If we do get through to a real person, the standard Social Engineering tricks all apply.  Only, in this case, not only is the victim worried about the potential fraud, she has also primed herself into thinking she's speaking with her credit card provider.</li>
    <li>At this point, the scammer knows that they can use the card for a fraudulent purchase <em>and the victim won't report it</em>! It will only be after two statements have been received that the victim will notice that she hasn't been refunded.</li>
</ol>

<h2 id="problems"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#problems">Problems</a></h2>

<p>Now, this fraud isn't without issue.  The most notable being that you do not know who has a credit card issued by a specific provider.  The scammer would either need some third party intelligence that their victims all use HSBC, or they could just go on a phishing expedition.  Spam a few thousand numbers and there are bound to be a few which have the card which is being targeted.</p>

<h2 id="how-to-do-it"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#how-to-do-it">How To Do It</a></h2>

<p>Using services like <a href="https://www.twilio.com/">Twilio</a> and <a href="https://web.archive.org/web/20120510161936/https://www.tropo.com/home.jsp">Tropo</a>, it's quite easy to create a telephone menu.  It can play back a recorded voice, save all the user's keypresses, then pass the call on to the scammer.</p>

<p>They can even handle the automated sending of the text messages, playing back different messages depending on the caller - "Welcome to HSBC", "Welcome to American Express", etc.</p>

<h2 id="defending-against-this-scam"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#defending-against-this-scam">Defending Against This Scam</a></h2>

<p>There are three main strategies for defending against this scam - and they all boil down to trust.</p>

<h3 id="dont-trust-an-unknown-phone-number"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#dont-trust-an-unknown-phone-number">Don't Trust An Unknown Phone Number</a></h3>

<p>Save your credit card provider's phone number in your address book.  That is the only number you should ring.  If someone rings you - tell them that you will take their name and call them back on the official number.  If you receive a text - call the official number to check it is legitimate.</p>

<h3 id="dont-trust-partial-information"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#dont-trust-partial-information">Don't Trust Partial Information</a></h3>

<p>The first few numbers of your credit card are fairly generic.  Trusting someone who guesses your Visa Electron starts with "4197" is like trusting a psychic who says "You were a bit of a handful growing up, especially in your teens."  It's such general information as to be worthless.</p>

<h3 id="dont-trust-the-other-person"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#dont-trust-the-other-person">Don't Trust The Other Person</a></h3>

<p>I sometimes act deviously.  When asked to give my address, I'll give an incorrect house number or post code.  If the person at the other end doesn't pick up on the mistake, I assume I'm talking to a scammer.  Similarly, you don't have to trust interactive menus.  You can input incorrect information, and see if it is accepted without complaint - a sure sign of a scam.  Or see if it gets you through to a human.</p>

<h2 id="is-this-scam-possible"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#is-this-scam-possible">Is This Scam Possible?</a></h2>

<p>One hurdle is targeting enough people who have the "correct" credit card.  The scam would work without the credit card info, but may be less effective.</p>

<p>The cost of sending out the texts is also a constraint, although text bundles are relatively cheap now.</p>

<p>Shutting down the numbers - or tracing them - is perhaps the biggest issue.  Buying a disposable pre-pay SIM is virtually anonymous.  A landline number is probably fairly easy to trace - assuming the police have the time and staffing levels to investigate such a scam.</p>

<p>And that may be the deciding issue.  If someone reports a suspicious text to the police or their credit card provider, how quickly can the number be shut down?  If the scammer is sending out hundreds of fraudulent SMS an hour, it would only take a few responses to make the scheme worthwhile.</p>

<h2 id="disclaimer"><a href="https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/#disclaimer">Disclaimer</a></h2>

<p>Naturally, you should not attempt this.  The penalties for credit card fraud are very serious.  This is intended as a thought experiment.</p>

<p>If you want people to willingly give up their credit card information - take a look at the <a href="https://twitter.com/NeedADebitCard">morons on Twitter posting photos of their cards</a>!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://shkspr.mobi/blog/2012/07/protecting-against-credit-card-scams/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
