Amid the scandal about alleged hacking of thousands of British citizens’ phones by the News of the World (read the latest news on the Murdochs’ testifying before a British Parliament committee), there has been much discussion about the privacy and security of telephone voicemail systems. Now, USA Today reports on the ease with which a voicemail system can be hacked — especially if the hacker uses applications that can “spoof” Caller ID numbers. With spoofing, the number that shows up on a call recipient’s Caller ID display is different from the actual phone number the dialer is using. (Read a previous post about the good and the bad of spoofing.)
USA Today reports:
Three giant U.S. cellphone service providers do not require consumers to use voice mailbox PIN codes, making their customers vulnerable to the kind of hacks fueling the British tabloids scandal, security and privacy experts say.
AT&T, T-Mobile and Sprint allow subscribers to access voice messages without entering a Personal Identification Number. This practice makes it trivial for an intruder to fully access the voice mailbox associated with any valid phone number, using a tried-and-true technique dubbed “caller ID spoofing.”
The hack involves using a caller ID spoofing service, such as spooftel.com, to place a call to the targeted phone number — from the same number. This technique, which has been known for years, can open full access to the associated voice mailbox for that number, says Anup Ghosh, CEO of web browser security firm Invincea. […]
British tabloid snoopers allegedly hacked into the mobile phone voice mailboxes of high-profile celebrities and 9/11 victims. Details of how they did it haven’t been disclosed. But hackers for years have been taking advantage of the fact that the use of PIN codes to access voice mailboxes has not become a universal practice. What’s more, consumers who do use PIN codes often use easy-to-guess ones, such as 1-2-3-4, says Ghosh. […]
“As mobile devices have become embedded into our daily lives, the security of the devices, services and data must be revisited,” says Craig Spiezle, executive director of the non-profit advocacy group Online Trust Alliance. “Having no PIN, or even having a simple numeric code for unlocking a device, is no longer adequate protection from the onslaught of nefarious activities.” There is really no way for consumers to discern that their voice mailbox has been hacked unless the intruder starts deleting messages, or fraudulently using stolen information.
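The access decision at issue in the report, sketched as an added Python example that is not from USA Today or any carrier: `legacy_access` models a mailbox that opens on a caller ID match, while `hardened_access` treats caller ID as an unauthenticated claim and always requires a non-trivial PIN. All class and function names, the six-digit minimum, the three-attempt lockout and the phone number are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MIN_PIN_LEN = 6    # assumed policy value
MAX_FAILURES = 3   # assumed lockout threshold

@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None  # None: no PIN set (a real system stores a salted hash)
    failures: int = 0

def is_weak_pin(pin: str) -> bool:
    """Short, repeated-digit and straight-run PINs (1234, 777777, 654321) are weak."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps <= {0, 1, 9}

def set_pin(box: Mailbox, pin: str) -> None:
    if is_weak_pin(pin):
        raise ValueError("PIN is too short or too predictable")
    box.pin, box.failures = pin, 0

def legacy_access(caller_id: str, box: Mailbox, pin: Optional[str] = None) -> bool:
    """Behaviour described in the report: a matching caller ID skips the PIN."""
    if caller_id == box.number:
        return True
    return box.pin is not None and pin == box.pin

def hardened_access(caller_id: str, box: Mailbox, pin: Optional[str] = None) -> bool:
    """Caller ID is a caller-supplied claim, so it never grants access here."""
    if box.pin is None or box.failures >= MAX_FAILURES:
        return False  # no PIN enrolled, or locked out
    if pin is not None and hmac.compare_digest(pin.encode(), box.pin.encode()):
        box.failures = 0
        return True
    box.failures += 1
    return False

def demo() -> tuple:
    box = Mailbox(number="+15555550100")  # constructed number, no PIN set
    claimed = box.number                  # caller ID presented by the caller
    return legacy_access(claimed, box), hardened_access(claimed, box)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The failure counter in `hardened_access` also gives the platform something to alert on, which matters because the report notes that subscribers otherwise have no way to notice an intrusion.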