Home » » Voicemail hacking: How easy is it?

Voicemail hacking: How easy is it?

Thursday, July 21, 2011 | 0 comments


Fresh phone-hacking allegations against UK newspaper News of the Worldclaim that the voicemail messages of murder and terrorism victims were intercepted by the paper, in addition to the celebrity phone-hackings admitted previously. New Scientist takes a look at the technicalities of phone hacking – and whether you could become a hacker's prey.

How can you hack into someone's 
voicemail?
"Phone hacking" conjures up images of criminal masterminds cracking into ultra-secure data systems, but the reality is much simpler. Cellphone networks allow you to access your voicemail from any phone, not just your own handset, by dialling a certain number – depending on the network, this number could be based on your own mobile number, or a generic one for all customers. Not hard for a hacker to work out.
Once through to the voicemail service you'll be prompted for a PIN, normally a four-digit number. This should be known only to you, but some networks use default PINs for all new customers. All a would-be hacker need do is work out which network you're on – easy enough to do, or they can simply try the numbers of all of the major networks.
It's not surprising that using the default PIN is insecure, which is why mobile networks prompt you to change it as soon as possible. O2 changed its policy in 2006, in response to the first round of phone-hacking allegations. "A customer is now required to personalise their PIN number from their mobile phone if they wish to access their voicemails from another phone," explains spokesperson Andrew Cocks. If they don't, they can access their voicemail only from their cellphone. Virgin Mobile also prompts customers to change their PIN, but doesn't require it – you can just use the default PIN if you wish.
Am I secure if I change my PIN?
Not from a determined hacker. Mobile networks let forgetful customers reset their PIN to the default by calling customer services and providing a password – but if you've forgotten your PIN, you've probably forgotten your password too, so the networks also let your reset by providing a few personal details.
How easy is it to reset your PIN?
To find out if I could hack my own voicemail I called my mobile provider, Virgin Mobile, from a landline and asked to reset my PIN. I was asked for my password, which I claimed to have forgotten, and then given a previously set password hint, which I claimed didn't jog my memory. I was then asked for the first line of my address and my birthday. I gave these and was granted the PIN reset. I later received a text message informing me that my voicemail number had been updated, but there was no mention of a PIN reset and the voicemail access number remained the same: if I really had been hacked, I might easily have ignored this message as a general status update.A journalist could easily dig up those two pieces of personal information, especially when a celebrity is involved, suggesting that even a personalised PIN won't necessarily protect you. A Virgin Media spokesperson said: "To confirm a caller's identity, we ask for a password or confirmation of personal information, including date of birth and address, before updating account details. Our processes are robust and fully DPA [Data Protection Act] compliant, and we continuously review and evolve our approach to ensure all of our customers' information is protected."
Obviously, security varies from network to network – a colleague on the Vodafone network tried to access his voicemail with an incorrect PIN and was immediately sent a text warning him that an unsuccessful access attempt had been made.

Should mobile networks do more to protect
 customers?
"It's always a trade-off between security and convenience," says Rik Ferguson, a security researcher at Trend Micro in Marlow, UK. Mobile networks could decide to accept PIN requests only in writing, and send new PINs by post, but customers are unlikely to appreciate waiting days to access their messages. Still, the new revelations should prompt firms to examine their security processes once more, says Ferguson. "Public awareness has been massively raised by this, and I think mobile providers would be well advised to step up."

What can I do to protect myself?
There isn't much you can do against someone who manages to reset your PIN, but always using a custom PIN at least makes it more challenging, says Ferguson. "Don't leave it at default, don't leave it unprotected at all by a PIN, and do make it as long as you're able," he says, though he adds PINs are often limited to just four digits. And if you're particularly worried about phone hacking, you can always take the paranoid approach: "If you try logging in once a day: if it's still your PIN, you know it hasn't been reset," says Ferguson.

What other mobile security issues should I
 be aware of?
It's important to remember that the alleged phone-hacking took place in the first half of the 2000s, before the rise of smartphones such as the iPhone. Now that we can do so much more with our mobiles, there is an increased risk of criminals and other malicious attackers getting access to data on our phones or using malware to monitor calls. "With the rise of smartphones, mobile malware is now very much on the agenda," says Ferguson. "People need to start paying attention to the security of their mobile device in the same way they already do with their PCs."
Share this article :

0 comments:

Post a Comment

 
| |
Copyright © 2011. Sarath The king - All Rights Reserved
Template Designed by Sarath