Voice mail hacking vs website security


Whilst I think the journalists at News of the World (and perhaps other ‘press’ organisations) are totally guilty in their conduct, I find it interesting how the phone companies have managed to get away relatively unscathed.

When a website user database is hacked, the press consider the lack of security of the website to be the guilty party. In the voicemail scenario, I’ve hardly seen any commentary around the mobile phone operators.

There are two main ways of hacking voicemails:

  1. The first method is to use the remote dial-in number to access voicemails, enter the phone number of the person you’re trying to gain access to, and guess the PIN code. The PIN is usually 4 digits, and companies simply ‘brute force’ their way into mailboxes. Brute force is simply a case of guessing 0000, then 0001 and so on.
  2. The second method is to clone a user’s phone number using a proxy-style service. It’s very simple – you dial a phone number (the proxy) and you’ll hear a message asking what number you want your phone number to appear to be to the person you’re about to call. You stay on the call and then enter the phone number you want to call, and the recipient sees the ‘new’ phone number you entered earlier. A number of offshoring cold call sales companies use this type of service to make it look like they are calling you from the UK. Voicemail hackers phone a proxy, enter the phone number of the person they are trying to hack, and the mobile phone voicemail thinks the incoming call is from that victim’s number (and there’s no need to enter a PIN number).

Neither of these methods is particularly elaborate. A simple Google search provides a long list of companies who offer the proxy service (although to be fair all the ones I went to said they didn’t allow the service to be run for UK phone numbers).

In my opinion, the phone companies should do the following:

  1. Every time the remote voicemail is accessed a text message should be sent to the phone number. At the very least, each unsuccessful PIN number attempt should send a text message to the mobile warning of the attempt.
  2. If the wrong PIN number is entered more than, say, four times, the voicemail should be “locked”.
  3. Phone companies should be able to work out if a phone number has been cloaked (run through the proxy) more accurately.
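
A sketch of the first two recommendations as a PIN guard, added here as an example and not taken from any operator's system. The `Mailbox` class, its method names, the list standing in for an SMS gateway and the sample numbers and PINs are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 4  # "more than, say, four times": the fifth wrong PIN locks the box


@dataclass
class Mailbox:
    number: str
    pin: str  # kept in the clear for brevity; a real system would store a hash
    failures: int = 0
    locked: bool = False
    sms_log: list = field(default_factory=list)  # stands in for an SMS gateway

    def _sms(self, text):
        self.sms_log.append(text)

    def remote_access(self, entered_pin):
        """Handle one PIN entry on the remote dial-in line."""
        if self.locked:
            self._sms("Remote voicemail access refused: mailbox is locked.")
            return "locked"
        # Constant-time comparison so response timing does not leak PIN digits.
        if hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.failures = 0
            self._sms("Your voicemail was just accessed remotely.")
            return "granted"
        self.failures += 1
        self._sms(f"Wrong voicemail PIN entered remotely (attempt {self.failures}).")
        if self.failures > MAX_FAILURES:
            self.locked = True
            self._sms("Voicemail locked after repeated wrong PINs.")
            return "locked"
        return "denied"


def sequential_guessing(box, space=10_000):
    """Replay the 0000, 0001, ... guessing order against the guard."""
    for attempts, guess in enumerate((f"{n:04d}" for n in range(space)), start=1):
        result = box.remote_access(guess)
        if result != "denied":
            return result, attempts
    return "denied", space
```

The guard only covers the dial-in PIN path; a call that the voicemail system accepts on caller ID alone, as in the second method, never reaches this check. A PIN near the start of the guessing order is still found before the lock triggers, although the owner receives a text for each wrong attempt and for the successful access.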
