How Are Voicemails Hacked?

Voicemail hacking is surprisingly easy — for low-brow tabloids desperate for stories, temptingly so.
Most mobile networks assign a default PIN (personal identification number) to customers that allows them to access their voicemail messages from anywhere. A cellphone user can simply dial his or her own phone number from another phone, let it go to voicemail, enter the PIN and listen away. Most users don't change their PIN from the default, and so hackers often need only dial in to a hacking victim's voicemail inbox remotely and try the handful of default PINs assigned by the major networks. Some networks use a generic number, such as 0000. Others use the last four digits of the corresponding phone number.
Changing your PIN won't thwart a sophisticated hacking attempt, however. Hackers can simply call up a mobile network claiming to be an account holder, and say they've forgotten the access code. They'll be asked for the account holder's password, but it doesn't sound overly suspicious or unreasonable for them to claim to have forgotten that as well. The phone company then attempts to verify the caller's identity by requesting personal information, typically the account holder's address and birthday. If the hacker already has the hacking victim's phone number, though, and is motivated to steal their voicemail, then they probably have this "private" information, too. After providing an address and birthday, the hacker can change the PIN. They then have free rein to check the victim's messages.
In many cases, there's an even easier option for hackers. Some mobile phone carriers do not require users to use a passcode or PIN at all when checking their messages from their own phones. Sprint and T-Mobile, for example, allow users to opt for a "Skip Passcode" setup when accessing voicemails directly from their cellphones. For hacking victims who have opted for this setup, hackers can simply use phone-number-spoofing software to appear to a phone carrier as if they are calling from the phone associated with the voicemail inbox. Easy as pie.
The recent hacking scandal perpetrated by the now-defunct British tabloid News of the World may prompt phone companies to re-examine their voicemail security procedures, experts say. "Public awareness has been massively raised by this, and I think mobile providers would be well advised to step up," security researcher Rik Ferguson of Trend Micro, a U.K. company, told the New Scientist.
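As an added example (not from the article or any carrier's system), the following Python shows how a voicemail platform could reject the default-style PINs described above and refuse to let a caller-ID match stand in for the PIN. The function names, return values and the sample generic-PIN list are assumptions made for illustration.

```python
from __future__ import annotations
import hmac
import re

# Assumed sample list; the article itself names only 0000 as a generic default.
GENERIC_PINS = {"0000", "1234"}


def pin_problems(pin: str, phone_number: str) -> list[str]:
    """Return the reasons a voicemail PIN is guessable from public facts."""
    if not re.fullmatch(r"[0-9]{4,}", pin):
        return ["must be at least 4 digits"]
    digits = re.sub(r"\D", "", phone_number)  # keep digits only
    problems = []
    if pin in GENERIC_PINS or len(set(pin)) == 1:
        problems.append("generic default PIN")
    if digits.endswith(pin):
        problems.append("matches the end of the phone number")
    elif pin in digits:
        problems.append("appears inside the phone number")
    return problems


def access_decision(caller_id: str, mailbox_number: str,
                    pin_entered: str | None, pin_on_file: str) -> str:
    """Decide how to handle a call into a mailbox (hypothetical policy).

    caller_id is accepted but deliberately never consulted: it can be
    spoofed, so a match with mailbox_number must not replace the PIN.
    """
    if pin_problems(pin_on_file, mailbox_number):
        # A default-style PIN is on file: keep remote access closed until
        # the owner sets a new one through an authenticated channel.
        return "blocked_weak_pin"
    if pin_entered is None:
        return "prompt_for_pin"  # even when caller_id == mailbox_number
    same = hmac.compare_digest(pin_entered.encode(), pin_on_file.encode())
    return "allow" if same else "deny"
```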