Fresh phone-hacking against UK newspaper 快猫短视频 of the World claim that the voicemail messages of murder and terrorism victims were intercepted by the paper, in addition to the celebrity phone-hackings admitted previously. 快猫短视频 takes a look at the technicalities of phone hacking 鈥 and whether you could become a hacker鈥檚 prey.
How can you hack into someone鈥檚 voicemail?
鈥淧hone hacking鈥 conjures up images of criminal masterminds cracking into ultra-secure data systems, but the reality is much simpler. Cellphone networks allow you to access your voicemail from any phone, not just your own handset, by dialling a certain number 鈥 depending on the network, this number could be based on your own mobile number, or a generic one for all customers. Not hard for a hacker to work out.
Once through to the voicemail service you鈥檒l be prompted for a PIN, normally a four-digit number. This should be known only to you, but some networks use default PINs for all new customers. All a would-be hacker need do is work out which network you鈥檙e on 鈥 easy enough to do, or they can simply try the numbers of all of the major networks.
Advertisement
It鈥檚 not surprising that using the default PIN is insecure, which is why mobile networks prompt you to change it as soon as possible. O2 changed its policy in 2006, in response to the first round of phone-hacking allegations. 鈥淎 customer is now required to personalise their PIN number from their mobile phone if they wish to access their voicemails from another phone,鈥 explains spokesperson Andrew Cocks. If they don鈥檛, they can access their voicemail only from their cellphone. Virgin Mobile also prompts customers to change their PIN, but doesn鈥檛 require it 鈥 you can just use the default PIN if you wish.
Am I secure if I change my PIN?
Not from a determined hacker. Mobile networks let forgetful customers reset their PIN to the default by calling customer services and providing a password 鈥 but if you鈥檝e forgotten your PIN, you鈥檝e probably forgotten your password too, so the networks also let your reset by providing a few personal details.
How easy is it to reset your PIN?
To find out if I could hack my own voicemail I called my mobile provider, Virgin Mobile, from a landline and asked to reset my PIN. I was asked for my password, which I claimed to have forgotten, and then given a previously set password hint, which I claimed didn鈥檛 jog my memory. I was then asked for the first line of my address and my birthday. I gave these and was granted the PIN reset. I later received a text message informing me that my voicemail number had been updated, but there was no mention of a PIN reset and the voicemail access number remained the same: if I really had been hacked, I might easily have ignored this message as a general status update.
A journalist could easily dig up those two pieces of personal information, especially when a celebrity is involved, suggesting that even a personalised PIN won鈥檛 necessarily protect you. A Virgin Media spokesperson said: 鈥淭o confirm a caller鈥檚 identity, we ask for a password or confirmation of personal information, including date of birth and address, before updating account details. Our processes are robust and fully DPA [Data Protection Act] compliant, and we continuously review and evolve our approach to ensure all of our customers鈥 information is protected.鈥
Obviously, security varies from network to network 鈥 a colleague on the Vodafone network tried to access his voicemail with an incorrect PIN and was immediately sent a text warning him that an unsuccessful access attempt had been made.
Should mobile networks do more to protect customers?
鈥淚t鈥檚 always a trade-off between security and convenience,鈥 says Rik Ferguson, a security researcher at Trend Micro in Marlow, UK. Mobile networks could decide to accept PIN requests only in writing, and send new PINs by post, but customers are unlikely to appreciate waiting days to access their messages. Still, the new revelations should prompt firms to examine their security processes once more, says Ferguson. 鈥淧ublic awareness has been massively raised by this, and I think mobile providers would be well advised to step up.鈥
What can I do to protect myself?
There isn鈥檛 much you can do against someone who manages to reset your PIN, but always using a custom PIN at least makes it more challenging, says Ferguson. 鈥淒on鈥檛 leave it at default, don鈥檛 leave it unprotected at all by a PIN, and do make it as long as you鈥檙e able,鈥 he says, though he adds PINs are often limited to just four digits. And if you鈥檙e particularly worried about phone hacking, you can always take the paranoid approach: 鈥淚f you try logging in once a day: if it鈥檚 still your PIN, you know it hasn鈥檛 been reset,鈥 says Ferguson.
What other mobile security issues should I be aware of?
It鈥檚 important to remember that the alleged phone-hacking took place in the first half of the 2000s, before the rise of smartphones such as the iPhone. Now that we can do so much more with our mobiles, there is an increased risk of criminals and other malicious attackers getting access to data on our phones or using malware to monitor calls. 鈥淲ith the rise of smartphones, mobile malware is now very much on the agenda,鈥 says Ferguson. 鈥淧eople need to start paying attention to the security of their mobile device in the same way they already do with their PCs.鈥