Avoiding voicemail hacking in the US

Simple actions by U.S. telephone companies can avoid the sorts of break-ins to voicemail accounts that are at the heart of the Murdoch newspaper hacking scandal. Congressional and regulatory attention to this problem can make an immediate difference.

Attempts to hack voicemails in the U.S. have reportedly targeted actor Jude Law and victims of the Sept. 11, 2011, attacks. Britain has seen reports of hacking into more than 4,000 voicemail accounts, ranging from the Royal Family to politicians and the voicemails of a murdered 13-year-old girl.

Private investigators in Britain abused an embarrassing, widespread security flaw in the U.K. wireless carriers’ systems: many companies used the same default personal identification number (PIN), such as 2222, for all customers. Because the carriers did not require their customers to choose a custom PIN, anyone who knew the cell phone number of a particular target would have a good chance of getting in. 

In the aftermath of the scandal, British wireless carriers have locked down their phone systems. Notably, most now require their customers to do what American consumers already do for bank cash machines — set custom PINs and forbid easily-guessed PINs. 

Here in the United States, our voicemail systems have different yet easy-to-exploit security flaws. U.S. carriers do require their customers to establish PINs to authenticate access to voicemail services. Several companies, though, do not require users to enter their PINs when they are calling from their own telephone numbers. This feature saves consumers time and reduces the number of tech support calls when consumers have forgotten their PINs.

Unfortunately for consumers, it is very easy to trick this system. Caller ID “spoofing” services enable hackers to make it seem as though they are calling from the victim’s telephone and thus bypass the PIN check. Unlike many forms of computer hacking, caller ID spoofing is trivial to perform, does not require technical skill and takes just a few seconds using one of several popular, free websites, such as www.phonegangster.com.

Of the four large national wireless carriers, only Verizon requires a PIN from the cellphone number itself. Most consumers subscribing to AT&T, T-Mobile and Sprint wireless services remain wide open to hackers.

When interviewed recently by The Boston Globe, officials from both AT&T and T-Mobile acknowledged that their voicemail systems are vulnerable to malicious spoofers. Rather than embracing secure default settings, the firms instead “encourage” their customers, via small-print warnings on their websites, to seek out and enable the obscure option to always require a PIN. 

In the past, the security vs. convenience trade-off for voicemail without a PIN arguably made sense. It is easier to use for people who have a hard time remembering or entering a four-digit code.

Fortunately, recent innovations now let consumers have both convenience and security. On smartphones, “visual voicemail” apps store the PIN or password on the consumers’ handset. The PIN is sent to the phone company each time that voicemail is accessed, but the consumer only has to enter it the first time. Millions of Verizon customers thus already benefit from secure, yet easy to access, visual voicemail. 

As smartphones take over the market and visual voicemail becomes the norm, it is inexcusable for the carriers to continue to leave their voicemail systems open to hackers as unskilled as Paris Hilton, who broke into actress Lindsay Lohan’s voicemail in 2006. The Murdoch scandal alone will alert “copycat” hackers to how easy it is to break into many Americans’ voicemail.

Carriers should do the responsible thing and require a PIN of all customers. The carriers could let consumers choose to bypass the PIN once they understand the risks. However, this low-security option should not be enabled by default.
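To make the default-setting argument concrete, here is an added Python model (not code from any carrier or from the authors) of the voicemail access decision described above: the caller-ID-trusting default beside the recommended PIN-required default with an explicit per-subscriber opt-out. The `Subscriber` and `CallAttempt` types, the phone number and the PIN are constructed assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subscriber:
    number: str
    pin: str
    # Recommended default: the PIN is always required. A subscriber may
    # disable it only by an explicit, recorded choice (the opt-out).
    pin_bypass_opted_out: bool = False


@dataclass
class CallAttempt:
    presented_caller_id: str   # supplied by the calling network; not trustworthy
    pin_entered: Optional[str]  # None when the caller entered no PIN


def voicemail_access_granted(sub: Subscriber, call: CallAttempt,
                             trust_caller_id_by_default: bool) -> bool:
    """Return True if the call may open the mailbox.

    trust_caller_id_by_default=True models the weak carrier setting the
    article describes: a matching caller ID alone skips the PIN check.
    False models the recommended default: a matching caller ID skips the
    PIN only for a subscriber who explicitly opted out of the PIN.
    """
    caller_id_matches = call.presented_caller_id == sub.number
    skip_pin = caller_id_matches and (trust_caller_id_by_default
                                      or sub.pin_bypass_opted_out)
    if skip_pin:
        return True
    if call.pin_entered is None:
        return False
    # Constant-time comparison so PIN checking does not leak via timing.
    return hmac.compare_digest(call.pin_entered, sub.pin)


def spoofed_call_succeeds(trust_caller_id_by_default: bool,
                          subscriber_opted_out: bool = False) -> bool:
    """Constructed scenario: the caller presents the victim's own number
    (the effect of a caller ID spoofing service) and enters no PIN."""
    victim = Subscriber(number="+15555550100", pin="4829",  # constructed
                        pin_bypass_opted_out=subscriber_opted_out)
    spoofed = CallAttempt(presented_caller_id=victim.number, pin_entered=None)
    return voicemail_access_granted(victim, spoofed, trust_caller_id_by_default)
```

Under the weak default the spoofed, PIN-less call is admitted; under the recommended default it is refused unless that particular subscriber chose to turn the PIN off.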

At least one leading consumer protection official agrees. At a Brookings Institution event last Thursday, Federal Trade Commission Chairman Jon Leibowitz said that wireless operators should embrace “privacy by design” by requiring PIN access to voicemail. The FTC, though, lacks jurisdiction over wireless carriers. 

Attention to this issue from Congress or the Federal Communications Commission would make a crucial difference in protecting Americans’ voicemail from hacking. The rest of the wireless industry should require use of a PIN when accessing voicemail, unless the consumer chooses otherwise. This approach is feasible, as shown by its use today in both the U.S. and Britain.

Consumers should have hacker-free voicemail by default. 

Soghoian is a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Until 2010, he was the first ever in-house technologist at the Federal Trade Commission’s Division of Privacy and Identity Protection. Swire is a professor of law at the Ohio State University. He was a policy official in the White House under both Presidents Obama and Clinton.