With new phone hacking allegations against News of the World employees coming to light, questions over who is susceptible to voicemail hacking and what is being done to prevent future attacks are becoming increasingly important.
According to Sahba Kazerooni, the director of professional services at Security Compass, an information security firm, hackers are taking advantage of weak forgotten-password questions.
“What happens is you call into the helpdesk and you ask to reset your password and they will probably ask you a secret phrase or question,” said Kazerooni. “Either that secret phrase can be weak or it can be something that can be easily guessable, something you can find in a public domain, or they will ask you a number of questions to try to identify you. For example, what is your date of birth, phone number, and last four digits of social security number?”
The issue, according to Kazerooni, is that the answers to those types of questions aren’t usually kept very private or can usually be found in the public domain, such as court records. People will use that information to reset your password.
Another issue involves carriers not having mandatory pins, or using pins that are pre-set and do not require updating. These pre-set pins are easy to find online for each carrier.
In recent years more carriers, including Vodafone, have required users to choose their own specific pin.
“Customers can only access their voicemail from their own phone or from another phone by using a pre-set pin code which they themselves have requested and set from their phone or which is a number generated at random by our system,” said Libby Pritchard, head of corporate reputation and responsibility for Vodafone. “If attempts are made to access voicemail with a different pin, the customer receives a text to alert them.”
Using a pin for voicemail is a relatively new requirement among most carriers, and many of these moves have been a direct result of alleged phone hackings in the past.
“After the first reports of phone hacking in 2006 by or on behalf of journalists, we put in place additional measures to protect our customers’ privacy specifically designed to prevent the kind of unlawful intrusions that may have been committed by others in the past,” said Pritchard. “We are confident that our voicemail system is secure.”
The phone hacking in 2006 involved a News of the World editor and investigator, who were both found guilty of hacking royal household phones and sent to jail. Throughout the years there have been multiple allegations of phone hacking against the publication, leading up to last month’s breaking scandal involving the alleged voicemail hacking of British soldiers killed in Iraq and Afghanistan, victims of the 7/7 British terrorist attacks, celebrities, and 13-year-old Milly Dowler, who was kidnapped and murdered in 2002.
Many of these hackings took place when voicemail security did not include pin codes, but according to Kazerooni more precautions should be taken, by both users and carriers. These precautions include requiring users to change passwords regularly, more complexity in the passwords (longer passwords), and notifying the user every time a pin is changed.