You’ve no doubt heard about Britain’s phone hacking scandal that brought down the 168 year old News of the World tabloid and led to the arrest of its former editor Rebekah Brooks and the resignation of at least two high ranking British police officials. Brooks along with News Corp. CEO Rupert Murdoch and his son James Murdoch testified about the scandal before House of Commons committees on Tuesday.
Officials at News Corp have admitted that detectives working for the company broke into the voice mail systems of several people to gain access to their messages.
You don’t have to be rich or famous to be a phone hacking victim. The tabloid newspaper reportedly went after crime victims and relatives of killed service personnel. Unethical journalism aside, it can also happen to someone involved in a messy divorce, a civil suit or as corporate espionage.
There are several methods for phone hacking including using default passwords, using services to spoof your phone number, using social engineering to talk a phone company into giving you a user’s PIN number or planting malware on a phone.
Default PIN numbers
The use of default PIN numbers is easy to do and easy to thwart. Most phone mail services assign a default PIN number to each account such as 1111, 0000 or 1234 so users can get started. As part of the phone mail set up process, users are invited to change the PIN but a lot of people don’t bother. So, rule number one is change your PIN number to something that’s not easy to guess like a consecutive string of numbers, your birthdate or the four digits of your phone number.
Caller ID Spoofing
Another relatively simple method of phone hacking is to use a spoofing service that makes it appear as if the hacker is calling from the phone he or she is trying to break into. As a convenience feature, many phone mail services allow you to avoid having to type in a PIN every time you check your mail as long as you call from your own phone. But these easy to find spoofing services can make it look as if the hacker is calling from your phone so rule number two is to make sure your phone requires a PIN each time you check your voice mail.
There is also the possibility of malware being used to infect a smart phone. There have been cases of malware on Android phones that give the attacker complete control over the phone, so it is quite possible for a piece of malicious software to access your voice mail as well as your contact list, calendar or even your physical location.
I’m not sure what to say about social engineering since most cases involve the hacker calling the phone company and posing as the subscriber. We have a right to expect that companies have good security processes in place which make it possible for legitimate users to recover a password or PIN without making it possible for unauthorized access. Companies need to use positive measures to make sure they’re speaking with the right persona and use extra precautions such as sending the PIN # to the phone itself (via text) so that – at the very least – you have to have physical possession of the phone to get the information.
Avoid secrets on your phone
Finally, it’s a good idea to encourage people not to leave highly confidential messages on your phone. Sure you have the right to privacy but, unfortunately, if someone is determined to break into your voice mail, there are ways to do it despite your efforts to stop them. So, as a precaution, don’t use cell phones for secret communications or messages.