How to prevent voicemail hacking

By Gareth Niblett

17 Aug 2011

Voicemail hacking is not new. The two main methods are guessing PINs or using spoofing to bypass caller ID-based access control.

For convenient remote access to voicemail, e.g. where caller ID is not available or when the user is calling from a different phone, service providers let users authenticate through the use of PINs. Invariably these are short, usually four digits, and often they are preset to a known default, making hacking a simple guessing game.

Where caller ID is available, service providers use it to identify users automatically and allow direct access into their voicemail boxes. Unfortunately, caller ID spoofing has been around as long as caller ID. This facility can be misused to falsely represent the calling party and bypass such access control.

Historically, service providers have not put much effort into the prevention and detection of brute-force PIN guessing or caller ID spoofing attacks. Some limit the number of attempts per call, say to three, but attackers can set up automated brute-force attack systems to break even a four-digit PIN over a weekend.

In the US it is not illegal to offer a public caller ID spoofing service. In the UK, regulator Ofcom has wisely tried to restrict such public service offerings. Unfortunately, access to the right switchboard software or network signalling can enable a caller to set whatever caller ID they wish.

Caller ID spoofing services can help to reduce this type of fraud by not allowing the spoofing of a calling ID where it is the same as the called party number, so that someone cannot masquerade as a mobile phone and be automatically admitted by the mobile operator’s filtering mechanism. Some already have this restriction.

Mobile operators could improve things by:

1. requiring that robust PIN numbers are set for all accounts with voicemail;

2. notifying users of (repeated) failed attempts to log in to accounts - not just with a voicemail, which a successful attacker would delete;

3. only trusting calls presenting caller IDs of their own customers, originating from their own and roaming partner networks;

4. relying less on presentation ID (easily spoofed) than network ID (less easily spoofed) when automatically connecting a caller to voicemail.
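
The four operator measures above can be expressed as one access decision. The sketch below is an added example, not code from the article or from any operator: the `Call` and `Mailbox` types, the origin labels, the six-digit minimum and the five-failure threshold are assumptions, and the phone numbers are constructed sample values.

```python
import hmac
from dataclasses import dataclass, field

TRUSTED_ORIGINS = {"home", "roaming-partner"}  # assumed labels for call origin
MAX_FAILURES = 5    # assumed threshold, counted per mailbox across all calls
MIN_PIN_LEN = 6     # assumed minimum; the article only says four digits is short
DEFAULT_PINS = {"000000", "123456"}  # constructed sample of preset defaults

@dataclass
class Call:
    presentation_id: str  # caller-supplied number displayed as caller ID
    network_id: str       # number asserted by the originating network
    origin: str           # where the call entered the operator's network

@dataclass
class Mailbox:
    number: str
    pin: str              # a real system would store a salted hash
    failures: int = 0
    alerts: list = field(default_factory=list)  # out-of-band notices, e.g. SMS

def pin_is_robust(pin):
    """Point 1: reject short, default, repeated-digit and run PINs."""
    if len(pin) < MIN_PIN_LEN or not pin.isdigit() or pin in DEFAULT_PINS:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps not in ({0}, {1}, {9})  # e.g. 555555, 234567, 987654

def authorize(call, box, entered_pin=None):
    """Return 'direct', 'pin-required', 'pin-ok', 'denied' or 'locked'."""
    # Points 3 and 4: skip the PIN only when the network-asserted ID matches
    # the mailbox and the call arrived from a trusted network.
    if call.network_id == box.number and call.origin in TRUSTED_ORIGINS:
        return "direct"
    if call.presentation_id == box.number:
        box.alerts.append("caller ID matched mailbox but network ID did not")
    if box.failures >= MAX_FAILURES:
        return "locked"   # remote PIN access only; the owner's handset still works
    if entered_pin is None:
        return "pin-required"
    if hmac.compare_digest(entered_pin, box.pin):
        box.failures = 0
        return "pin-ok"
    # Point 2: failures persist across calls and trigger an out-of-band alert.
    box.failures += 1
    box.alerts.append(f"failed voicemail login {box.failures}/{MAX_FAILURES}")
    return "locked" if box.failures >= MAX_FAILURES else "denied"
```

Because the failure counter lives on the mailbox rather than on the call, hanging up and redialling does not reset it, and the presentation ID is never used to grant access, only to flag a mismatch.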

Users could improve things by:

1. regularly changing their voicemail PIN to non-predictable numbers;

2. listening out for old messages they don’t recall hearing before;

3. noticing when told of a voicemail being left that they did not receive;

4. disabling voicemail where it is not required or where they are concerned about intrusion.

Awareness is the name of the game, and reporting suspected breaches to your service provider, the police and the Information Commissioner’s Office will maintain focus on this continued area of weakness in personal communications.
