
Passwords alone won't protect your mobile voice mail

Wireless carriers are encouraging customers to use passwords to lock down their cell phone voice mail accounts in the wake of a massive phone hacking scandal. But that's really just a start.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.

Mobile phone operators could be doing more to beef up security of their voice mail systems, say some security experts.

Since it was revealed that thousands of cell phone voice mails had been hacked in the U.K., wireless subscribers all over the world have wondered whether their voice mails are safe. And experts have been touting the importance of using passwords on voice mail accounts to keep the bad guys out.

Last month it came to light that more than 4,000 voice mail accounts had potentially been hacked by journalists from the London-based newspaper The News of the World. Celebrities, politicians, and possibly even 9/11 victims' families, were allegedly targeted in these attacks.

Since then, it's been widely reported how easy it is to hack into voice mail. Hackers use commercially available caller ID spoofing services to place a call into the voice mail system that appears to come from the victim's own number. A voice mail system that treats caller ID as proof the subscriber is calling from his or her own handset skips the password prompt, so if no password has been set on the account, the messages simply play. Spoofing technology has been around for years, and there are legitimate uses for it: Google Voice and Skype, for example, set the outbound caller ID so that calls placed through those services show the user's own phone number.

Last week, AT&T, the second largest wireless provider in the U.S. with more than 98 million subscribers, said it has changed its policy to make passwords on voice mail accounts the default setting on all new cell phones. Under this policy, which will begin next year, all new phones will automatically have the settings that require subscribers to enter a four-digit personal identification number to access their voice mail. Existing customers upgrading their phones will also see the change.

"Given the advent and, unfortunately, the wide availability of sophisticated telephone number spoofing technology that allows people to 'fake' the telephone number they are calling from, we are moving in a new direction," AT&T's chief privacy officer, Robert Quinn, said in a blog post Friday.


Currently AT&T customers are not required to enter a password when they check voice mail. And in fact they still won't be required to use a password on their accounts, even once it is the default on new accounts. Verizon Wireless is the only major operator in the U.S. that both sets the password option as a default for its subscribers and requires that subscribers use the password when checking voice mail. Other wireless operators, such as Sprint Nextel, have made it the default but offer customers the option to skip the password for convenience.

But are passwords enough? Patrick Cox, co-founder and CEO of TrustID, a company that sells a security product called Telephone Firewall that verifies phone calls, says no. Passwords are a good start toward securing a voice mail account, since the message can't be played without typing in the four-digit code. But he said more needs to be done.

"PINs can be changed," he said. "It's very easy for someone to call a call center and pretend to be you and change your PIN."

A second or third line of defense
Cox said a call center needs to use at least two factors of authentication to make sure that the person asking for personal information is really authorized to have access to that information and isn't just trying to smooth-talk a representative into providing it. The second factor of authentication that a subscriber can give might be a secure ID token or a biometric identifier, such as the subscriber's voice, but what's most commonly used is for a subscriber to provide something they know, such as a Social Security number or the amount of their last bill.

Even so, this is where security can still often break down. A Social Security number or the amount of the last bill is still something the caller knows, the same category as the PIN itself, and a pretexter who has done some homework may already have it, so on its own it is a second secret rather than a genuinely independent second factor. Cox said that unless wireless operators have some other way to authenticate users beyond simply asking for personal information, security can be breached and PINs can be changed, leading to unauthorized access to voice mails and other account information.

Wireless operators AT&T, Verizon, T-Mobile, and Sprint Nextel all say they encourage their customers to use passwords and to reset them often. AT&T and Verizon Wireless said that they employ additional internal methods for making sure that customer information is secure. But neither company was willing to disclose what measures are being taken.

Sprint Nextel also wouldn't go into detail, but a representative said that in addition to asking personal identification questions that would validate the account holder, the company would verify the subscriber by sending a link to reset a password via SMS to the phone.

Cox said that only allowing PINs to be reset through an SMS text message sent directly to the subscriber's handset could act as another factor of authentication, because it means the person resetting the account password must be in possession of the phone.
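The three decisions the article has described so far (trusting caller ID, requiring a PIN, and binding a PIN reset to the handset) can be modelled in a few dozen lines. The following is an added, constructed example written for this article; it is not any carrier's or TrustID's code, and the mailbox numbers, PINs, messages, lockout threshold and code lifetime are all made up. The `sms_outbox` list stands in for the carrier's SMS gateway, and the `now` parameters exist only so the lockout and expiry logic can be exercised without waiting.

```python
"""Toy model of voicemail access control: constructed for this article, not any
carrier's code. One mailbox trusts caller ID (the weak default described above);
the other always demands a PIN, limits guesses, and binds PIN resets to
possession of the handset via an SMS one-time code. All numbers, PINs and
messages are made up; sms_outbox stands in for the carrier's SMS gateway."""
import secrets
import time
from dataclasses import dataclass, field

MAX_PIN_ATTEMPTS = 5      # a 4-digit PIN has only 10,000 values; cap guesses
LOCKOUT_SECONDS = 15 * 60
RESET_CODE_TTL = 5 * 60


@dataclass
class Mailbox:
    number: str
    pin: str
    pin_required: bool = True          # False reproduces the weak default
    messages: list = field(default_factory=list)
    failed_attempts: int = 0
    locked_until: float = 0.0


class VoicemailSystem:
    def __init__(self, boxes):
        self.mailboxes = {b.number: b for b in boxes}
        self.sms_outbox = []      # (number, text) pairs "sent" to handsets
        self._reset_codes = {}    # number -> (code, expiry)

    def access(self, caller_id, dialed, pin=None, now=None):
        """Return ('ok', messages) or ('denied', reason). caller_id is whatever
        the network delivered; a spoofing service lets the attacker choose it,
        so it must never be the only check."""
        now = time.time() if now is None else now
        box = self.mailboxes.get(dialed)
        if box is None:
            return ("denied", "no such mailbox")
        if now < box.locked_until:
            return ("denied", "locked")
        if not box.pin_required and caller_id == box.number:
            return ("ok", list(box.messages))   # the spoofable path
        if pin is None:
            return ("denied", "pin required")
        if secrets.compare_digest(pin.encode(), box.pin.encode()):
            box.failed_attempts = 0
            return ("ok", list(box.messages))
        box.failed_attempts += 1
        if box.failed_attempts >= MAX_PIN_ATTEMPTS:
            box.failed_attempts = 0
            box.locked_until = now + LOCKOUT_SECONDS
            return ("denied", "locked")
        return ("denied", "bad pin")

    def request_pin_reset(self, number, now=None):
        """Call-center step: whatever identity questions the rep asks, the PIN
        only changes after a one-time code sent to the handset comes back."""
        now = time.time() if now is None else now
        if number not in self.mailboxes:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._reset_codes[number] = (code, now + RESET_CODE_TTL)
        self.sms_outbox.append((number, f"Voicemail PIN reset code: {code}"))
        return True

    def complete_pin_reset(self, number, code, new_pin, now=None):
        """Accept only a fresh, unused code and a 4-digit PIN; any attempt,
        right or wrong, consumes the code."""
        now = time.time() if now is None else now
        entry = self._reset_codes.pop(number, None)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            return False
        if not secrets.compare_digest(code.encode(), expected.encode()):
            return False
        if len(new_pin) != 4 or not new_pin.isdigit():
            return False
        box = self.mailboxes[number]
        box.pin, box.failed_attempts, box.locked_until = new_pin, 0, 0.0
        return True


def spoofed_call(system, victim, now=None):
    """An attacker with a caller-ID spoofing service presents the victim's own
    number and hopes the mailbox skips the PIN."""
    return system.access(caller_id=victim, dialed=victim, now=now)


def build_demo():
    return VoicemailSystem([
        Mailbox("+15550100", "1234", pin_required=False,
                messages=["(constructed) legacy mailbox"]),
        Mailbox("+15550200", "4321",
                messages=["(constructed) hardened mailbox"]),
    ])


if __name__ == "__main__":
    vm = build_demo()
    print(spoofed_call(vm, "+15550100"))   # legacy box plays the message
    print(spoofed_call(vm, "+15550200"))   # hardened box demands the PIN
```

The legacy mailbox is the article's pre-2011 default: because it accepts caller ID as identity, the spoofed call plays the messages with no PIN at all, while the hardened mailbox returns "pin required" on the same call. Guess limiting addresses Cox's point that a four-digit PIN can simply be guessed, and the reset flow mirrors Sprint's description: the rep's questions may gate the request, but the PIN only changes when a code delivered to the handset is presented, once, within its lifetime.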

This isn't the first time that cell phone companies have been scrutinized for how customer information is accessed. In 2006, Congress held hearings on the legally questionable practice of "pretexting," which involves tricking a business into disclosing information by posing as someone else, after it was discovered that Hewlett-Packard had accessed the phone records of some journalists, including several at CNET, and of its own board members. Since then the wireless and wireline telecommunications industries have consolidated. Some operators said in 2006 that they had made it more difficult for fraudsters to trick call center reps into giving out certain information. For example, Cingular, which is now AT&T Mobility, said at the time that it was putting in more ways to verify callers.

But Cox said it is still relatively easy for criminals to circumvent passwords and get information to reset passwords on accounts.

"Until the phone companies get at least two factors of authentication onto devices as well into their call centers, the PIN as security is almost useless since almost anyone can change it or even guess it," he said. "The only way to keep information confidential is to secure the call centers. Transaction PINs are a good start, but it shouldn't end there."

Cox said his company's application can help, especially in the call center. The Telephone Firewall de-spoofs the spoofers to ensure that the phone that is making the call to the call center requesting customer information or to change a PIN is the phone that is owned by the subscriber.

"We look at the telephone network, and the time that the call was made to do some network forensics," he said. "We don't exactly trace the call, so we can't pinpoint an address of where the call is coming from, but we know if it's coming from the device that it claims to be coming from."

TrustID isn't currently working with any phone companies to help secure their call centers. But its technology is already being used in the financial industry.

Of course, TrustID's technology isn't the only solution out there that can be used to help keep voice mail secure. Some security experts advocate the use of speaker verification technology, a biometric identifier, which could also help to verify that a caller is who he or she claims to be. Speaker verification could also be used at the call center to ensure passwords aren't reset by just anyone.

Speaker verification systems can be text-dependent or text-independent, or sometimes a combination. In a text-dependent system, numbers or phrases become spoken passwords that are compared against a sample of those same words recorded when the voice mail was set up. Text-independent verification doesn't require that a specific phrase be spoken; instead it analyzes a speaker's free speech for unique vocal characteristics.

The biggest advantage of this type of speaker verification is that it's easy to use and relatively inexpensive to implement, say experts. But there are downsides. Voice authentication systems aren't always reliable, and they often have high error rates in both directions: rejecting the real subscriber and accepting someone else. Many factors can affect accuracy, such as poor-quality voice samples and variability in the speaker's voice because of illness, mood, or changes that occur over time. Background noise can also cause issues.

Still, even with these weaknesses, experts say that passwords are the first line of defense in protecting personal data. They also suggest not making cell phone numbers widely available, because the fewer people who know your cell phone number, the less chance there is that someone can use it to get at your voice mail or other account information.