CNET también está disponible en español.

Ir a español

Don't show this again


AT&T finally tightens up password security

As threats to personal cell phone voice mails increase, the carrier is changing up its policy and making password protection the default setting for its consumers.

AT&T is stepping up the protection of its customers' voice messages amid mounting security concerns raised by the phone hacking incidents in the U.K.


The Dallas telecommunications giant changed its policy today so that a password was the default setting for its cell phone voice mail boxes, Chief Privacy Officer Robert Quinn posted on a company blog. New phones will automatically have the settings changed, and beginning early next year, existing customers who upgrade their phones will also see the change.

AT&T customers can currently access their voice messages without entering a password, a practice standard in the industry. But the vulnerability was exposed after the The News of the World scandal erupted, as details emerged of journalists who used cloning techniques to mimic another person's phone and access their voice messages.

The scandal has extended to the U.S., with allegations that the families of the victims from the September 11 terrorist attacks had their voice messages hacked, and has drawn in high-profile figures such as CNN anchor Piers Morgan, who denies any involvement in hacking, and more recently an editor at the Guardian. Other ripples include the resignation of various News Corp. executives, including Dow Jones Chief Executive Les Hinton, and scuttling of a deal by News Corp. to acquire a full stake in U.K.'s BSkyB pay-TV operator.

The privacy concerns also hit the wireless carriers, which have long been lax on their policies regarding passwords on voice mails, all in the name of convenience for the consumer.

"For folks who do a lot of talking while traveling, that option proved safe and certainly more convenient (no entering four or more numbers into the telephone) for our users," Quinn said.

Hackers, however, can use a caller ID spoofing service to place a call using the same number as the intended victim, allowing them easily access their voice messages. This method of breaking into a person's cell phone mail box has been around for years, and the service has some legitimate commercial uses.

"Given the advent and, unfortunately, the wide availability of sophisticated telephone number spoofing technology that allows people to "fake" the telephone number they are calling from, we are moving in a new direction," Quinn said.

Verizon is the only carrier that mandates a password protection on its customers' voice mail. The other carriers allow people to directly access their messages, though they strongly suggest using a password.

AT&T said it is working on changing its system to reflect the policy switch. In the meantime, Quinn said customers who visit AT&T's stores will be shown how to set up their password. Eventually, all customers will have the default switched to password protect.

Sprint, meanwhile also requires customers to set up a password, but allows customers to disable it after listening to a warning, according to a representative.

Likewise, AT&T said it would still give the option to not use a password, saying it still wanted to give customers the choice.

Updated at 1:41 p.m. PT: with a comment from Sprint.

Updated at 11:18 a.m. PT: with additional background.