Belgian-based IT security consultancy ScanIT is testing voicemail systems and exchanges for telecoms companies who want to investigate how hackers gain entry to their networks, following a year of attacks that have cost the industry millions of dollars worldwide.
Security companies are warning that private voicemail systems can be exploited using tools and software available on the Internet.
"When a hacker breaches someone’s voicemail account they can make international calls that are charged back to customers," David Michaux, ScanIT’s managing director, explains.
"These hackers range from amateur ‘script kiddies’ – programmers who operate from a home or bedroom computer – to organised gangs that comb businesses’ telephone exchanges looking for security ‘loopholes’.
"When they identify a security hole they divert premium airtime from that company to other providers who sell the airtime on through international call shops."
There are a number of ways hackers enter users’ accounts.
A favoured method is to guess the pin code, often the default number issued by the phone company at the point of purchase.
The hacker then records a message that responds affirmatively to an automated operator that calls the person’s home phone seeking approval for third-party billing of a long-distance call.
Verizon, an American telecom company, has advised its customers to protect themselves against this growing phenomenon.
John Lewandowski, Verizon’s security manager, warns: "Voicemail hackers currently operating out of the Far East and elsewhere are believed to be responsible for huge long-distance bills charged to US home-phone lines, businesses and government agencies."
Another US telco giant, AT&T, also warns its customers to be vigilant of hackers using the same trick.
The company advises customers to always change the default password provided by the voicemail vendor; to choose a complex voicemail password at least six digits long; not to use obvious passwords such as an address, birth date or phone number; and to change a voicemail password often.
It also recommends regularly checking the announcement your phone gives to ensure the greeting is indeed yours, and disabling the auto-attendant, call-forwarding and out-paging capabilities of voicemail if these features are not used.
In other words, all of the usual precautions we never bother to read, much less observe, in the directions that come with a new phone.
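As an added illustration (not part of the original article and not any operator's own code), the check below shows how a voicemail platform could enforce that advice at the moment a PIN is set. The function names, the date layouts tested and the repeated or sequential digit rule are assumptions; the default codes are the ones the article names.

```python
import re
from datetime import datetime

# Default voicemail codes named in the article (UK operators).
DEFAULT_PINS = {"1111", "8705", "1210"}
MIN_LENGTH = 6  # advice quoted in the article: at least six digits

# Assumed date layouts a birthday PIN might follow (day/month/year orders).
DATE_FORMATS = {6: ("%d%m%y", "%m%d%y", "%y%m%d"),
                8: ("%d%m%Y", "%m%d%Y", "%Y%m%d")}


def _is_date(pin):
    """True if the digits parse as a calendar date in one of the layouts."""
    for fmt in DATE_FORMATS.get(len(pin), ()):
        try:
            datetime.strptime(pin, fmt)
            return True
        except ValueError:
            continue
    return False


def audit_pin(pin, personal_numbers=()):
    """Return the list of policy violations; an empty list means the PIN passes.

    personal_numbers: strings such as the subscriber's phone number or
    street number (hypothetical account fields, any punctuation allowed).
    """
    if not pin.isdigit():
        return ["not numeric"]
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("operator default")
    if len(pin) < MIN_LENGTH:
        problems.append("shorter than six digits")
    if _is_date(pin):
        problems.append("looks like a date")
    # Assumed reading of "complex": no single repeated digit, no simple run.
    if len(set(pin)) == 1 or pin in "01234567890" or pin in "09876543210":
        problems.append("repeated or sequential digits")
    for number in personal_numbers:
        if pin in re.sub(r"\D", "", number):
            problems.append("contained in a personal number")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample PINs and a constructed phone number.
    for candidate in ("1111", "150684", "5550142", "739158"):
        print(candidate, audit_pin(candidate, ["+1 415 555 0142"]))
```
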
AT&T has seemingly run out of patience with what it sees as a lack of security co-operation on the customers’ side, despite pleas through the press for them to take more care over their pin codes.
The company refused to come to the rescue of a San Francisco-based graphic artist who it says owed $12,000 in long-distance charges that were rung up by a hacker.
The hacker apparently changed the customer’s voicemail message to accept third-party billed calls to Saudi Arabia and the Philippines. The customer had not changed her voicemail security code from the default code issued when she bought the phone.
"It is the responsibility of the customer to secure their voicemail system," said Gordon Diamond, a spokesman for AT&T in San Francisco.
But flaws remain within the providers’ systems too and it is unfair to put the blame squarely onto the consumer, says Michaux.
"At AT&T, the automated system always asks the same questions and waits a set interval for a response, making it fairly easy for a hacker to synchronise his fraudulent voicemail message," says Michaux.
But in some cases the onus of responsibility clearly lies with the customer. Generic pin codes are a gift to hackers and are readily available over the Internet.
In the UK, Orange’s voicemail code is 1111; O2/BTCellnet’s default is 8705 and T-Mobile’s is 1210.
Vodafone even encourages customers to use pin codes made up from their birthdays – information that could easily be garnered from the Internet and is often the second code a hacker will try after a default pin code.
However, it’s not just organised criminals that pose a threat to users’ voicemail boxes. James Hipwell, the former Daily Mirror ‘City Slicker’, admits journalists regularly breach the voicemail boxes of those in the public eye for stories.
"There are many stories every week – mainly show business – that couldn’t have been got by any other means," he told the Media Guardian.
"It’s underhand and it’s not encouraged but it is common practice and everyone does it."
The trend of voicemail hacking is growing over fixed lines as well as over mobile phone networks…
Dublin-based telecoms management company, Soft-ex, says an organised gang used a succession of fixed-line PBX exchanges to re-route tens of thousands of euros of international calls to India, Pakistan and Africa from a house in England last year.
The owners of each exchange system involved had to foot substantial carrier bills, including one for €75,000, which had been run up over a single weekend.
The fraudsters threw the final exchange they used over to Dublin – a favoured trick of hackers used to give the impression they are somewhere other than their real location – and hence a local company, Soft-ex, was called in to trace them.
Ken Francis, Managing Director of Soft-ex, says voicemail is just one of the entry points fraudsters use to breach users’ accounts.
"Dealing with security threats solely on the providers’ side amounts to building a ‘Maginot Line’ against an army of hackers that will simply march around it and come in through the back – which, as history proves in this case, is a customer leaving their pin codes as default. However, providers should ensure they have attained the strongest possible level of security for customers too."
Again, AT&T experienced the theft of $30,000 worth of unauthorised calls through a customer – the East Palo Alto City Hall phone system – over five days in July last year.
Almost a year later the question of who should pay the bill remains in dispute between customer and provider.
"A good security balance can only be obtained if both the service provider has ensured their system’s external access points have been secured and the end-user is security conscious about their pin number," Michaux said.