In the past week, investigations into the British hacking scandal reported that News of the World journalists may have hacked into as many as 4,000 mobile phones. These attacks have raised serious concerns and even spurred three US Senators to lobby for investigations here in the United States. This news has left many mobile users wondering how it was that hackers were able to gain access to mobile devices and what steps they can take to protect themselves from such attacks?
There are multiple techniques that News of the World newspapers might have used to hack into phones. One method takes advantage of poorly password protected voicemail accounts. Many people choose very simplistic voicemail codes (1111) or never even take the time to change the factory default voicemail PIN number on their devices, making it very easy for hackers to listen to voicemail messages that are stored on cell phone carrier’s servers. If a hacker called a victim’s phone, another hacker could call the line at the same time and be sent directly to voicemail. The hacker could then enter the default codes and be granted access to the account without the victim’s knowledge.
Attackers might also use social engineering to impersonate a user or otherwise trick a third party (for example, carrier support personnel) into resetting access codes and thus granting them access to an account.
Hackers may also have gained access to accounts by spoofing the victim’s caller ID. Hackers can use a Voice-Over-IP (VOIP) service that allows them to select a different outbound caller ID. They then only need to call a victim’s cell phone number, and unless they encounter a PIN gating the voicemail box, the hacker will gain access to the victim’s voicemail account.
While these hackers used a variety of tricks to access accounts, there are steps that users can take to protect their phones. First, make sure to set a password on your voicemail. You should not rely solely on the voicemail system to detect that the call comes from your number. Second, it is important to set a strong password on your voicemail account. Avoid simplistic passwords: such as the last four digits of your phone number, or public information (birthday). As a general rule of thumb, if the passcode information may be available on Facebook—don’t use it for your code. For added protection, you may also be able to ask your mobile carrier to set a password on your account to prevent people from modifying it without your knowledge. By following these basic steps, users can keep their phones—and privacy—better protected.