Remember Voice Mail? It's Still Remotely Hackable

As the News of the World scandal highlights, there's often plenty of sensitive information on our cloud-based answering machines. Now is a good time to review phone security 101.

Kurt Marko, Contributing Editor

July 18, 2011

Unless you've been on a wilderness excursion the last couple of weeks, you're aware that there's a scandal of newspaper-shuttering, business-deal-busting, prison-time-threatening proportions across the pond -- one that stems from that most ordinary of phone features, voice mail. You remember, that remotely accessible digital answering machine? The thing we used to exchange messages in the days before texting and Twitter?

Despite being repeatedly described as a "phone hacking" scam, the British tabloid News of the World didn't engage in anything nearly as sophisticated as intercepting live cell phone conversations using techniques such as those described at last summer's Def Con conference or the recent Vodafone exploit. No, this involved simply breaking a voice mail PIN and nosing around.

In this age of data-laden smartphones and targeted spear phishing attacks, it's easy to forget about plain old voice mail. However, as Tiger Woods found out and this latest scandal reiterates, there's often plenty of sensitive information on our cloud-based answering machines. For businesspeople who aren't routinely stalked by the paparazzi, those info nuggets certainly aren't juicy enough for tabloid fodder, but they could be just as damaging to your company. Whether it's tidbits about a new product scooped up by a competitor or hints of a takeover offer leaked to a hedge fund manager, voice mail can contain information valuable to an outsider. Sometimes, even the records of whom you called, and when, are enough to tip off a potential foe, as dramatically illustrated by HP's pretexting scandal. Hence, this recent "news of the world" makes it a good time to review phone security 101.

First, and most obviously, pick a random PIN. Most carriers force you to change the default PIN the first time you enter voice mail, but unfortunately, a common suggestion for choosing a memorable one, using your birth month and year, is a bad idea in this age of social networks, where such information is often publicly (albeit sometimes unwittingly) shared. So don't use any number that's publicly associated with you (e.g., your house address) or an easily guessed string (1234), and, if your carrier gives the option, don't use just four digits (the more, the better).
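An enrollment-time check for the advice above, as an added example that is not part of the original article: it rejects PINs that are too short, runs such as 1234, or built from a subscriber's birth date, house number or phone number, and it can generate a random PIN instead. The six-digit minimum, the function names and the sample subscriber are assumptions made for illustration.

```python
import secrets
from datetime import date

MIN_LENGTH = 6  # assumed policy floor; the article only says to use more than four digits

def derived_values(birth: date, house_number: str, phone: str) -> set[str]:
    """Digit strings anyone could assemble from publicly shared facts."""
    mm, dd, yyyy = f"{birth.month:02d}", f"{birth.day:02d}", f"{birth.year:04d}"
    yy = yyyy[2:]
    values = {mm + yy, mm + yyyy, yyyy, mm + dd, dd + mm,
              mm + dd + yy, dd + mm + yy, mm + dd + yyyy, dd + mm + yyyy}
    digits = "".join(c for c in phone if c.isdigit())
    values |= {digits[-n:] for n in range(4, len(digits) + 1)}  # trailing phone digits
    values.add(house_number)
    return {v for v in values if v}

def is_trivial_run(pin: str) -> bool:
    """True for ascending runs (1234), descending runs (4321) and repeats (1111)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9}, {0})

def pin_problems(pin: str, birth: date, house_number: str, phone: str) -> list[str]:
    """Return the reasons a PIN should be refused; an empty list means it passes."""
    if not pin.isdigit():
        return ["must contain digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if is_trivial_run(pin):
        problems.append("easily guessed run of digits")
    # Exact matches always count; embedded matches only when at least 4 digits long.
    if any(v == pin or (len(v) >= 4 and v in pin)
           for v in derived_values(birth, house_number, phone)):
        problems.append("built from publicly known personal data")
    return problems

def random_pin(length: int, birth: date, house_number: str, phone: str) -> str:
    """Draw PINs from the OS CSPRNG until one passes every check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not pin_problems(pin, birth, house_number, phone):
            return pin

# Constructed sample subscriber (not real data).
SAMPLE = (date(1975, 3, 14), "1600", "555-0142")
```
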

Second, check your voice mail regularly, even when you don't have any messages. Why? As this latest scandal demonstrates, a favorite trick of voice mail voyeurs is changing the victim's PIN in order to prolong their access and keep competitive spies out. If you can't log in to your own account, it's a good bet someone else is. Even if you've chosen a completely random seven-digit PIN, a determined attacker can often get it changed either by pretexting (impersonating you to the carrier and, knowing just enough personal information to be convincing, getting the support person to reset it to a default) or hacking into your account at the carrier's website (you are using a strong password there, aren't you?).

This incident raises a larger question about the wisdom of carriers allowing unfettered remote access to voice mail in the first place. Sure, this policy made sense in the days when wireless phones weren't our primary voice lines, but now, with more people cutting the cord and carrying their phones everywhere, and with forwarding services like Google Voice, the downsides of remote voice mail access seem to outweigh the benefits. Just allowing customers to whitelist a set of allowable numbers would be an improvement, but until carriers enable stronger voice mail security features, password hygiene and vigilant account monitoring will have to suffice.


About the Author(s)

Kurt Marko is an InformationWeek and Network Computing contributor and IT industry veteran, pursuing his passion for communications after a varied career that has spanned virtually the entire high-tech food chain from chips to systems. Upon graduating from Stanford University with a BS and MS in Electrical Engineering, Kurt spent several years as a semiconductor device physicist, doing process design, modeling and testing. He then joined AT&T Bell Laboratories as a memory chip designer and CAD and simulation developer. Moving to Hewlett-Packard, Kurt started in the laser printer R&D lab doing electrophotography development, for which he earned a patent, but his love of computers eventually led him to join HP’s nascent technical IT group. He spent 15 years as an IT engineer and was a lead architect for several enterprisewide infrastructure projects at HP, including the Windows domain infrastructure, remote access service, Exchange e-mail infrastructure and managed Web services.
