Protect yourself from phone hacking

As the ‘phone hacking’ news wave reaches far and wide, not much
attention is paid to the methods used by hackers – nor are precautions
offered to readers worried about the privacy of their mobile
communications, bank accounts and other private data.

The easiest and least technically challenging way to break into a
person’s history of mobile conversations would be to guess their voice
mailbox PIN. Most people never change the default ‘0000’ common to many
mobile operators, or use their date of birth, year of graduation,
or a clever combination of 1234 or perhaps even 2580.

Many mobile operators allow landline telephones to reach a subscriber’s
voicemail system. As the pre-recorded message is played to the caller,
pressing the # or * key would direct them to the voicemail’s login
option. A correct PIN will let them in. Failed attempts are logged (and
some systems will lock the voicemail service after 3 or 10 incorrect
attempts); however, these logs are usually reset if the caller hangs up
and tries again.

Some voicemail systems can be tricked by spoofing the caller ID. Once
you are in possession of the target’s mobile number it is possible to
set up VoIP services to imitate it and initiate a call to the mobile
provider’s voicemail system or customer support. Then, by answering a few
default identification questions or, as already mentioned, guessing the
PIN, access to recorded messages or even the opportunity to reset the
PIN code is available.

There are ways to blunt such rudimentary, and probably quite
successful, hacking methods. Mobile operators should generate random
passwords as the standard default for new accounts and ensure that
common PIN combinations are not accepted (such as repeated or
sequential numbers, or anything beginning with 19** or 20**) should the
user wish to change it. The user, in turn, should exceed the minimum
4-number combination and perhaps spell out a word on the keypad. The
user should also request that a security pass-phrase be demanded of
them when calling customer support. General questions used by many
providers to authenticate the caller, such as address and post-code,
should be replaced with information only the genuine caller would
know – amount due on the last bill, frequently dialed/received
numbers.
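
The PIN rules above can be enforced by the operator when a PIN is set. The following is an added example, not code from any operator or from the original article; the function names, the rejection messages and the `date_of_birth` account field are assumptions made for illustration.

```python
import secrets
from typing import Optional

# Constructed deny-list: the default and keypad patterns named in the article.
KNOWN_WEAK = {"0000", "1234", "2580"}
MIN_LENGTH = 4  # the article's minimum; users are advised to go longer


def is_sequential(pin: str) -> bool:
    """True if every digit steps by +1 or every digit steps by -1 (3456, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def reject_reason(pin: str, date_of_birth: str = "") -> Optional[str]:
    """Return why a PIN is refused, or None if it is acceptable.

    date_of_birth is digits only, e.g. "14071985" (hypothetical account field).
    """
    if not (pin.isascii() and pin.isdigit()) or len(pin) < MIN_LENGTH:
        return "must be at least 4 digits"
    if pin in KNOWN_WEAK:
        return "known default or keypad pattern"
    if len(set(pin)) == 1:
        return "repeated digit"
    if is_sequential(pin):
        return "sequential digits"
    if pin[:2] in ("19", "20"):
        return "looks like a year"
    # Simple check: PIN appears verbatim inside the stored date of birth.
    if date_of_birth and pin in date_of_birth:
        return "derived from date of birth"
    return None


def generate_default_pin(length: int = 6) -> str:
    """Random per-account default instead of a shared '0000'."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if reject_reason(pin) is None:
            return pin
```

The same `reject_reason` check runs on generated defaults, so a new account never starts with a PIN the policy would refuse on change.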

Of course there are more sophisticated methods of breaking into phone
systems and snooping on telephone conversations. Social engineering
attacks and corrupt employees working for the mobile operator or law
enforcement are to be suspected. However, the sheer number of phones
that were hacked and the general misconception that digital
communications and devices are private and secure by default lead this
writer to believe that the simplest solutions are those that often work
best, even when it comes to hacking.