Stricter voicemail security cuts cellphone hacking

Forced use of passwords makes it harder to snoop into accounts

With sensational headlines about the News of the World phone hacking scandal coming out of Britain, many may wonder how private voicemails were accessed a few years ago and if such a thing could still happen today.

Phone security in the U.K. and Canada has improved since private investigators were allegedly paid to hack into the voicemail accounts of Milly Dowler, a 13-year-old schoolgirl who was murdered in 2002; the families of the victims of the July 7, 2005, London transit bombing attacks; and the families of British soldiers killed in Iraq.

News of the World has also been accused of targeting the voicemail accounts of celebrities and politicians.

In the half-decade since most of the phone hacking allegedly occurred, cellphone companies began to more strictly enforce voicemail security.

Much of the alleged voicemail hacking that occurred in the U.K. simply could not happen today. At the time of Milly Dowler's kidnapping and murder, many British wireless carriers used default passwords that customers never bothered to change or allowed the password feature to be bypassed entirely.

But now, major cellphone companies in Canada and the U.K. force all customers to input a secret password before they can access their voicemail.

"Wireless carriers have certainly come a long way from the days when voicemail could be accessed without a password," said mobile security expert Sahba Kazerooni, director of professional services at Toronto-based security consulting firm Security Compass.

Still, it is difficult to ensure customers follow cellphone companies' advice to use more secure passwords instead of ones that might be easy for a would-be hacker to guess, such as a date of birth, a street address or the last four digits of a person's telephone number.

Onus on phone users

According to Kazerooni, "the types of vulnerabilities that remain are ones that are much more difficult to mitigate," since the onus is on customers to choose adequate passwords.

Limiting passwords to the digits 0-9 and not allowing letters or special characters also "makes guessing or brute forcing of passwords easier," he said.

Newer technologies also present threats to mobile security. While noting that there is no apparent trend similar to the News of the World hacking scandal in Canada, Dave Black of the RCMP's technical security branch said that the rise of the smartphone means there are more opportunities for hackers to go after the "computers connected to our hip pocket."

"As computers they contain a lot of data, so that makes them increasingly attractive," he said.

For example, Kazerooni pointed to the increasingly used visual voicemail technology, a smartphone feature that transcribes audio voicemail messages into text, likening it to e-mail.

"Information that's left on voicemail is often sensitive in nature, since the assumption is that only the intended recipient can hear it," he said. "People often have the habit of leaving SIN or credit card numbers on a voicemail message."

'Like putting it in a sealed letter'

The threat is similar to sending e-mail, he said, where anyone who has access to an e-mail account can see the private information.

"Transcribing that information and sending it over e-mail is like putting it in a sealed envelope and dropping it in a mailbox," said Kazerooni.

The security expert has a few recommendations for wireless carriers, including "enforcing long and complex passwords, and requiring users to change their password on a regular basis."
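
As an added illustration (not from the article or from any carrier), here is a sketch of the kind of check a carrier could run when a customer sets a voicemail PIN: it rejects defaults, trivial patterns and the personal details the article names as easy to guess, and compares how many guesses each PIN format allows. The six-digit minimum, the default-PIN list and the subscriber record are assumptions made up for the example.

```python
from datetime import date

# Constructed stand-ins for carrier default PINs; real defaults vary by carrier.
DEFAULT_PINS = {"0000", "1111", "1234"}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets an attacker must search in the worst case."""
    return alphabet_size ** length

def personal_candidates(birth: date, phone: str, street_number: str) -> set[str]:
    """Digit strings derivable from the details the article calls guessable."""
    digits = "".join(c for c in phone if c.isdigit())
    d, m, y = f"{birth.day:02d}", f"{birth.month:02d}", f"{birth.year:04d}"
    return {
        digits[-4:], digits[-6:], street_number.zfill(4),
        d + m, m + d, y, m + y[2:],
        d + m + y[2:], m + d + y[2:], d + m + y, m + d + y, y + m + d,
    }

def is_trivial(pin: str) -> bool:
    """True for repeated digits (7777) or straight runs (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def check_pin(pin, birth, phone, street_number, min_len=6):
    """Return rejection reasons; an empty list means the PIN is accepted."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not_digits"]  # assumption: PIN is typed on a phone keypad
    reasons = []
    if len(pin) < min_len:  # min_len=6 is an assumed policy value
        reasons.append("too_short")
    if pin in DEFAULT_PINS:
        reasons.append("default")
    if is_trivial(pin):
        reasons.append("trivial_pattern")
    cands = personal_candidates(birth, phone, street_number)
    if any(c in pin for c in cands if len(c) >= 4):
        reasons.append("personal_detail")
    return reasons

if __name__ == "__main__":
    who = (date(1988, 7, 5), "416-555-0142", "27")  # constructed subscriber
    for pin in ("1234", "0142", "050788", "839204"):
        print(pin, check_pin(pin, *who) or "accepted")
    print("4 digits:", keyspace(10, 4), "| 6 digits:", keyspace(10, 6),
          "| 6 letters+digits:", keyspace(36, 6))
```

A four-digit PIN allows only 10,000 combinations, so a check like this matters most when paired with a limit on failed attempts.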