Voicemail spying shows phone network weak spots
The voicemail tampering scandal engulfing Rupert Murdoch's News of the World tabloid demonstrates not only the vulnerability of phone networks, but also the fallibility of the people who help maintain them.
The British tabloid is accused of breaking into voicemail accounts of various celebrities and dignitaries —and even crime victims and their families— in a relentless hunt for scoops.
Those accused of hacking on behalf of Murdoch's publication were alleged to have employed a variety of ruses. Glenn Mulcaire, the private investigator at the center of the phone hacking scandal, once targeted members of Britain's royal household by duping phone operators into handing over their personal codes. Those PIN codes in turn allowed him and tabloid journalist Clive Goodman to listen in on the royal family's voicemails.
Many of the methods that phone hackers use are surprisingly low-tech.
"Pretexting" is a common technique for fooling company representatives into giving up a customer's private account information. A pretexting scheme works like this: A hacker calls up the telephone company pretending to be his victim. An agent asks for personal information, such as mother's maiden name or a pass code, to determine the person's identity. The customer service rep then surrenders call logs or passwords if the information is convincing enough.
Perhaps the most famous example of pretexting emerged in 2006 when it was revealed that Hewlett-Packard Co. was spying on journalists and its own board members by hiring private investigators to retrieve their phone logs. The practice was already illegal in the U.S., but was common in the world of private investigations because prosecutions were rare. After the HP debacle, new federal legislation clarified the penalties. Anyone found guilty of pretexting in the U.S. could face up to 10 years in prison.
Knowing bits of key information —such as a Social Security number, names of family members on the accounts — can help a hacker establish credibility in pretexting attacks. Having access to the target's e-mail account can be valuable as well.
In other cases in Britain, all journalists had to do was dial directly into victims' phones and enter a default or easy-to-remember password, such as "1111," to gain access to their voicemails.
The News of the World fiasco has led to prison terms for an investigator and a former reporter for the tabloid, caused several major companies to pull advertising. It is complicating Murdoch's attempt at a multibillion-pound (dollar) takeover of British Sky Broadcasting, which some in government now insist should be blocked because of the hacking incident.
Authorities say tabloid staffers may have interfered with police investigations by hacking into the cellphone of a 13-year-old girl who was eventually found murdered. The staffers are also being investigated on allegations of tampering with phones of victims of the July 7, 2005, terrorist attacks in London, which killed 52 people.
Just as many people are surprised by how easy it is to hack into someone's Internet e-mail account — the "forgot my password" feature is reviled by many security professionals— it may be surprising as well that phone accounts aren't much safer.
Unlike an ATM withdrawal that requires a bank card and a PIN code, voicemail typically only requires a PIN code.
Today, we simply store too much information and don't take enough advantage of technologies such as voice recognition, for instance, that could better secure voicemail, said Mark Rasch, director of cybersecurity and privacy consulting for Computer Sciences Corp.
"The four-digit PIN will someday die, but I can't tell you when," Rasch said. "Businesses still like it, and people like it because it's easy and easy to remember. But it's only easy and easy to remember if you use the same PIN for everything — and once you do that, if you've compromised it one place, you've compromised everywhere."
If all else fails, hackers can sometimes purchase phone information. Britain's Guardian newspaper has reported allegations that other investigators paid bribes to obtain information from Britain's police database, the drivers' licensing agency, and cell phone companies.
The phone numbers and passwords were obtained in industrial quantities. Last year Scotland Yard said that some 4,000 names, 3,000 cell phone numbers and nearly 100 passwords had been found in Mulcaire's notes when he was arrested.
Raphael G. Satter reported from London.