Careless talk costs companies and consumers (page 1 of 2)

  • Monday, October 13 - 2003 at 08:56

Businesses and private voicemail users risk being held to ransom by hackers if they do not address security weaknesses in their systems, a leading security consultancy has warned.

The Belgian-based IT security consultancy, ScanIT, says it was able to exploit voicemail systems in Europe and Asia using simple tools and software readily available on the Internet.

ScanIT tests voicemail systems and exchanges for telecoms companies who want to investigate how hackers gain entry to their networks, following a year of attacks that have cost the industry millions of dollars worldwide.

"When a hacker breaches someone's voicemail account they can make international calls that are charged back to customers," David Michaux, ScanIT's managing director, explains.

"These hackers range from amateur 'script kiddies' - programmers who operate from a home or bedroom computer - to organised gangs that comb businesses' telephone exchanges looking for security 'loopholes.' When they identify a security hole they divert premium airtime from that company to other providers who sell the airtime on through international call shops."

There are a number of ways hackers enter users' accounts.
A favoured method is to guess the PIN code, often the default number issued by the phone company at the point of purchase.

The hacker then records a message that responds affirmatively to an automated operator that calls the person's home phone seeking approval for third-party billing of a long-distance call.

In September last year, Verizon, an American telecom company, advised its customers to protect themselves against this growing phenomenon.

Speaking at the time, John Lewandowski, Verizon's security manager, warned: "Voicemail hackers currently operating out of the Far East and elsewhere are believed to be responsible for huge long-distance bills charged to US home-phone lines, businesses and government agencies."

More recently, another US telco giant, AT&T, warned its customers to be vigilant of hackers using the same trick.

The company advises customers to always change the default password provided by the voicemail vendor; to choose a complex voicemail password at least six digits long; not to use obvious passwords such as an address, birth date or phone number; to change a voicemail password often; to regularly check the announcement your phone gives to ensure the greeting is indeed yours; and to disable the auto-attendant, call-forwarding and out-paging capabilities of voicemail if these features are not used.

In other words, all of the usual precautions we never bother to read, much less observe, in the directions that come with a new phone.

AT&T has seemingly run out of patience with what it sees as a lack of security co-operation on the customers' side, despite pleas through the press for them to take more care over their PIN codes.

Last month, the company refused to come to the rescue of a San Francisco-based graphic artist who it says owes $12,000 in long-distance charges that were rung up by a hacker.

The hacker apparently changed the customer's voicemail message to accept third-party billed calls to Saudi Arabia and the Philippines. The customer had not changed her voicemail security code from the default issued when she bought the phone.

"It is the responsibility of the customer to secure their voicemail system," said Gordon Diamond, a spokesman for AT&T in San Francisco.

But flaws remain within the providers' systems too and it is unfair to put the blame squarely onto the consumer, says Michaux.

"At AT&T, the automated system always asks the same questions and waits a set interval for a response, making it fairly easy for a hacker to synchronise his fraudulent voicemail message," says Michaux.

But in some cases the onus of responsibility clearly lies with the customer.