Businesses and private voicemail users risk being held to ransom by hackers if they do not address security weaknesses in their systems, a leading security consultancy has warned.
The Belgium-based IT security consultancy ScanIT says it was able to break into voicemail systems in Europe and Asia using simple tools and software readily available on the Internet.
ScanIT tests voicemail systems and exchanges for telecoms companies who want to investigate how hackers gain entry to their networks, following a year of attacks that have cost the industry millions of dollars worldwide.
"When a hacker breaches someone's voicemail account they can make international calls that are charged back to customers," David Michaux, ScanIT's managing director explains.
"These hackers range from amateur 'script kiddies' – programmers who operate from a home or bedroom computer – to organised gangs that comb businesses' telephone exchanges looking for security 'loopholes'. When they identify a security hole they divert premium airtime from that company to other providers who sell the airtime on through international call shops."
There are a number of ways hackers get into users' voicemail accounts.
A favoured method is simply to guess the PIN code, which is very often still the default issued by the phone company at the point of purchase.
Once inside, the hacker replaces the customer's greeting with a recording that answers "yes". When the hacker later places a long-distance call billed to that customer's number, the carrier's automated operator rings the customer's home phone to ask for approval of the third-party billing; the call rolls to voicemail, the recorded greeting answers affirmatively, and the charge is accepted.
In September last year, Verizon, an American telecom company, advised its customers to protect themselves against this growing phenomenon.
Speaking at the time, John Lewandowski, Verizon's security manager, warned: "Voicemail hackers currently operating out of the Far East and elsewhere are believed to be responsible for huge long-distance bills charged to US home-phone lines, businesses and government agencies."
More recently, another US telco giant, AT&T, warned its customers to be vigilant against hackers using the same trick.
The company advises customers to always change the default password provided by the voicemail vendor; to choose a complex voicemail password at least six digits long; not to use obvious passwords such as an address, birth date or phone number; to change the voicemail password often; to listen to the greeting the phone plays regularly, to ensure it is still yours and has not been replaced; and to disable the auto-attendant, call-forwarding and out-paging capabilities of voicemail if these features are not used.
In other words, all of the usual precautions we never bother to read, much less observe, in the directions that come with a new phone.
AT&T has seemingly run out of patience with what it sees as a lack of security co-operation on the customers' side, despite pleas through the press for them to take more care over their PIN codes.
Last month, the company refused to come to the rescue of a San Francisco-based graphic artist who it says owes $12,000 in long-distance charges that were rung up by a hacker.
The hacker apparently changed the customer's voicemail greeting so that it accepted third-party billed calls to Saudi Arabia and the Philippines. The customer had not changed her voicemail PIN from the default issued when she bought the phone.
"It is the responsibility of the customer to secure their voicemail system," said Gordon Diamond, a spokesman for AT&T in San Francisco.
But flaws remain within the providers' systems too and it is unfair to put the blame squarely onto the consumer, says Michaux.
"At AT&T, the automated system always asks the same questions and waits a set interval for a response, making it fairly easy for a hacker to synchronise his fraudulent voicemail message," says Michaux.
But in some cases the onus of responsibility clearly lies with the customer. Default PIN codes are a gift to hackers and are readily available over the Internet.
In the UK, Orange's default voicemail PIN is 1111; O2/BTCellnet's default is 8705 and T-Mobile's is 1210.
Vodafone even encourages customers to use PIN codes made up from their birthdays – information that can easily be garnered from the Internet, and a birthday is often the second code a hacker will try after the default PIN.
However, it is not just organised criminals that pose a threat to users' voicemail boxes.
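The AT&T advice above (change the default, use at least six digits, avoid birthdays and phone numbers) and the list of published default PINs translate directly into a policy check that a voicemail platform or a PBX administrator could run when a PIN is set. The following is an added example, not code from ScanIT, AT&T or any operator named on the page: it seeds the default list with the three UK defaults the article names, and everything else (the minimum length, the phone-number and birthday rules, the sample inputs) is a constructed illustration of the advice rather than any vendor's actual policy.

```python
import re
from datetime import date
from typing import List, Optional, Set

# Default voicemail PINs quoted on the page (Orange, O2/BTCellnet, T-Mobile).
# In a real deployment this set would hold whatever defaults your own
# vendor ships; the three entries here are only the ones the article names.
DEFAULT_PINS: Set[str] = {"1111", "8705", "1210"}

MIN_LENGTH = 6  # AT&T's advice: a PIN of at least six digits


def is_sequential(pin: str) -> bool:
    """True for ascending or descending runs such as 123456 or 654321."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def birthday_forms(dob: date) -> Set[str]:
    """Digit strings a guesser would derive from a known date of birth
    (ddmm, mmdd, ddmmyy, mmddyy, yyyymmdd, ddmmyyyy, mmddyyyy)."""
    d, m, y = dob.day, dob.month, dob.year
    return {
        f"{d:02d}{m:02d}", f"{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y % 100:02d}", f"{m:02d}{d:02d}{y % 100:02d}",
        f"{y}{m:02d}{d:02d}", f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}",
    }


def check_pin(pin: str, phone_number: Optional[str] = None,
              dob: Optional[date] = None) -> List[str]:
    """Return the reasons a candidate voicemail PIN is weak.

    An empty list means the PIN passes every rule. phone_number and dob are
    the pieces of customer data a hacker could find online; if supplied,
    the PIN is rejected when it is derived from them.
    """
    problems: List[str] = []
    if not pin.isdigit():
        return ["PIN must consist of digits only"]
    if pin in DEFAULT_PINS:
        problems.append("vendor default PIN")
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if len(pin) >= 4 and is_sequential(pin):
        problems.append("sequential digits")
    if phone_number:
        number_digits = re.sub(r"\D", "", phone_number)
        if pin in number_digits:
            problems.append("substring of the customer's phone number")
    if dob and pin in birthday_forms(dob):
        problems.append("derived from the customer's date of birth")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the phone number is a UK non-allocated
    # test range, the date of birth is invented.
    samples = [
        ("1111", None, None),
        ("123456", None, None),
        ("900123", "+44 7700 900123", None),
        ("150384", None, date(1984, 3, 15)),
        ("738291", "+44 7700 900123", date(1984, 3, 15)),
    ]
    for pin, phone, dob in samples:
        verdict = check_pin(pin, phone, dob) or ["ok"]
        print(f"{pin}: {', '.join(verdict)}")
```

The check is deliberately a reject-list rather than an entropy score: the attacks the article describes are not brute force but a handful of guesses (the vendor default, then a birthday, then the phone number), so the policy only needs to close off exactly those guesses while still allowing any other six-digit value.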
James Hipwell, the former Daily Mirror "City Slicker," who now works for celebrity PR guru Max Clifford, said last October that journalists regularly breached the voicemail boxes of those in the public eye for stories.
"There are many stories every week - mainly show business - that couldn't have been got by any other means," he told the Media Guardian.
"It's underhand and it's not encouraged but it is common practice and everyone does it."
The trend of voicemail hacking is growing over fixed lines as well as over mobile phone networks…
Dublin-based telecoms management company, Soft-ex, says an organised gang used a succession of fixed-line PBX exchanges to re-route tens of thousands of euros of international calls to India, Pakistan and Africa from a house in England last year.
The owners of each exchange system involved had to foot substantial carrier bills, including one for €75,000 run up over a single weekend.
The fraudsters forwarded the last exchange in the chain to Dublin – a favoured trick used to give the impression that they are somewhere other than their real location – and hence a local company, Soft-ex, was called in to trace them.
Ken Francis, Managing Director of Soft-ex, says voicemail is just one of the entry points fraudsters use to breach users' accounts.
"Dealing with security threats solely on the providers' side amounts to building a Maginot Line against an army of hackers that will simply march around it and come in through the back – which, as history proves in this case is a customer leaving their pin codes as default. However, providers should ensure they have attained the strongest possible level of security for customers too."
In another case, AT&T saw $30,000 worth of unauthorised calls placed through a customer's system – the East Palo Alto City Hall phone exchange – over five days in July last year.
Almost a year later the question of who should pay the bill remains in dispute between customer and provider.
"A good security balance can only be obtained if both the service provider has ensured their system's external access points have been secured, and the end-user is security conscious about their PIN number," Michaux said.
ScanIT provides a range of security and penetration testing solutions to mobile and fixed line PBX telecoms companies across the world.