Who, What, Why: Can phone hackers still access messages?
- 6 July 2011
The News of the World phone hacking scandal has prompted an emergency debate in Parliament, but how were voicemails illicitly accessed and could it still happen?
When mobile phones were analogue, would-be snoopers could listen in using scanners. When mobile phones became digital, this option largely disappeared. But by then another way of snooping on people's private lives had presented itself - hacking into voicemail.
Mobile voicemail was introduced during the mid-1980s with users dialling a number, such as 121, to retrieve their messages. Because of poor network coverage, short battery life and people needing to listen to messages while abroad, mobile operators offered customers the chance to access messages remotely from another phone.
To do this customers would either ring their mobile number or a generic remote access number and, when they got through to a voicemail greeting, press a key such as * or # and enter a personal identification number (Pin).
For many years mobile phones came with a default four-digit Pin such as 1234, 0000 or 3333. In theory customers were expected to change their Pin, but in practice very few people did so.
This presented tabloid journalists and private investigators with a golden opportunity. They could simply ring the number and, if the owner didn't answer, enter the default Pin and access the person's messages.
Another ruse was to change the voicemail Pin from the default to prevent other journalists having access to it.
Prominent hack victims were Sienna Miller, the publicist Max Clifford and Professional Footballers' Association chief Gordon Taylor.
But today hacking is not the simple business it once was. The networks scrapped default passwords years ago. A Vodafone spokeswoman says the company stopped using 3333 in around 2003. Even those who had been using the default for years were forced to choose a new Pin.
And since the jailing of Clive Goodman and Glenn Mulcaire in 2006 for accessing Prince William's messages to royal aides, most phone operators have ensured the Pin can only be altered from the mobile phone in question.
"We made changes when police began to investigate," says Andrew Cocks, an O2 spokesman.
"If a customer does not choose a Pin, they will not be able to remotely access any of their voicemails." Operators can send warning texts to phones if someone repeatedly tries to access voicemail with a wrong Pin.
But is it safe enough? Carsten Maple, professor of applicable computing at the University of Bedfordshire, says there are still inherent weaknesses. Many people choose their date of birth as the Pin, which makes it easy for journalists to guess.
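The Pin safeguards described above (no default Pins, Pin changes only from the handset, no remote access without a chosen Pin, warning texts after repeated wrong attempts, and Maple's point about date-of-birth Pins), sketched as an added Python example that is not any operator's code. The class and function names, the three-attempt threshold and the lock after it are assumptions.

```python
from __future__ import annotations
import hmac
from datetime import date

DEFAULT_PINS = {"1234", "0000", "3333"}  # defaults named in the article
MAX_WRONG = 3  # assumed threshold; the article gives no figure


def birthday_pins(dob: date) -> set[str]:
    """Four-digit Pins that can be derived from a date of birth."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    return {d + m, m + d, y, d + y[2:], m + y[2:], y[2:] + d, y[2:] + m}


def pin_rejection_reason(pin: str, dob: date) -> str | None:
    """Return why a proposed Pin is refused, or None if it is acceptable."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return "not four digits"
    if pin in DEFAULT_PINS:
        return "former default Pin"
    if pin in birthday_pins(dob):
        return "derived from date of birth"
    return None


class Mailbox:
    """Hypothetical model of one subscriber's remote voicemail access."""

    def __init__(self, dob: date):
        self.dob, self.pin, self.wrong, self.alerts = dob, None, 0, []

    def set_pin(self, pin: str, from_own_handset: bool) -> str | None:
        if not from_own_handset:  # Pin is only alterable from the phone itself
            return "Pin can only be changed from the handset"
        reason = pin_rejection_reason(pin, self.dob)
        if reason is None:
            self.pin, self.wrong = pin, 0
            self.alerts.append("Your voicemail Pin was changed")
        return reason

    def remote_access(self, pin: str) -> bool:
        # No chosen Pin means no remote access; too many misses locks it
        # (the lock is an assumption) until the Pin is reset from the handset.
        if self.pin is None or self.wrong >= MAX_WRONG:
            return False
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.wrong = 0
            return True
        self.wrong += 1
        if self.wrong == MAX_WRONG:
            self.alerts.append("Repeated wrong Pin attempts on your voicemail")
        return False
```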
On some networks - O2 and T-Mobile in the UK - a hacker's main avenue would involve calling the victim's mobile and hoping that they didn't answer.
But some networks - Vodafone, Orange and 3 - provide a standard number for customers to ring. They then enter their mobile phone number and a password. O2 does offer a remote access number that can go straight to the inbox without the phone ringing, but it is unique to each user, unlike Orange, Vodafone and 3.
"To access their voicemail from another mobile device they must use a Pin number," an Orange spokesman says. "Customers receive a text alert highlighting any Pin number changes."
The risk is greater with operators with a generic remote access number, Maple argues, because there is no chance that the owner will pick up - the number goes straight to their inbox. If hackers have managed to steal or guess the Pin then they have an easier route into the person's messages, Maple says.
"Security has been tightened but I don't think it's enough."
The answer is to drop remote access to voicemail altogether, he suggests.
Few people use it so why exacerbate the risk of hacking by allowing it, he asks. But not all mobile operators give people the chance to turn off the remote access.
Simply switching this function off would make phones safer from determined hackers intent on digging around one's voicemail, he says.