Mobile phones began with basic features and built on these to bring us what we have today – a computer built around a phone. For the purpose of this discussion, “basic features” are phone calls, voicemail, and SMS. Much has been written about security and SMS, but you see little about the security of voicemail, unless you count the News International phone hacking scandal. This type of hacking involves a method known as pretexting, whereby the hacker calls a customer service representative and impersonates their victim using personal details in order to gain passwords into voicemail, email, etc.
This is not something the average person can do, nor should they try, considering that today pretexting can get you 10 years in prison. But what if it wasn’t that hard and little to no work was needed to gain access to voicemail? What about your voicemail?
One of the many beautiful things about a mobile phone is that in order to hear your voicemail, you usually have to push a button. You were likely advised by an SMS message that you had a missed call and from whom, etc. Gone are the days of bulky machines at home or the next huge technological advancement – calling a carrier phone number, punching in a few more digits and being forced to listen to your messages sequentially. Now, we can see a whole menu of who called and when, and play the messages back in any order we wish. That is, as long as we are doing this from our mobile phone.
Of course, from where else would we check our voicemail? Sometimes we might forget our mobile phone (a thought that strikes terror in many) and will want to check messages remotely. Depending on the make, model and carrier, you can call a central toll-free number that asks for your cell number and password. Another approach is simply calling your own mobile number and pressing “*” or “#” during your voicemail greeting, which interrupts the greeting and asks for a password. Note that you aren’t prompted for a password when calling from your mobile, so the added security required when calling from another phone is an excellent feature. The downsides are a) do you remember your password and b) do you even have one? Likely the staff at the store that sold you the phone set this up with you or, in your excitement, you just left it as the default – not a good idea. Search on the Internet for your phone type and default voicemail password and you may be surprised to find this is what you have been using – but if you never typed it in (for remote access), then you wouldn’t know it!
By using the mobile phone feature to access voicemail, keying in the password was never required. This “set it once and forget it” complacency has led many of us to let our guard down and not put the same emphasis on the voicemail password as we do on our phone-locking PIN or desktop computer password. That little tidbit is not lost on attackers, who can leverage default or non-existent voicemail passwords to their advantage. So what can you do? Fortunately you have several choices: disable/never use voicemail in the first place, or set a strong voicemail password that you change occasionally. Most of us prefer to get a message, so disabling voicemail is not a very popular option. Changing passwords on your voicemail can also be a little tricky, as the application will ask you first to type in your old password, something you may not know. Carefully review the procedures for your phone type before starting this process.
Knowing what is happening with access to your voicemail is also an important, although often neglected, piece of information. Not all services yet send you notifications of suspicious voicemail access attempts, but this should be something all providers offer. You’ll know something is not right when messages you haven’t already heard are flagged as not new, or when there is an increase in the number of callers telling you they left a message that you never received.
The News International scandal broke two years ago, but the risk to all mobile users’ voicemail is still prevalent if we don’t take the proper steps. Blog posts covered the topic back in 2011, but it never hurts to reiterate the steps you should take to avoid becoming a victim.
About the Author:
John Ceraolo is the chief security officer at 3Cinteractive where he directs the organization’s enterprise risk management, business continuity, and information security. Ceraolo has been leading security initiatives within global organizations for over 20 years.