So the news this week is filled with ever-changing horror about how various reporters in the Murdoch's News Corp. "hacked" into the cell phone voice mail accounts of prominent Britons. How did News of The World reporters actually hack cell phones and should you be concerned that it could happen to you?
Questions abound about News Corp. and journalistic ethics. The media punditry on the Web is having a field day going after Rupert Murdoch and his son James and the News Corp. empire and the British Parliament is making them testify today concerning exactly what happened at NoW. Outside of the circus that News Corp. has become in the last week, phone-hacking is an alarming issue, no matter who has committed the crime. Turns out, it is not that hard to do.
The hacking was minimal at best: apparently, reporters asked their shift editor to make calls using a phone spoofing service to the cell of the intended victim. These services can be set up to use any specified caller ID, so once a mobile number is known, it is easy to obtain your voicemail. This is because most cell phones allow immediate access to your voicemail from your own calling number without any password or PIN number. Three of the four US cellular carriers operate this way - only Verizon requires all subscribers to use a PIN on their voicemail accounts.
In the past, many of us guarded our cell numbers for financial reasons: plans cost a lot for few minutes. But as cell plans got more generous with their minutes, and as more carriers made mobile-to-mobile minutes "free," more of us have given out our cell numbers on our business cards and in our email signatures.
So what is involved with spoofing your cell number? The market is huge, and the number of sites that offer this "service" seem somewhat like walking past the part of town where merchandise is offered for sale on blankets along the sidewalk. Basically, you sign up for a service (there are some free ones around, too). Next, you dial an access number for the service and then enter the number you want to call and then the caller id number you want to be displayed. Most services have simple voice prompts. When your call is completed, your party will see the caller ID that you entered, rather than the "real" calling number of your phone.
Once someone accesses your voicemail, there is really no way you can know it, unless they delete your messages. Most services have a way to mark a message as unread after it has been listened to.
If you want to know more about caller ID spoofing, check out this Web site which has a nice historical perspective.
Skype Out has had for a long time the ability to adjust its caller ID, but it goes through a series of checks to make sure that you at least own (or have in your possession at the time) the mobile phone number that you give it for this service.
The moral of the story: If you care about your voicemail security, use a PIN. And preferably not 1234 or 2000 or something that is easily guessed.