UK operators say voicemail weaknesses fixed

Operators are taking steps to reassure customers their voicemail systems are secure amid the phone hacking scandal

As the phone hacking saga continues to grip the U.K., mobile operators contend that spying on someone's voicemail messages wouldn't be possible today as several weaknesses in the systems have been eliminated.

Reporters and private investigators working for the News of the World tabloid, owned by Rupert Murdoch's News Corp., are accused of repeatedly illegally accessed the voicemail messages of more than 4,000 people -- from royal family members to an abducted and later murdered 13-year-old girl in 2002 -- for information for news stories.

The phone hacking scandal has rocked the U.K., with the arrest of a top adviser to Prime Minister David Cameron and two senior officials at Scotland Yard resigning so far. Murdoch, his son James, and Rebekah Brooks -- formerly chief executive of News International and editor of the now-shuttered News of the World tabloid -- were due to answer questions in Parliament on Tuesday.

The voicemail spying has been termed "phone hacking" but actually involved a series of nontechnical simple tricks crafted around the previously lax security controls for voicemail accounts.

In the U.K., private investigators and journalists allegedly gained access to voicemail accounts for famous people often by dialing an operator's dedicated voicemail line and then trying the default 4-digit Personal Identification Number (PIN) assigned to the account. That was highly successful since few of the victims changed the default PIN. And if they did change it, there was always the possibility of tricking -- or bribing -- a customer service representative at the operator into resetting the PIN to the default value.

Other ways accounts may have been accessed include successfully spoofing the victim's phone number. Many voicemail accounts are configured so that a PIN is not required if a person calls from their own telephone. Access could then be immediately gained if a number is successfully spoofed, although the practice is illegal in the U.K.

Compared to the early 2000s, operators have made it more difficult for the so-called hacking.

By default, at least four of the five major operators in the U.K. -- Three, T-Mobile, Vodafone and O2 -- block access to voicemail from anything other than the subscriber's own phone. To enable access from other devices, the subscriber must first set a PIN by dialing in from their own phone, closing off one of the major security errors that enabled mass hacking in the U.K.

Vodafone, Orange and T-Mobile also do not allow their subscribers to set lazy PINs, such as "1111" and "5678," again taking away more low-hanging fruit.

Vodafone will also lock out a person from their voicemail if the subscriber enters an incorrect code three times, preventing a "brute force" style of attack where PIN combinations are repeatedly tried. The subscriber then has to contact Vodafone's customer service representative, who will send out a new randomly generated four-digit PIN by SMS.

Customer service representatives at Three, Vodafone and O2 do not have access to voicemail PINs and can merely reset them. That prevents a spy from trying to bribe someone on the inside for the PIN.

Number spoofing is also unlikely to work. In the U.S., [[xref:|it is possible to use a call spoofing service |Is Your Voicemail Wide Open? — Krebs on Security]] that would allow access to a voicemail account if the PIN is not enabled.

That would not work on O2's network however, said Andrew Cocks, spokesman for Telefónica UK Limited, which runs O2. Cocks said O2's voicemail platform does not "trust" off- network caller ID systems. If it senses one, it forces the entry of a PIN to access the voicemail, he said.

But there are still some inherent weaknesses in the systems that would be difficult to eliminate without doing away with voicemail completely.

Identity theft remains a huge problem across any industry that handles personal data. Using methods such as digging through garbage for mail, hacking personal computers and other subterfuge, an identity thief seeks to collect as much information as possible on a victim for person gain, which could include trying to obtain credit cards or loans in another person's name.

The identity theft risk applies to voicemail since if someone forgets their PIN, the person would need to contact an operator's call center to reset it. To ensure the subscriber's identity, representatives ask personal or account questions, such as the first line of their address, birthdate or other information.

A recent call to O2's customer service found that the representative asked the subscriber's name and security password on the account. If that information is correctly provided by the snoop, O2 will reset the voicemail PIN for devices that are not smartphones to a temporary default password of "8705," advising the customer to change it.

That weakness would be difficult to overcome, since it depends more on the personal security practices of the subscriber in how they handle -- or in some cases, mishandle -- their own personal data.

Send news tips and comments to

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitymobile securityo2Access control and authenticationVodafone Groupthreeorangedata protectionT-Mobile International

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?