We have written a short article on what is meant by phone hacking, and some simple precautions that can reduce the risk of data theft or reputational damage arising as a result of phone hacking or theft.
Recent incidents of “phone hacking” were as simple as calling a mobile number and breaking into voicemail accounts protected only by default passwords (PINs). The good news is that most new phones don’t ship with default PINs any more, but this doesn’t always help secure your phone.
Three simple tips will help you reduce the likelihood and impact of voicemail hacking:
1. Delete voicemails when you have listened to them
2. Try not to record sensitive conversations using voicemail, and encourage others not to leave them for you
3. Secure your voicemail accounts by changing your PINs at regular intervals, and by keeping the PINs secret
Voicemail security is limited by the number of digits in the PIN and three other things that have been known to happen to your phone and the associated accounts.
1. Your telephone provider does not ship the device with a default PIN
2. Your telephone provider does not set up the phone to automatically text you if an incorrect PIN is tried, or take some other precautionary measure such as disabling voicemail after a specified number of attempts.
3. The call centres that manage password resets for your mobile phones do not require adequate identity validation before they reset your voicemail PINs. It is not unheard of for a call centre operative to reset a voicemail PIN on request without verifying whether the caller is actually the account holder.
The above potential issues can be checked quite easily, either by reading the documentation supplied with the phone, or by actually trying incorrect PINs or ringing the call centre to see whether they carry out the security checks before resetting your voicemail PIN.
While the recent exploits highlighted voicemail security, it is also good practice to consider the following potential issues with mobile device security. Most of them arise because our mobile phones are now more akin to portable computers with a built-in modem, but without the rudimentary security controls that we take for granted on our corporate PCs and IT systems:
1. The encryption used to secure communications between the phones and the access points (APNs) provided by Vodafone et al. is known to be “crackable”. However, this needs a high degree of opportunity (you need to be close to your intended victim) and skill to achieve.
2. You can be traced by the GPS signal on your phone; again, the risk of local phone hacking once someone knows your location using GPS is low.
3. Bluetooth hacking on certain phones, resulting in people manipulating phone settings and numbers in memory, and dialling numbers using the compromised devices.
4. Wi-Fi hacking for users who have either connected to open networks or those networks which have poor encryption.
5. Honey Pot Attacks – this is where unscrupulous hackers set up a Wi-Fi access point with a network sniffer configured to record all traffic passing over it, including passwords, emails, and other non-encrypted network sessions.
6. Many mobile phones use email sessions that do not use the secure protocols offered as options in most email provider configurations. It is then relatively simple to intercept network sessions on badly configured Wi-Fi networks, potentially resulting in unauthorised disclosure of personal or business information assets.
However, losing your phone and not encrypting the data on it is the biggest risk. If you don’t take sensible precautions such as encrypting your phone and setting it to wipe on unsuccessful decryption attempts, it would not take long for data on a lost or stolen device to be in the hands of criminals, business competitors or other threat sources.