Mobile phone hacking - how the News of the World got the gossip

For a lot of the last month or so, the tabloid ‘phone-hacking’ scandal has been dominating the headlines in Great Britain and in much of the rest of the world.

What was the scandal?
It started when journalists from the News of the World newspaper were found to have hired people to ‘hack’ into celebrities’ mobile phone voicemail services to hear their private messages. The journalists then took to doing the hacking themselves.

The scandal deepened when it was alleged that people working for the News of the World hacked into the voicemail of then-missing teenager Amanda Dowler in 2002, and even deleted some of the voicemail messages that had been left for her.

The problem may not be limited to the News of the World, however. Other newspapers and journalists have also been accused of doing similar things, so it may have been a not-unusual tabloid tactic until relatively recently.

What’s missing in a lot of the coverage is quite an important question: how is it that so many people found it easy to access other people’s messages?

We’re going to take a look at just how easy it is (or was) to hack into a voicemail account and we’ll provide you with some tips for securing your voicemail.

What is phone hacking?
The term hacker originally meant a computer expert but these days it is commonly used to describe people who break into others’ computers. Now it’s also used to describe those who do the same to mobile phones.

When someone says the word ‘hacker’ it might conjure up an image of a techno-wizard doing all sorts of trickery. When it comes to phone hacking, however, this can be very far from the truth.

The allegations against the News of the World date back several years to the early 2000s, and the technology has changed a lot since then.

Both then and now, users needed a Pin to access their voicemail. The personal identification number would allow them to listen to their voicemail messages from another phone.

The Pin was only required if you were calling for your voicemail messages from a different phone or network.

For many people, though, this wasn’t made clear because if they dialled the voicemail number from their own phone, it would automatically put them through to their voicemail box. Because few people accessed their voicemail boxes otherwise, most people weren’t even aware their mailbox came with a Pin.

The networks set default Pins for everyone, with the idea being that people would change it to something unique. If they didn’t, the default Pin was all that was required to get into a voicemail box. Because few people changed them or knew about them, mailbox hacking in these days was surprisingly simple.

What happens now?
Things have changed since those days. The mobile phone companies got rid of those default Pins years ago and now, in order to get access to their voicemail messages, users have to choose their own Pins.

We asked the major mobile operators to tell us how they currently run the security for their voicemail systems.

Orange said that in order to access voicemail remotely, a personalised number must have been chosen by the user. The company also said that ‘easy-to-guess’ Pins that contain repeated numbers (such as 2222) or consecutive numbers (5678) cannot be used.

The Three network allows for a Pin up to eight digits long. Users are asked to select their own when they first set up access to their voicemail boxes. Remote access to voicemail from another phone isn’t possible until a Pin has been set up.

Vodafone said that in order to get access to voicemail messages using another phone, users need to call a specific number (07836 121 121) and then follow the steps to set up a Pin.

With those safeguards in place, how would a hacker get access to Sienna Miller’s voicemail messages now? They could still call the phone number and hope it is either engaged or it isn’t answered, then try and guess the Pin to gain access, though they are now harder to guess.

One complicating factor is that, if you have had your phone for a long time and have never set your own Pin (or you kept the default one) you may still have the default one on your voicemail box.

T-Mobile, for instance, told us that it “did repeatedly communicate the importance of having unique Pin numbers for voicemail systems and we hope that this, when coupled with the individual’s responsibility, would ensure that Pin numbers were changed regularly”, but it has not forced those older customers to switch from the default Pin.

On other networks it is made much easier by the presence of a generic voicemail number (as on Vodafone) that asks the hacker to enter the phone number and Pin. The issue being, both methods require that the hacker knows, or can guess, the Pin.

Our verdict
The fact is that whenever voicemails can be accessed remotely, there will be a danger that hackers can either guess or illegally obtain the Pin for access.

One answer would be to stop remote voicemail access altogether (so you can only access your mailbox from your own phone) but when we asked about this, T-Mobile told us: “[Remote voicemail] is still valued by customers who use it, and we don’t have any plans to stop offering the service.”

One rather drastic answer is to turn your voicemail service off completely, but otherwise the best thing to do is just to set as hard-to-guess a Pin as possible. If you don’t know how, contact your network for more information.