How phone hacking works (and other lessons from the News Corp. scandal)

The News Corp. scandal brings to light a sometimes overlooked threat to the public at large.
Written by Tuan Nguyen, Contributor

Anyone who's paid attention to the news lately has likely been bombarded with round-the-clock-updates on the phone hacking scandal that has ensnared Ruport Murdoch's News Corp empire.

But if you looked past the melodrama being played out before the entire world, or even beyond the often-discussed concerns over press ethics and journalists' unsavory ties to government officials, the unfolding scandal brings to light, in my opinion, an equally disturbing (if not worse) threat to the public at large: phone hacking.

How did the reporters do it? And since just about everyone these days has a voicemail enabled cell phone, how vulnerable are we?

Before we get to these questions, here's a brief rundown in case anyone needs to get up to speed:

The crisis, which erupted earlier this month, has revealed that employees at the company's British tabloid News of the World illegally accessed and tampered with the voicemail accounts of  terrorist victims, deceased British soldiers and Milly Dowler, a 13-year-old girl who was murdered in 2002. There also has been allegations suggesting that the illegal activity was not just an isolated case of a few rogue staffers misbehaving, but an elaborate and covert operation involving senior executives at News Corp., Scotland Yard and even the Prime Minister David Cameron.

The investigation is still ongoing so a more comprehensive picture of what transpired will take shape as more details come to light. But what we do know, at least in a technological sense, is that there are essentially three main tactics the intruders likely used to access private voicemail accounts, according to an in-depth report published by the popular tech blog Gizmodo. And to give you a well-informed idea of how this whole shady business of phone hacking works, here are the quick and dirty blueprints of these methods:

Tactic #1

1. The phone company provides an external number customers can use to access their inbox.
2. The service gives access to the caller dailing in if it recognizes that the customer is calling in from an approved phone number, like their cell phone.
3. The loophole in this system is that the service makes this determination by reading the incoming caller ID.
4. Crooks can easily spoof a user's Caller ID using Voice Over IP and some software.

Tactic #2

1. Most of the time, the service offers an additional barrier of protection by requiring that the person calling in enter a four digit password.
2. The problem is that users are initially given a default password, which they can change once they access the system.
3. Typically, the default password is the last four digits of the person's phone number.
4. Customers often don't take the extra step to create a personalized password. Hackers know this and are more than happy to take advantage what can amount to be a serious lapse in judgement.

Tactic #3

1. For the sake of convenience, another way users can often access their voice mailbox is by dialing their own number and entering a secure password.
2. Hackers, too, have a way of mimicking this sequence, but it requires that they first have somebody occupy the user's phone line.
3. While the line is being held up, a call to that number -- with the correct spoofed caller ID --  goes directly to voice mail .
4. To get past the security password barrier, hackers would sometimes reset the code by calling the provider's customer service department and successfully impersonating the user.

The report also highlights one of the major reasons why voicemail in particular has become such an easy target for hackers. It's a scheme that can be pulled off repeatedly without rousing any sort of suspicion; no one knows if a message has been accessed if the hacker remembers to categorize the accessed recordings as new, a feature that's also used with email.

Although there isn't a 100 percent foolproof way to protect against such transgressions, most instances of phone hacking can be prevented simply by activating a personal security code that no one else knows. Steven Rambam, an investigator and director of Pallorium, Inc., told Gizmodo that "90 percent voicemail-specific problems can be prevented if strong passwords are put into place."

To fortify security measures, companies can also require more stringent criteria to verify the identity of customers requesting sensitive information, says SPP Blue security expert Hemanshu Nigam, in an interview with the Washington Post.

If as a society we learn anything from this, it's that the more barriers put in the place, the more we can deter the bad guys from making us targets.

Major hat tip: Gizmodo

Related on SmartPlanet:

Learn more about crime fighting tech:

This post was originally published on Smartplanet.com

Editorial standards