AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability
from the caller-id-spoofing dept
Many mobile phones’ voicemail systems have worked on the basis of checking the caller ID of the incoming caller — and if it matched the number of the voicemail box, it would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn’t have to put in the passcode to get to the messages. The only problem with this was that, if anyone could spoof your caller ID, they could access your voicemail. After a few high profile such voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, that went under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.
That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?
Comments on “AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability”
Maybe it's the sim cards?
Since both AT&T and T-Mobile are SIM-based operators, I wouldn’t be surprised if they were more (or exclusively) susceptible to these sorts of attacks. Verizon and Sprint both authenticate all kinds of information (possibly including identity for voicemail) based on the phone’s ESN. It’s possible that it’s much more difficult to spoof an ESN, or even get your hands on it.
This is also why stolen Sprint / Verizon phones have little to no value on the black market, where ATT phones fetch a nice premium. Slip in a SIM card and you’re free to go, no matter who the device came from. Verizon / Sprint track phones based on ESN and owner, so you can’t activate a phone that’s been reported stolen.
Re: Maybe it's the sim cards?
I could be wrong, but I am going to say it anyway. I believe that AT&T and T-Mobile both use the ESN for the same purposes. The problem is that customers do not report the ESN as belonging to them. so when their phone is stolen it can not be tracked. However if as the customer you follow the rules of your agreement with said company and register the ESN can be tracked.
Re: Re: Maybe it's the sim cards?
(addressing the theft/esn issue and i dunno what this has to do with anything, but here we go) and there’s also the fact that these companies don’t tell their customers what to do when they sell their old mobiles on ebay or craigstlist. they just tell them not to sell them and expect people to be out the cost of the old phone when they buy a new one. they aren’t told about how to clear the esn and other information off of the phone before they sell it EVEN WHEN THEY REGISTER A NEW MOBILE ON THEIR ACCOUNTS. i bought a sprint blackberry on craigslist once…i could have just continued using the phone exactly as it was and have all of the use billed to the previous owner. it had their full address/phone book still on it, tons of personal information, a few hundred texts containing personal info on people other than the seller…granted, sprint is unlike other providers in that their customer service is a pile of smelly elephant assholes and it’s all operated by people who barely speak english and simply use a piece of software to tell them exactly how to interact with customers…but…c’mon.
Re: Re: Maybe it's the sim cards?
I work for at&t in sales, and I don’t think this is the case. As far as I know, there is no way to remotely kill a stolen phone, aside from using special executive work programs like Good. Its best to contact ATT as soon as possible after your phone is stolen and have them put a hold on the account, killing the SIM card.
Re: Maybe it's the sim cards?
Nah, it’s really easy to pull a phone’s IMEI. On any handset, just type *#06# for instance, and it’ll cough it up. You don’t even need to pop the battery out to look for it. I don’t think would be a good idea to authenticate based on this number.
Re: Re: Maybe it's the sim cards?
How easy is it to get another phone to report that as its own number?
Re: Re: Re: Maybe it's the sim cards?
My Linksys VoIP box can set CallerID to whatever I want. I guess this should work.
misleading about their susceptibility to the hack
Microsoft next, then Google, then xxxx, etc…
Nice precedence to set…
Ever notice...
Ever notice how AT*Ts logo looks like the Death Star from Star Wars? No coincidence there, now is there?
odd
I’ve been a T-Mobile customer for a good while now and it’s always asked me to enter a 6 digit pass code to check my voicemail.
odd
Once upon a time, the default on T-mobile was no passcode, although you could set one if you chose to. Now, T-mobile makes you set a passcode, with the option to not have one if you choose.
It’s kinda like when Microsoft included a firewall in Windows XP but left it off by default, then turned around and made it on by default in SP2.
I have been using T-mobile for a few years now. I like not having a passcode set. I have no interesting voicemails, so I’m not worried about someone hacking them. LOL
The real problem is the CID is insecure
The real problem is the CID is insecure and can be spoofed. That’s the only problem and the problem that needs fixing.
The telcos made an insecure system and they should be prohibited from delivering calling party data that is not correct. If there were a fine for delivering false Caller ID data they would have to either secure those systems or stop selling Caller ID at all. Either solution would be appropriate.
Cingular/ATT statement
I’m late to the comment party for this story, but here goes:
I remember reading a statement from Cingular/AT&T that their voicemail always required a passcode–which was totally incorrect as, at that time and now, I was able to get into my voicemail without entering a passcode.