Hack AT&T Voicemail With Android

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Placing blame

[SilverHatHacker]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Re:Placing blame

[JaZz0r]

Caller ID spoofing is nothing new. It can be done from a number of [spoofcard.com] different [telespoof.com] services [spooftel.com]. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Re:Placing blame

[PopeRatzo]

You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Yes, but if the story were to mention that, it wouldn't work as FUD.

Re:

[Anonymous Coward]

+1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if i'm not mistaken, blackberry and iphones both have access to such apps.

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before

Re:

[Bert64]

Don't complain to the developers or the spoofing services...

Complain to the telco that uses something as insecure as CLI to authenticate you.

The spoofing services are doing you a favor by educating people about how easy it is to spoof CLI. Would you rather be totally naive and completely trusting when you get a call from your banks number and a guy with a nigerian accent cheerfully takes down your account details?

Re:Placing blame

[pushing-robot]

Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

Re:

[QuantumRiff]

does it have to be on ATT's network? What if I spoof the Caller ID of my home phone using asterisk? (or something else?)

Re:

[mjwx]

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

I dont see why Google should do anything about the applications. Nothing has violated Google's TOS here. They are violating AT&T's TOS so let AT&T be the bad guys and ban the violators from their networks.

years old vulnerability

[SuperBanana]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. [slashdot.org] Carriers have known about the issue for half a decade or more.

The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

Re:years old vulnerability

[nxtw]

Holy shit, that post looks familiar.

Re:Placing blame

[eyeota]

ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

Re:

[Kirijini]

No Bell in the right mind accepts ANI from their customer

Bell? what is this "Bell" stuff you're talking about? All the baby bells have been gobbled up. AT&T and Verizon are all that's left... [jerrykang.net]

Re:

[AHuxley]

Encryption is expensive per chip or via backhaul or bites into some business plan.
Rust belt hardware been allowed to rest in place until they are at a price point to replace it?
Or the admins need or want some easy billing/helping/connecting system that can be worked with to get a solution rather than 'trust me with your password to fix this" dead end
Other ideas are third party outsourced billing or phone taps?

Re:

[Stupendoussteve]

Who is blaming Android? Tone of the article is negative towards AT&T, not towards Android. It just happens that apps to do this are easy to come by for Android.

Re:

[rjch]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

The article isn't blaming Android for this - the finger is pointed at AT&T for such lax security. The only reason Android is referenced is that there happen to be apps available to spoof caller ID from them.

In Australia, we don't have this problem because caller ID spoofing of any kind is not allowed and is actively blocked from any landline or mobile service - if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset

Re:

[MichaelSmith]

if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

Re:

[rjch]

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

Re:

[MichaelSmith]

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

Thats what I mean. You can still pretend to be another number on the same service.

Re:

[sjames]

It is absolutely positively NOT how voicemail is supposed to work but Android isn't the blame.

AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in it's

Re:

[mjwx]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerised system. The fact that you're spoofing it using an Android app is irrelevant.

You see this is how AT&T is trying to discredit android. Locking down the handsets is bad enough but now they're trying to say "OMG, they're out of the walled garden, it's terrible and look at all the damage they are doing !!110NE11!

Re:

[ArsenneLupin]

if you don't put a password on it, you're just as much to blame

Do you lock the door to each room in your house?
No, you don't need to, you just lock the front door (and other exterior doors).

Same thing here: customers (and apparently the telco too) believed that caller-id was protection enough, so no password is needed.

The real scandal here is why isn't caller-id unspoofable? If this hack would only be possible from professional equipment or from PABX'es connected via a trunk line, I might understand.

But accessible from every handset? The designers of such system mu

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Any other phone?

[reaper]

Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

Re:

[nobodyman]

I agree that it's not Google's fault, but I think the point is that Android lowers the bar for someone attempting this. Configuring asterisk to spoof caller ID and retrieving voicemail is possible, but relatively few have the proficiency to do this. Any idiot can buy an Android phone.

Re:

[jothar hillpeople]

I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- i was trying to goof on a friend by having his phone ring with his own number. Then i got the voicemail prompt, and i hung up.

So what's new?

[Anonymous Coward]

This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

Re:

[DarthBart]

Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

Now, granted, there is ANI, which is often set to the main "Bill-To Num

Re:

[AK Marc]

how does the telco know what CID to set for the business placing the call.

How about they don't set the CID, but strip it if the number handed to them isn't authorized on that line? That would fix the problem in most cases.

Re:

[pipedwho]

Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

It should also be the responsibility of the up line provider to make sure that the advertised caller IDs are either blank or valid before passing them on. If an advertised caller ID isn't a subset of the valid subscribed numbers for its respective down line segment, then it should either be blanked or invalidated.

Not just Android

[agent_vee]

My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.

Voicemail shoud only accept the users phone...

[s0litaire]

...IMEI rather than phone No.

As well as a password.

If you get a new phone! all you need to do is link your new IMEI and remove the old one. It's more secure and pushes things up a notch legal-wise if someone tries to spoof a IMEI!!

Re:

[mjwx]

...IMEI rather than phone No.

What if I change phones? My old phone breaks and I buy the $40 special from JB HiFi.

I have to call the phone companies customer disservice line and get my new IMEI assigned to my voicemail account and hope they dont screw it up in the six to eight weeks it takes them to do anything.

A better solution is to enforce voicemail passwords. They already make you set a message before activating it, adding a requirement for a 4 digit min numerical password should be trivial.

iPhone makes you enter password on setup

[SuperKendall]

Is the default really no password for most AT&T phones? I seem to recall part of the iPhone setup requiring you to enter a vmail password.

Re:

[FSWKU]

AT&T should make setting up a password the first thing you do on your voicemail. Set it initially to say, the last 4 digits of your account #, then change it from there. The current process is as follows:

1. Press 2 for Administrative Options
2. Press 1 for Passwords
3. Press 1 to set a password
4. Set your password
5. Get dumped back to the main menu
6. Press 2 for Administrative Options
7. Press 1 for Passwords
8. Press 2 to turn your password on

AT&T hardware has the same loophole

[tompaulco]

I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.

slashdot worthy?

[ZeroNullVoid]

please tell me this is slashdot worthy?

I see this post as the same thing as saying one of the following:

You can hack into a car by throwing your android phone really hard at a window.
There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
Hack the airwaves, play music on your android.

...what?

[Urza9814]

AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.

Something similar was true in the UK too

[choco]

I haven't tried for a couple of years, but accessing voicemail by spoofing CLI certainly used to work on at least two UK mobile networks (N.B. I tested it using my own accounts).

Many people are not aware how easy it can be to spoof CLI in the UK.

How many?

[ScrewMaster]

How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?

Answer: none. Nobody knows Washington better than AT&T.

Re:passwords..

[Lehk228]

without a password voicemail should only accept connections from the owners phone.

Re:

[quetwo]

and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....

Re:

[omnichad]

The same way that the roaming tower knows whom to bill for carrying the call. They can easily use ANI or SIM details to verify the identity - caller ID is just an info service, not a security mechanism.

Re:

[shutdown -p now]

and how would things like roaming work?

I would imagine in roughly the same way they use to determine whom to charge for roaming?

I mean, funny how they don't get these kinds of things wrong when it comes to billing, eh?

Re:passwords..

[X0563511]

It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...

Re:

[Anonymous Coward]

> If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

Validation based on ANI (this is not the same as Caller ID) i

Re:

[MichaelSmith]

Similar problem with default wifi router passwords. If the default password was set to the serial number of the device, hacking would be more difficult. Not perfect, but better. For a mobile phone the voicemail password could be part of the IMEI. Then you can set what you want. Not sure about land lines. Maybe something from the subscribers personal information? Their date of birth for example.

Re:

[mlts]

Even that isn't really secure. If someone can spoof ANI requests, they can just keep calling until they go through all 4 digits, perhaps more digits if they feel like it. I don't think voice mail systems have a lockout/time delay if someone is trying to guess the PIN.

In reality, the best way a cellular provider could handle this would be to have the protocol (GSM, etc) have a private key on the SIM card, and when the VM system is called, do a challenge/response (signing a timestamp + nonce value for examp

Re:

[sjames]

But in this case, it's an AT&T voicemail on the AT&T network being called from an AT&T customer account. If they can figure out who to bill for minutes, they can figure out what phone is calling. If they CAN'T, it's time to just shut the network off and call it a day.

Re:passwords..

[markov_chain]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Because that's not how vmail is used

[SuperKendall]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

Re:

[pipedwho]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

In fact, most people I know hardly ever bother to even check their voice mail - they rely purely on SMS and their phone's 'recent missed calls' list. If their phone stopped working or wasn't available, access to voice mail would be the least of their problems.

Re:

[PopeRatzo]

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.

This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you

Re:

[pipedwho]

I completely agree with this. For those that want the additional 'universal voice mail access' service, let them enable it separately and force it to require a valid password/PIN.

Re:

[Khyber]

"Did you read the bit about caller ID spoofing?"

Totally fucking irrelevant. You know what identifies you on a cellular system more than any other fucking thing? The MAC of the phone you registered to the damned service. Unless they got some new boneheaded system in place I'm not aware of, the MAC of every damned phone it printed right behind the fucking battery.

Re:

[LBt1st]

You'd think the phone company could use better methods to determine this. As other people have pointed out, they don't use Call ID to handle billing. Why should voicemail be any different?

Re:passwords..

[tomhudson]

1-2-3-4-5

Local police station used that, a guy spent months messing around with informants, cops girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.

Arrested, charged, convicted, probation ... does it again!

The cops never changed the password.

Re:

[mrsteveman1]

Really? You think the caller ID spoofing is the problem here?

Re:Ha!

[X0563511]

I like how you forget the first sentence by the time you move on to the second.

Allow me to repeat him:

Passwords People, they are not just for Game shows.

Re:

[icebike]

My first line somehow escape your attention?

Re:

[mrsteveman1]

No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

Re:

[icebike]

Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.

Re:Ha!

[mrsteveman1]

So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

Re:Ha!

[fuzzyfuzzyfungus]

One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?

Precisely

[baileydau]

callerid is not the same as the ANI number on the call. The ANI is what is used to bill.

I think that was exactly the GPs point.

If they used the ANI rather than the caller ID, there wouldn't be a problem.

Re:

[ElKry]

And yet, they are at fault anyway. Just because a lot of people do something doesn't mean their responsibility is automatically waived.

Re:

[Aeternitas827]

Wait...so you mean to tell me, the consumer is absolved of every bit of fault, and it lies with the carrier, by not opting to use (in this case) security options that are available to them? It's not as if they have no idea that the password to their voicemail exists, it's the second thing you have to enter when you first dial your voicemail to set it up. To put it another way, what you're insinuating is that the following is a valid chain of logic:

1: I set a password...
2: I'm never asked for my password.

Re:

[ciscoguy01]

You call your own voicemail from your own cellphone, the operator of your own network is *supposed* to know who you are. It's just not too much to ask.
Making you use a password to call your own voicemail from your own phone, well, if that's the only security the telcos have they are very lacking.
I am not going to give the telcos a pass on the security of your own phone and your own voicemail, calling from their own network. They need to secure all that.
If their system is so lame they don't know wh

Re:

[Bert64]

But MOST systems don't use the CLI (a field which is trivially set) to determine what number you're calling from...
There are other systems used for identifying a caller, like ANI which gets routed between telcos but doesn't get shown to end users, this is used for billing of network termination charges etc.

And surely if someone is calling their own number, then the call never has to leave the operators network so they *know* where its from. I can't access my voicemail even from my own phone when i'm roaming

Re:

[rfuilrez]

The IMEI number changes with the phone. So, if I took my SIM card out, and put it in another phone BAM new IMEI number.

Re:

[ciscoguy01]

The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

The fault is the telcos (of which ATT is the biggest and oldest one) who years ago designed an insecure caller ID system. It's been known that the system is insecure for *years* now, and there has been no move to fix it. Not a single effort by anyone.
The solution is to make delivery of caller ID data that is not true and correct just

Re:

[BlueBoxSW.com]

I would have been funnier if you started your comment with the word "Really?"...

Re:

[AK Marc]

I think caller ID spoofing is fraud and should be prosecuted as a criminal charge, and those phone companies that allow CID spoofing should be charged as conspirators.

Re:

[mlts]

Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs... then demanding more money or else they will text the spoofed ID about who was wanting to hack them.

What is needed is a two fold attack against this:

1: As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access. This should fall under computer trespassing statutes.

2: A technological solution: ANI, checking ESN/IMEI codes, a private key stored on the SIM card. Perhaps the next generation o

Re:

[AK Marc]

Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs...

Can you spoof CID internationally? If so, then it would be a simple check to see if it's coming in as a number that it can't be coming in as (just like all good network admins have RFC 1918 addresses blocked incoming to their network).

As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access.

Defining "spoofing" with the common and non-technical use of the word spoofing, all spoofing sh

Re:

[Bert64]

Can you spoof CID internationally?

Yes and no, some international links dont pass CLI at all, and some operators try to be clever and stamp the country code of where your coming from in front of the number you send (because some cli systems only send the number in local format without the international code)

Re:

[Bert64]

This is only a problem for AT&T, other networks don't have a problem... It's an insecure implementation on the part of AT&T and they need to fix it - like everyone else has.

Attempting to gain unauthorized access is already illegal, wether you do so by spoofing CLI or by breaking down the door with an axe.

If you make spoofing CLI illegal then you won't stop people doing it, you will just decrease the instances of it being done to a small group of hardened criminals.. That way the general public will

Re:

[poetmatt]

it's not even restricted to android.

Re:

[jeppster]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

Re:They Deserve It

[victorhooi]

heya,

Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.

Cheers,
Victor

Re:

[nobodyman]

I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?

Re:

[cgenman]

Why should you lock your voicemail if the only phone that is supposed to have access to it is your own?

If someone is spoofing your phone to your phone company, there are much bigger problems. It isn't impossible, but phone cloning is much harder to do now than in the early days of drive-by number stealing. These days the phone companies have pretty solid ways of knowing who you are for billing and other purposes. Yet they use caller-ID to determine voicemail access? That's just a bad implementation.

Re:

[mjwx]

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

The Police dont have to care but they still have to act on any information (I.E. they find your stuff or the car park had CCTV security insta

Re:

[MobileTatsu-NJG]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that.

I think for his logic to be interpreted correctly, you only deserved it if you left your house unlocked all the time.

Re:

[pipedwho]

Think on the bright side, at least the door jamb and locks weren't damaged during the 'break and enter'.

Re:

[blackicye]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

This is more akin to your locksmith knowing that your door was left unlockable every night and not informing you that he wasn't able to make it such that you could actually lock your door before you go to bed.

Re:

[mjwx]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

If your wife regally forgets to lock your house door then yes, yes you did deserve to get robbed.

By the same token if you don't put a password on important information stores then it's your own fault when someone just walks in a takes/modifies/deletes your info.

Re:They Deserve It

[DavidD_CA]

How many people even know to put a password on their cellphone voicemail?

I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

Re:

[Urza9814]

What carrier are you on? On Verizon (at least when I got my phone), it won't let you do _anything_ with your voicemail until you've set a password. This kind of 'hack' has been around for many, many years. Any carrier that doesn't require a voicemail password is being _extremely_ negligent.

Re:

[DavidD_CA]

I used AT&T voicemail (now I have a third-party voicemail service).

And I don't recall ever having to set a password, let alone dial my password every time I'd check my voicemail.

Re:

[mlts]

T-Mobile forces you to set a PIN, but leaves it up to you if you want it enabled when calling in on your own phone.

Re:

[pavon]

Same here with both Verizon and T-Mobile.

Who cares?

[Stiletto]

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages? Should I be afraid that Mr. Hacker knows that my wife is picking up cereal and eggs at Safeway this afternoon? Or that my buddy wants to go out for beer after work?

As Steve Jobs once said, "This is a non-issue."

Re:

[ColdWetDog]

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages?

Dear Mr. / Ms. Politico: I talked to my boss and he's cool with the plan. We will wire you your 1 million dollars into the account of your choice, you just have to push our bill through. Let me know what you want to do.

Thanks,
Your local lobbyist

Or somesuch similar conversation. Not everybody's life is as boring as ours is.

Re:Who cares?

[wembley fraggle]

I had heard of a scam wherein hackers change your outgoing voicemail message to be "I accept the charges", and then call you collect from one of those strange high-priced calling codes. Effectively, you end up responsible for a huge phone bill, some percentage of which goes to the hackers.

This could be one of those urban legends too- it's late and I'm too tired to confirm it right now, but one can at least see how this isn't necessarily a non-issue.

Re:

[PinkyGigglebrain]

A couple things I could think of off the top of my head that might make this an issue for you if somebody hacked your VM;
Lock you out of your VM for laughs. Sure, no biggie to fix but a hassle.
Plant some messages on your phone and then attract the attention of the police by calling someone I knew was being monitored by the DEA and spoofing your number to them. Have fun deneying that you don't know "Jose" or anything about a drug deal
Change your message to something threatening against the Pres., VP or PM

Re:

[Nirvelli]

Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.

Re:

[sjames]

Since it's SUPPOSED to only be accessible from your own phone, IT IS NOT THE USER'S FAULT!

Most people would naturally believe that THE PHONE COMPANY knows what number you're calling from. Apparently, AT&T only gives a flip about that when it comes to billing.

Re:

[MichaelSmith]

I am posting anon because I am a convicted hacker on probation.

So you expect that posting anonymous will prevent the police from identifying you? You can't be a very good "hacker" if you believe that.

Re:

[MichaelSmith]

Slashdot doesn't log IPs, so there is nothing that can be identified by the police.

So how do ACs get banned?

Re:

[TheVelvetFlamebait]

It's kind of sad how many situations this cut-and-paste troll is appropriate.