Lawmaker urges Sprint, T-Moble to bolster voicemail security

Share this article:
Sen. Barbara Boxer is urging that telecommunications companies Sprint Nextel and T-Mobile improve voicemail security in light of the ongoing U.K. scandal accusing Rupert Murdoch's media empire of phone hacking.

Boxer, D-Calif., on Thursday sent letters to the CEOs of Sprint and T-Mobile asking that immediate action be taken to fix what she called a “serious” vulnerability that could be leveraged by an attacker to gain access to users' voicemail accounts.

In the U.K., reporters at Murdoch's now-defunct News of the World stand accused of employing people to break into the voicemails of thousands of people. Citing security experts, Boxer said that both Sprint and T-Mobile users are vulnerable to similar attacks because the companies do not require customers to enter a personal identification number (PIN) when accessing voicemail from their own phone.

By spoofing the caller ID information using freely available tools, an attacker can make it appear as if they are calling from a victim's phone, allowing them to access voicemail without being prompted for a PIN, Boxer said.

“Right now, the voicemail accounts of Sprint customers are at risk of being hacked because of your company's security policies,” Boxer wrote in her letter to Sprint CEO Dan Hesse.

When Sprint users first establish service, they are required to select whether they wish to enable a PIN bypass option, Boxer said.

Sprint, in a statement sent to SCMagazineUS.com on Thursday, said its default voicemail setting does require customers to use a passcode for accessing voicemail messages.

“We strongly encourage the customer to continue using the passcode,” Sprint said in its statement.  “If the customer chooses to skip the passcode, they are warned with strong language that the voicemail account will be vulnerable to unauthorized access.”

In her letter, Boxer acknowledged that the company recommends against bypassing the PIN, but said customers are not warned about voicemail-hacking techniques.

In contrast, Boxer said, Verizon Wireless always requires subscribers to enter a PIN to access their voicemail. Too, AT&T recently announced that it would change its default settings for new subscribers, requiring them to enter a PIN.  

A representative from T-Mobile did not immediately have a comment when contacted by SCMagazineUS.com on Thursday.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Hackers grab email addresses of CurrentC pilot participants

Hackers grab email addresses of CurrentC pilot participants

Although the hack didn't breach the mobile payment app itself, consumer confidence may be shaken.

Operators disable firewall features to increase network performance, survey finds

Operators disable firewall features to increase network performance, ...

McAfee found that 60 percent of 504 surveyed IT professionals prioritize security as the primary driver of network design.

PCI publishes guidance on security awareness programs

PCI publishes guidance on security awareness programs

The guidance, developed by a PCI Special Interest Group, will help merchants educate staff on protecting cardholder data.