Optus and Virgin Mobile make it easy for hackers to access customers' voicemail remotely as they do not require issued PINs to be changed, warn security experts.
The security experts say telcos should require rather than prompt customers to change their voicemail PIN, especially given the hacking scandal plaguing News Corp's News of the World newspaper, where reporters allegedly gained access to prominent people's voicemail.
Advertisement: Story continues below
If a telco-issued PIN is left unchanged it can allow anyone to guess what it is, which can be "trivial" in some cases, according to one security expert, especially if the PIN issued by a telco is derived from a customer's telephone number.Optus, Virgin Mobile, Telstra and Vodafone all allow for access to their voicemail service from any telephone by calling a remote access number and entering a phone number and its PIN.
On Telstra and Vodafone a customer's PIN must be changed before remote access is allowed, according to spokespeople from both companies. But for Virgin Mobile and Optus the opposite is the case.
On Optus, when first setting up voicemail access on a fixed-line or mobile service, a customer is prompted to change their PIN but is not required to do so, according to a company spokesman.
"Customers are given the choice and are prompted to change their PIN...," the Optus spokesman said.
"Optus encourages its customers to contact customer care immediately if they feel as though their security has been compromised."
On Virgin, it too prompts customers to change their PIN, but, like Optus, does not require it.
A Virgin Mobile spokeswoman said each customer was issued with "a specific PIN".
"We emphasise they should change this as soon as possible to a number that is secure and familiar to them," the Virgin spokeswoman said. "This change can be made by calling customer service. Assuming the customer can correctly verify his account, the PIN can be changed, with immediate effect, over the phone."
The default issued PIN for Optus customers is the last four digits of their number for both fixed-line and mobile customers. It is understood Virgin Mobile PINs also relate to a customer's number.
If a Telstra customer does not change their PIN on their mobile or fixed-line service they can continue to access voicemail without a unique PIN directly from the phone they are using, according to Telstra spokesman Craig Middleton. But to access it remotely "you cannot use the default PIN".
"To access MessageBank remotely you must set up a unique PIN ... first," Middleton said. "If you attempt to use the default PIN remotely it will tell you you can't and [that] you have to set up a new PIN."
Vodafone said the first time a customer accessed its voicemail service they had "to set a PIN between 4 and 10 digits. The PIN can't contain sequential numbers or include double digits".
James Turner, an Australian security analyst at IBRS, said leaving passwords or PINs as the default on any system had "been an issue for quite some time".
He said telcos should not allow issued PINs to stay permanent and should instead require their customers to change their PIN when first accessing their voicemail.
“There's not much point in putting a password on a system if a, everyone knows what it is, and b, it never changes," Turner said
Security expert as Sophos, Paul Ducklin, said that although default PINs were "much more convenient", they were an "unnecessary evil" that no product or service should have.
Mr Ducklin said that default PINs were "trivial" to guess, especially if the PIN derived from the telephone number it was attached to like with Optus and Virgin Mobile PINs.
Read more: http://www.theage.com.au/technology/security/vulnerable-voicemail-telcoissued-pins-insecure-20110708-1h5yz.html#ixzz1RU6XZDuS
No comments:
Post a Comment