U.K. News of the World voicemail hacking scandal could happen in Canada

John Size
Daily BrewJuly 12, 2011

Do you have a cellphone? Of course you do. Do you use voicemail on it? We all do. And we should all be scared.

You don't have to have an aversion to yellow journalism to feel a chill now that the scandal-plagued News of the World tabloid has ceased publishing.

The British paper's final undoing, revelations reporters systematically tried to hack into the cellphone accounts of members of the royal family, government officials, dead soldiers and even the family of a teenaged murder victim to get scoops on them, isn't limited to Fleet Street journalistic excess.

Anyone with a mobile phone or smartphone - pretty much everybody, these days - is at risk if the wannabe-hacker is sufficiently motivated and skilled. It can happen just as easily in Canada as it did in the U.K.

The reason is simple. The average voicemail account, like the average email account, online bank account or virtually any other authenticated-access Internet resource, depends on shockingly weak security processes even a rank amateur hacker can easily bypass.

In fact, the only thing that keeps a criminal from rifling through your most private voicemail messages is a password that violates every security standard in existence and probably hasn't changed in years. If ever.

"Hacking is very real and dangerous," says Jack Gold, founder and principal analyst at J.Gold Associates. "It's not just a technical issue — it's a human one."

Gold says vendors often make it all too easy for hackers to get what they want.

"Most of this type of hacking is due to someone impersonating you and calling your host - voicemail, email, bank, whatever - and being a good enough imposter that they convince the other party to give them access. That really is the weak spot."

While there are other technical weak spots built into the average service offering, Gold says they're typically more difficult to hack through. It's the human side of the security equation that represents our collective soft underbelly, and as long as service providers and carriers take a lowest-common-denominator approach to security, things won't improve much, if at all.

The signs are everywhere. Vendors design and deploy online services that require only one factor - typically a password - to authenticate. They assign weak default passwords, like "password" or "1234" and then fail to require users to change them.

They don't implement other forms of authentication, such as tokens or biometrics, in the misguided belief such tactics would be too difficult for most users. They leave well-documented back-door accesses in place for hackers to exploit. They capture too much personal data in the first place, and then fail to control it properly over time.

"We truly have no way of knowing how much of our past data, information and content is still being held out there somewhere," says Gold. "In theory, the companies may have some policies on keeping things for a period of time and deleting them, but who really knows?"

There's plenty of blame to go around, of course. End-users - both consumers and business types - do themselves no favours by failing to educate themselves on security best practices. They don't challenge service providers to tighten security because they either can't be bothered to take the time, or they don't want to be inconvenienced by tougher rules.

They continue to use the default administrative passwords, or they use passwords that anyone with even a glancing knowledge of their personal lives would find easy to guess. Between pets, kids and mothers' maiden names, we make it staggeringly easy for someone to gain access to virtually any online account. Even if a hacker doesn't know us directly, a quick tour through our Facebook, Twitter or LinkedIn profile should be enough to kickstart a successful attack.

In examining the News of the World hacking scandal, one thing becomes abundantly clear.

If the phone carriers in question had enforced tougher security practices such as multifactor authentication, encryption and tokenization - and if the purported victims themselves hadn't been so content to simply accept the inadequate default security measures that came with their accounts - none of this would have been an issue.

The journalists of questionable morals would have simply run up against a tougher wall, and would have gone back to their editors empty-handed.

(AFP Photo)