ALTOM: Most phone hacking is a low-tech, fast-talking scam

It seems as if this column has become devoted primarily to cell phones lately. But at the risk of seeming rut-bound, given the events of the past couple of months with News of the World and Rupert Murdock, I just couldn’t pass up the opportunity to write about phone hacking.

I have to admit that I was hoping the hackers had used some truly exciting, fit-for-TV techniques that involved long, scrolling columns of green numbers on a computer screen. But it turns out most of the hacks were simple examples of social engineering.

“Social engineering” is a fancy term for a kind of fast-talking scam that’s often pulled on unwary people in positions to know things they shouldn’t talk about, but often spill quite happily. It’s astonishing how good hackers are at worming things out of people. That’s how most of the phone hacking for News of the World was done. All you need to get into even the biggest celebrity’s voice mail is that person’s personal identification number. You undoubtedly have PINs in your life for everything from cell phone voice mail to your bank’s ATMs. So do celebrities, police, and famous crime victims. Once you have the PIN, you have the keys to the voice-mail kingdom.

So how to acquire the PIN? You call up one office after another that might help you, often pretending to be the cell phone’s owner or their manager. You might think the company officials being targeted are shrewd enough to detect the fraud and hang up, and often they are, but hackers are persistent and eventually find somebody who will have pity on a poor, over-stressed celebrity customer who’s forgotten his PIN.

Technology occasionally helps the hacker here, because most people don’t like to punch in PINs all the time, so many carriers permit a setting of “no PIN” for voice mail, relying on the identification of the phone itself to be a secure block against hacking. Of course, it isn’t. In fact, the exact opposite is true.

Many phones send the PIN automatically when the faraway voice-mail server is called. The latter convenience can be exploited by using two crooks: One calls the target cell phone, and the other calls the voice-mail line. When the two are electronically connected, the voice-mail line gets its PIN automatically from the phone, whereupon the miscreant holding it hangs up and the two crooks huddle over the now-exposed voice mails.

So the immense damage done to the News of the World was straight out of the Security 101 playbook, which is actually how most hacking is conducted. Why spend weeks picking electronic locks when you can just talk obliviously helpful employees into lending you their keys?

I was frankly disappointed in how pedestrian the techniques were, but there are other hackers who use more exciting methods. The key to those is to mimic the target phone’s identification code that’s sent by the phone to the network. You might think that anything broadcast like that could be easily intercepted, but phone companies aren’t stupid; they encrypt everything. Still, it’s possible to “spoof” the ID if you’re motivated enough. And if you’re hacking into the prime minister’s phone for salable information, that’s probably a lot of motivation. Cracking your local auto mechanic’s cell phone, by contrast, might not be worth all the trouble.

In the main, that’s what security winds up being about: being just secure enough to frustrate the kind of people who might want to hack you. Your cell phone is probably no more secure than those of millions of others, but being part of a herd allows predators to overlook individuals. Few of us are important enough to warrant social engineering or spoofing. There is some security in obscurity.

Experts caution us about securing our phones, changing our PINs regularly, locking up after ourselves to the point that it’s hard to even move around in our devices. In the teeth of all that good advice, it’s sometimes hard to admit that much of it seems like overkill.

Anybody who wants to sit through my typical voice mail is welcome to it.

Identity theft is undoubtedly an enormous problem waiting to happen. It can ruin your credit and make your life into a close facsimile of Hades. But somebody hacking my phone is far down my list of worries. I hate to admit it, but it’s true. And with the News of the World gone, I don’t have to worry about them doing it, at least.

Then again, it’s about time to change my PIN, isn’t it?•

__________

Altom is a consultant specializing in pairing businesses with appropriate technology. His column appears every other week. He can be reached at taltom@ibj.com.