AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability

from the caller-id-spoofing dept

Many mobile phones’ voicemail systems have worked on the basis of checking the caller ID of the incoming caller — and if it matched the number of the voicemail box, it would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn’t have to put in the passcode to get to the messages. The only problem with this was that anyone who could spoof your caller ID could access your voicemail. After a few such high-profile voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, going under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.

That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?
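The caller-ID shortcut described in the first paragraph, next to the passcode-always policy operators later urged, as an added example that is not part of the original post or any carrier's code. The `Mailbox` record, the function names, the PBKDF2 storage and the three-failure lockout are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_PIN_FAILURES = 3  # assumed lockout threshold, not taken from the article


def _pin_hash(salt: bytes, pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:  # hypothetical record for one voicemail box
    number: str
    salt: bytes
    pin_hash: bytes
    skip_pin_on_caller_id: bool = True  # legacy convenience setting
    failures: int = 0


def make_mailbox(number: str, pin: str) -> Mailbox:
    salt = os.urandom(16)
    return Mailbox(number, salt, _pin_hash(salt, pin))


def check_pin(box: Mailbox, pin: Optional[str]) -> bool:
    """Verify the passcode in constant time, locking out after repeated misses."""
    if pin is None or box.failures >= MAX_PIN_FAILURES:
        return False
    ok = hmac.compare_digest(_pin_hash(box.salt, pin), box.pin_hash)
    box.failures = 0 if ok else box.failures + 1
    return ok


def legacy_access(box: Mailbox, caller_id: str, pin: Optional[str] = None) -> bool:
    """Weak: a matching caller ID skips the passcode entirely."""
    if box.skip_pin_on_caller_id and caller_id == box.number:
        return True  # caller ID is asserted by the calling side, never verified
    return check_pin(box, pin)


def hardened_access(box: Mailbox, caller_id: str, pin: Optional[str] = None) -> bool:
    """Fixed: caller ID is not a credential; the passcode is always required."""
    return check_pin(box, pin)
```

With the legacy policy a call that merely presents the mailbox's own number is admitted with no passcode; the hardened policy gives the same call nothing until the correct passcode is supplied.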

Companies: at&t, t-mobile


Comments on “AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability”

Brad says:

Maybe it's the sim cards?

Since both AT&T and T-Mobile are SIM-based operators, I wouldn’t be surprised if they were more (or exclusively) susceptible to these sorts of attacks. Verizon and Sprint both authenticate all kinds of information (possibly including identity for voicemail) based on the phone’s ESN. It’s possible that it’s much more difficult to spoof an ESN, or even get your hands on it.

This is also why stolen Sprint / Verizon phones have little to no value on the black market, where ATT phones fetch a nice premium. Slip in a SIM card and you’re free to go, no matter who the device came from. Verizon / Sprint track phones based on ESN and owner, so you can’t activate a phone that’s been reported stolen.

OneDisciple says:

Re: Maybe it's the sim cards?

I could be wrong, but I am going to say it anyway. I believe that AT&T and T-Mobile both use the ESN for the same purposes. The problem is that customers do not report the ESN as belonging to them, so when their phone is stolen it cannot be tracked. However, if as the customer you follow the rules of your agreement with said company and register the ESN, it can be tracked.

Jeff (user link) says:

Re: Re: Maybe it's the sim cards?

(addressing the theft/esn issue and i dunno what this has to do with anything, but here we go) and there’s also the fact that these companies don’t tell their customers what to do when they sell their old mobiles on ebay or craigslist. they just tell them not to sell them and expect people to be out the cost of the old phone when they buy a new one. they aren’t told about how to clear the esn and other information off of the phone before they sell it EVEN WHEN THEY REGISTER A NEW MOBILE ON THEIR ACCOUNTS. i bought a sprint blackberry on craigslist once…i could have just continued using the phone exactly as it was and have all of the use billed to the previous owner. it had their full address/phone book still on it, tons of personal information, a few hundred texts containing personal info on people other than the seller…granted, sprint is unlike other providers in that their customer service is a pile of smelly elephant assholes and it’s all operated by people who barely speak english and simply use a piece of software to tell them exactly how to interact with customers…but…c’mon.

billybob. says:

Re: Re: Maybe it's the sim cards?

I work for at&t in sales, and I don’t think this is the case. As far as I know, there is no way to remotely kill a stolen phone, aside from using special executive work programs like Good. It’s best to contact ATT as soon as possible after your phone is stolen and have them put a hold on the account, killing the SIM card.

Jasen (profile) says:


Once upon a time, the default on T-mobile was no passcode, although you could set one if you chose to. Now, T-mobile makes you set a passcode, with the option to not have one if you choose.

It’s kinda like when Microsoft included a firewall in Windows XP but left it off by default, then turned around and made it on by default in SP2.

I have been using T-mobile for a few years now. I like not having a passcode set. I have no interesting voicemails, so I’m not worried about someone hacking them. LOL

Steevo says:

The real problem is the CID is insecure

The real problem is the CID is insecure and can be spoofed. That’s the only problem and the problem that needs fixing.

The telcos made an insecure system and they should be prohibited from delivering calling party data that is not correct. If there were a fine for delivering false Caller ID data they would have to either secure those systems or stop selling Caller ID at all. Either solution would be appropriate.
