T-Mobile Voice Mail Hacking 

T-Mobile has had a rash of security problems over the past month or so. It started with a cracker in California who had access to over 16.3 million customer service records, including those of the Secret Service agents that were assigned to help track him down. It sounds like something from a movie, but it happened.

It didn't get any better for the carrier when just a few days ago someone jacked the contents of Paris Hilton's cell phone and posted her address book, notes, and pictures to the net (where they are still circulating...) A high profile case like this doesn't look very good, especially when you're using her image in your ads.

And finally, this item from Gizmodo, where some sort of phone phreak has figured out how to access anyone's voicemail. He demonstrated this by hacking the author's voicemail in 20 minutes - from a pay phone in a Mexican restaurant. He gives details on how to avoid getting hacked - basically setting a password that is asked for even when calling from your own phone:
Dial your T-Mobile voicemail from your mobile phone. If you don’t know your PIN number, you can set a new one by doing the following: Access your ‘personal options’ by pressing 4. ‘Modify your personal preferences’ by pressing 4, again. Then ‘modify your password’ by pressing 1. Set a new PIN and write it down somewhere secure, if necessary.

After you reset your pin, press the * key to go back to the ‘personal options’ menu (or press 4 from the main menu if you already knew your PIN). Once you have accessed the ‘personal options’ menu you will then press 8 which will enable password authentication when calling from your own mobile phone. Although entering your password every single time you call your voicemail can be a bit of a nuisance, a few seconds of your time is a small price to pay for the security of your voicemail system.
I've been a T-Mobile subscriber for two years now. I've generally been very happy with their service, but man - if this keeps up I'm going to need to find another provider. This stuff is beginning to look like pattern of lax security on their part. Which is kind of funny, since they actually have my name spelled wrong on my account, and getting it changed has been an exercise in futility - multiple faxes of passports, driver's licenses, social security cards - all not good enough to make a simple name change. It would probably be easier to just hack their servers. (Just kidding!)


Posted: Wed - February 23, 2005 at 09:22 PM