AT&T increases voice mail security

Password meant to deter hackers

August 06, 2011|By Hiawatha Bray, Globe Staff

AT&T Inc. is changing the default method by which cellular customers check their voice mail, after reports that the company’s policies made messages more vulnerable to hackers than on other cellphone carriers.

The giant telecommunications company said yesterday it will start requiring users to enter a password to access their voice mails from their own cellphones. Until now, AT&T users calling from their own phones would immediately get access to their voice mails without entering a password.

“We wish that we did not have to make this change,’’ wrote AT&T’s chief privacy officer Bob Quinn in a posting on the company’s public policy blog. But Quinn said that easily available Internet technology makes it easy for criminals to gain access to unprotected cellular voice mailboxes.

When customers calling from their own phones do not have to type in a password to enter voice mail, criminals can access their messages by using “caller ID spoofing’’ websites to make malicious calls that appear to come from a victim’s own cellphone. A story in the Globe last month showed how easily a hacker could gain access to voice mail messages not protected by passwords through that method. Last month, Federal Trade Commission chairman Jon Leibowitz urged cellphone companies to require password protection on voice mail systems.

AT&T already allowed users to add password protection to their voice mails, but that feature was normally switched off, requiring a customer to choose that protection. Now AT&T will adopt the opposite approach. Password protection will be automatically turned on for new subscribers or for existing customers who order additional lines. And starting early next year, AT&T will apply password protection whenever a customer renews his service contract or gets a phone upgrade. “Over a transition period, all of our customers will ultimately have the default setting on their voice mail turned to Password Protect,’’ wrote Quinn.

Customers who prefer instant access to their voice mails can still choose to switch off password protection.

The policy shift means that three of the nation’s top four wireless carriers now automatically request a password before giving customers access to their voice mails. Sprint Nextel Corp. uses a password by default but lets customers switch it off. Verizon Wireless requires the use of a password at all times. Only T-Mobile USA still leaves password protection switched off by default. AT&T has struck a deal to acquire T-Mobile for $39 billion, pending approval from federal regulators.

Peter Swire, a law professor at Ohio State University who specializes in telecommunications privacy issues, said that Americans had paid little attention to the menace of voice mail hacking. But recent news reports that British journalists working for newspapers owned by Rupert Murdoch’s News Corp. broke into the voice mails of celebrities and crime victims spawned outrage on both sides of the Atlantic. “It taught people in England that voice mail was being hacked at a high rate,’’ said Swire. “I think AT&T saw the Murdoch problems and they saw how easy it was to break into their system.’’

Hiawatha Bray can be reached at bray@globe.com.