
Voicemail is still very, very broken
Zach Epstein
Caller ID spoofing gives anyone access to your voicemail messages, but protective measures can be taken
If you have any interest in keeping your voicemail messages private, disable the PIN-bypass feature immediately
Published on May 4, 2010
More than half a decade ago, it was discovered that voicemail was broken.
Nearly all cellular carriers give you the option to forgo having to input a PIN when retrieving voicemail from your cell phone. As convenient as this option is, it also gives anyone and everyone access to your voicemail box.
How? Using any one of hundreds of VoIP or PBX services, an unscrupulous person can simply configure the service to spoof your caller ID. Then, by calling your cell phone number, he or she will gain access to your voicemail box just as if you were calling from your own cell phone.
It's called caller ID spoofing and it couldn't be easier to do.
Beyond the obvious privacy issues, this exploit can also be used to lock you out of your voicemail box. The unscrupulous party can simply enter your voicemail box, change your PIN and then set the service to always require a PIN, even when calling from the cell phone tied to the number.
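The PIN-bypass logic described above, modelled as an added example (not code from the article or from any carrier): the `Mailbox` class, the function names, the sample number and the PINs are all constructed for illustration. It runs the weak setting, the lockout that follows from it, and the same calls with PIN-bypass disabled.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mailbox:
    number: str        # subscriber's cell number
    pin: str
    pin_bypass: bool   # True: skip the PIN when caller ID equals `number`

def authenticate(box: Mailbox, caller_id: str, pin: Optional[str] = None) -> bool:
    """Decide whether an inbound call may open the mailbox.

    caller_id is only what the originating network presented; the model has
    no proof that the call really came from the subscriber's handset.
    """
    if box.pin_bypass and caller_id == box.number:
        return True    # the presented number is the only "credential"
    if pin is None:
        return False
    return hmac.compare_digest(pin.encode(), box.pin.encode())

def change_settings(box: Mailbox, caller_id: str, new_pin: str,
                    pin_bypass: bool, pin: Optional[str] = None) -> bool:
    """Settings are open to any call that passes authenticate()."""
    if not authenticate(box, caller_id, pin):
        return False
    box.pin, box.pin_bypass = new_pin, pin_bypass
    return True

def demo() -> dict:
    owner = "+15555550100"   # constructed sample number
    # Weak setting: PIN-bypass on, so a call presenting the owner's number gets in.
    weak = Mailbox(owner, pin="4821", pin_bypass=True)
    spoofed_in = authenticate(weak, caller_id=owner)
    # The lockout described above: PIN changed, PIN now always required.
    change_settings(weak, owner, new_pin="9036", pin_bypass=False)
    owner_locked_out = not authenticate(weak, owner, pin="4821")
    # Corrected setting: PIN-bypass off, so the presented number proves nothing.
    hard = Mailbox(owner, pin="4821", pin_bypass=False)
    return {
        "spoofed_in": spoofed_in,
        "owner_locked_out": owner_locked_out,
        "spoofed_blocked": not authenticate(hard, caller_id=owner),
        "takeover_blocked": not change_settings(hard, owner, "9036", False),
        "owner_ok": authenticate(hard, owner, pin="4821"),
    }

if __name__ == "__main__":
    print(demo())
```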
The House recently passed the Truth in Caller ID Act of 2010, which will soon become law. This, in theory, will prevent any and all telcos from providing caller ID spoofing services, but we've all played this game countless times before.
In reality, this law will spark an endless game of cat and mouse. It will also mean that those who still want to take advantage of spoofing will use offshore telcos that provide the service -- and there are plenty.
In short, the Truth in Caller ID Act of 2010 will not protect your voicemail.
Some VoIP services that offer caller ID spoofing have security measures in place to prevent unauthorized access to voicemail. Skype, for example, requires users to verify a cell phone number via SMS before it can be configured as a caller ID number. Many VoIP and PBX services do not employ similar security measures, however.
What is the moral of the story? Voicemail is broken. It has been broken for quite some time and it won't be fixed any time soon. If you have even the slightest desire to keep your messages private, disable the PIN-bypass feature from within your voicemail settings.





