Though banks are expected to have layers of authentication, phone companies
"Many people would be surprised to learn just how easy it is to 'hack' into someone's voicemail," Brian Krebs wrote Monday on his "Krebs on Security" blog. The "poorly-kept secret" is that many wireless providers grant access based on the phone number they read from caller ID, which is easily spoofed, he wrote. A caller ID number can be spoofed with tools available for free online.
An attacker would call the phone while spoofing the victim's number. If that call goes to voicemail, it is possible to then access stored messages instead of leaving a message. Krebs wrote that he tested this by pressing the # button at the voicemail prompt when calling his wife's iPhone on AT&T while spoofing the iPhone's number via the website spooftel.com.
Though he tested it with just one carrier, Krebs wrote that the same method would likely work on others. Many carriers provide the option to protect voicemail accounts with a PIN, but only Verizon Wireless requires it, Krebs wrote, citing a recent article from The Boston Globe.
Krebs advised his readers to set a PIN, but one commenter on his blog suggested that this may be futile. "When people are required to set a PIN, they often choose '1234' or '1111' anyway," instead of choosing one that would be hard for an attacker to guess, the commenter wrote.
