For companies that can be broken if their security breaks (anything from email providers to cell phone providers) headlines like "Phone Hacking Scandal" should garner special attention. The latest "phone hacking" scandal involving allegations that reporters at News of the World listened to or tampered with voice mails of, potentially, over 10,000 victims, has left many in shock and wonderment. But, as with any crisis, we can use this as an opportunity to take a moment to pause and consider what we can learn from it.
The word "hack" implies that a highly technical break-in into a security system occurred, as in the case of the recent CIA breach. What appears to have happened in the phone hacking scandal is really not a 'hack' at all, carried out by highly technical criminals.
Reporters, allegedly, used some pretty simple tactics, exploiting voice mail procedures by using them in the way they were supposed to be used. When a customer purchases a new cell phone, a default password is set up for accessing voice mail. Often, it's a simple 4-digit number such as "1111" or "0000", or the last 4 digits of the customer's cell number. Unfortunately, most people don't personalize these passwords once they have the phone. Hence, a stranger can call a cell phone and, when the subject doesn't answer, simply enter the carrier's standard password and gain immediate access to voice mails.
Unfortunately, this isn't the only way people can get into voice mails. Social engineering, a term now used to denote unethical or illegal practices involving impersonation and manipulation, is a very effective means by which people can gain access to voice mails or information. So instead of hacking into a secure system, the bad guy can simply call the cell carrier's support center, impersonate an actual cell phone customer, and obtain the password for the voice mail. The customer never knows this happened.
And herein lies an opportunity for cell carriers to pause and consider what types of security mechanisms are in place to thwart the social engineer. For example, consider giving any customer who calls a temporary, one-time-use password that forces a password change once it is used. Then text and email the customer to inform them of what just occurred, in case it was a social engineer who got through all the mechanisms already in place. Also, consider whether two-part security (what is now commonly called two-factor authentication: something a customer knows plus something a customer has) can work for you. With two-part security, a customer would need to provide info to the customer service rep to recover or replace a forgotten password, and would then have to have the cell phone in hand where the reset info is sent. A social engineer who succeeds in one part ends up with only half of what is needed to succeed. Finally, consider whether default passwords should freeze if they are not changed within a certain period of time from purchase.
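To make the controls above concrete, here is an added example that is not part of the article and not any carrier's real system: a small Python model of a voice mail box that flags the weak defaults the article names, freezes a box whose default PIN is never changed within a grace period, and handles a support-desk reset with a one-time code delivered to the handset plus a customer notification. The 30-day grace period, the message texts, and the `VoicemailBox` structure are assumptions made for the illustration.

```python
"""Voice mail PIN policy model (added illustration, not a carrier's code).

Defensive controls modeled here:
  * weak_pin_reasons        - reject carrier defaults and last-4-of-number PINs
  * enforce_default_pin_expiry - freeze a box whose default PIN was never changed
  * begin_support_reset / complete_reset - one-time code sent to the handset
    ("what you have"), which forces a new PIN and notifies the customer
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hmac
import secrets

# The default values the article mentions; a real carrier would load its own list.
CARRIER_DEFAULT_PINS = {"0000", "1111"}
# Assumed policy: a default PIN left unchanged this long gets the box frozen.
DEFAULT_PIN_GRACE = timedelta(days=30)


@dataclass
class VoicemailBox:
    phone_number: str
    pin: str
    pin_is_default: bool
    activated_at: datetime
    frozen: bool = False
    pending_reset_code: Optional[str] = None
    # (channel, message) pairs that would be sent by SMS/email in a real system
    notifications: List[Tuple[str, str]] = field(default_factory=list)


def weak_pin_reasons(pin: str, phone_number: str) -> List[str]:
    """Return the policy reasons a PIN is unacceptable (empty list = acceptable)."""
    reasons = []
    if pin in CARRIER_DEFAULT_PINS:
        reasons.append("carrier default")
    if pin == phone_number[-4:]:
        reasons.append("last four digits of phone number")
    if len(set(pin)) == 1 and pin not in CARRIER_DEFAULT_PINS:
        reasons.append("repeated digit")
    return reasons


def enforce_default_pin_expiry(box: VoicemailBox, now: datetime) -> bool:
    """Freeze the box if its default PIN outlived the grace period. Returns frozen state."""
    if box.pin_is_default and not box.frozen and now - box.activated_at > DEFAULT_PIN_GRACE:
        box.frozen = True
        box.notifications.append(
            ("sms", "Voice mail locked: default PIN was never changed. Call support to reset."))
    return box.frozen


def check_pin(box: VoicemailBox, supplied: str) -> bool:
    """Voice mail login: a frozen box rejects everything, otherwise constant-time compare."""
    if box.frozen:
        return False
    return hmac.compare_digest(supplied, box.pin)


def begin_support_reset(box: VoicemailBox) -> str:
    """Called after the support rep verifies the caller ("what you know").

    The one-time code is sent to the handset, never read out to the caller.
    It is returned here only so the demo can simulate the handset receiving it.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    box.pending_reset_code = code
    box.notifications.append(("sms", f"Voice mail reset code: {code}. Not you? Call us."))
    box.notifications.append(("email", "A voice mail PIN reset was requested on your account."))
    return code


def complete_reset(box: VoicemailBox, supplied_code: str, new_pin: str) -> bool:
    """Consume the one-time code and force a non-default PIN; notify on success."""
    if box.pending_reset_code is None:
        return False
    if not hmac.compare_digest(supplied_code, box.pending_reset_code):
        return False
    if weak_pin_reasons(new_pin, box.phone_number):
        return False  # one-time-use password must be replaced by a real one
    box.pin = new_pin
    box.pin_is_default = False
    box.frozen = False
    box.pending_reset_code = None  # single use
    box.notifications.append(("sms", "Your voice mail PIN was changed."))
    box.notifications.append(("email", "Your voice mail PIN was changed."))
    return True
```

The reset flow deliberately splits knowledge from possession: the rep's verification alone never yields a usable PIN, and the code that does is sent only to the handset, so a caller who talks their way past the rep still holds half of what they need, and the customer is told either way.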
Each company will have to weigh everything from customer experience to ease of use to adoption rates when determining what type of security works best for their user base. Note that many carriers have been working towards these goals and should be commended for their work.
The ability to convert challenges to opportunities can be a major asset for a forward-thinking, security-conscious company. So, take heed of the latest events in the news and pause to reflect on what more can be done to protect the most valuable asset any company has: the trust of its customers.
Follow Hemanshu Nigam on Twitter: www.twitter.com/hemanshunigam