Phone hacking (or phone ‘phreaking’, as it used to be called in the pre-Internet era) has been around for a long time, but while there were only a few simple scams it didn’t make front-page news. So, what’s changed? Today all information is money to someone. Celebrity news sells, as does political news.
How easy is it to hack a phone or voicemail? Unfortunately, for most people it is just a little bit too easy, mainly because people don’t set PINs to secure access. We are back to the same old problem: a voicemail service comes with a default PIN and the user doesn’t change it, either because they are too lazy to do so or because it is too difficult.
There are other ways to hack phones, from the relatively simple ‘bluejacking’ and ‘bluesnarfing’, where you take control through an unsecured Bluetooth connection, through to number spoofing, SIM card duplication and specialist hardware. The method chosen depends on how serious the hacker is and how much the information on the device is worth.
Hacking a phone can now bring more rewards to the cybercriminal, as there is often more valuable information stored on a phone than there is in voicemail. Contact lists, email, web browsing history: in fact, much of the good stuff on a laptop is now on the phone as well.
From a corporate perspective, being aware of the risks associated with mobile phones is a start. Setting security and usage policies should be high on the agenda to make them as secure as laptops are within the organisation.
Passwords/PINs should be set on the devices themselves (as well as on services such as voicemail) and these should be changed from time to time.
Ensure that phones are backed up regularly.
Ensure that any removable media (and the phone itself) is encrypted.
Consider installing an anti-malware/security application.
Look at remote wipe/kill software to be absolutely sure that a lost phone doesn’t become a data leak incident.
Finally, when it comes to sensitive business transactions, remember the problem of eavesdroppers. Find somewhere private for a discussion, and consider whether your mobile phone is secure enough for the information you are about to convey.
Guy Bunker, Jericho Forum board member