Voice Mail

The remote access feature of voice mail makes it vulnerable to monitoring. You do not need to be in your office to receive your voice mail. You can call from home or any other location, dial a password to identify yourself, and hear your messages. The problem is that any other person calling the same number and using the same password can also retrieve your messages.

The password is usually easy to guess, because few people take the trouble to protect their voice mail with a unique password. They do not change the default password that comes with the system when it is installed. This is often the last four digits of the telephone number or the employee's extension number followed by the pound sign. People who do change the password often use an easily guessed password such as their first or last name or date of birth.

bullet  Any current or former employee who knows the voice mail phone number and can guess your password can listen to your voice mail. In many cases, that will make no difference as your voice mail contains no information that requires protection. Here are a couple examples of cases where it did make a difference, however.

Michael Gallagher, a reporter for the Cincinnati Enquirer, stole voice mail messages from Chiquita Brands International, Inc., the banana company, and used them as the principal source for an 18-page series of articles that exposed the company's business practices. He allegedly stole thousands of voice mail messages with the help of three current or former Chiquita employees. The reporter pleaded guilty in September 1998 to two felony charges -- unlawful interception of communications and unauthorized access to computer systems, and the newspaper agreed to pay Chiquita more than $10 million in damages. 1

In another case, John Hebel, a disgruntled former employee of Standard Duplicating Machines Corp. (Standard) of Andover, MA, regularly broke into the voice mail system of his former employer as part of a scheme to make unauthorized use of the company's sales leads and confidential marketing information.2 Hebel was a field sales manager who worked out of his home in Ballwin, MO. After being terminated by Standard, he went to work for a competitor as its Midwest Regional Manager.

Hebel developed a scheme to defraud his former employer by gaining unauthorized access to its voice mail system. By virtue of his prior employment at Standard, Hebel knew the telephone number for accessing Standard's voice mail system from remote locations. He knew that the "default" password for a particular voice mailbox would be the employee's telephone extension plus the pound sign, and that virtually no Standard employees had utilized unique passwords to protect their voice mail boxes. Hebel also knew which Standard executives and employees were likely to receive sales leads and other confidential marketing information in their individual voice mail boxes.

Over the course of a year, Hebel stole information from Standard's voice mail system on several hundred occasions. Standard eventually learned of Hebel’s activity through an unsolicited phone call from a customer who had been solicited by Hebel after leaving a message on Standard’s voice mail system. The FBI arrested Hebel for wire fraud, and he was sentenced in March 1997 to two years probation.

Related Topic: Voice Mail is Vulnerable in Spy Stories provides more detail on the Hebel case.

References:
1. "Reporter Pleads Guilty to Felony Charges in Chiquita Matter," The Wall Street Journal, Sept. 25, 1998, p. B4.
2. FBI Director Louis Freeh, Statement before the Senate Select Committee on Intelligence, January 28, 1998. Also PR Newswire, Former Sales Manager Charged in Voice Mail Scam, November 5, 1996.

 

<-- PrevNext -->
SECURITY BRIEFING TABLE OF CONTENTS