[September 02, 2011] Boxer Urges T-Mobile, Sprint to Improve Customer Voicemail Security Tweet Sep 02, 2011 (Congressional Documents and Publications/ContentWorks via COMTEX) -- September 1, 2011 Contact: Zachary Coile or Andy Stone (202) 224-8120 BOXER URGES T-MOBILE, SPRINT TO IMPROVE CUSTOMER VOICEMAIL SECURITY Threat of Illegal Hacking Is Heightened By Lax Voicemail Security Policies Washington, D.C. - U.S. Senator Barbara Boxer (D-CA) today called on two U.S. wireless companies - T-Mobile and Sprint Nextel - to improve voicemail security procedures for customers in light of concerns http://articles.boston.com/2011-07-13/business/297699781voice-mail-password-caller-id-spoofing that consumers' voicemail accounts could be vulnerable to the type of illegal hacking recently uncovered in the United Kingdom. According to security experts, because neither T-Mobile nor Sprint Nextel requires customers to enter a personal identification number (PIN) when accessing voicemail from their own device, personal and confidential information can be easily accessed through the use of freely available tools that "spoof" caller ID information. In her letter to Philipp Humm, CEO and President of T-Mobile, Senator Boxer wrote, "As recently as July of this year, a T-Mobile spokesperson confirmed that your voicemail system is vulnerable to this form of hacking. Although T-Mobile recommends in the small-print on its website that its customers enable PIN protection, the default choice is one that leaves consumers vulnerable. It is unlikely that most T-Mobile subscribers realize how easy it is for a hacker to break into their voicemail." Senator Boxer's letters come in light of the revelation that thousands of British citizens' voicemail accounts may have been hacked by employees of the newspaper News of the World, a British subsidiary of the American company News Corporation. While the U.S. Department of Justice investigates whether any American citizens had their voicemail illegally hacked by News Corporation employees, T-Mobile and Sprint can take immediate steps to provide greater protection for their customers against hacking. Verizon Wireless has always required subscribers to enter a PIN to access their voicemail. AT&T recently announced that the default setting for new subscribers will require them to enter a PIN to help protect customers' voicemail security. The full text of Senator Boxer's letter to T-Mobile is below. The Senator's letter to Sprint Nextel CEO Dan Hesse can be accessed at http://boxer.senate.gov/en/press/related/Sprint09012011.pdf. September 1, 2011 Philipp Humm, CEO and President T-Mobile USA 12920-South East 38th Street Bellevue, WA 98006 Dear Mr. Humm: I write to request that you take immediate action to remedy a significant vulnerability in voicemail security protections available to T-Mobile customers. Right now, the voicemail accounts of T-Mobile customers are at risk of being hacked because of your company's security policies. Earlier this year British police discovered that the voicemails of thousands of British citizens were hacked by the newspaper News of the World, a British subsidiary of the American company News Corporation. While we wait for the U.S. Department of Justice to conclude its investigation into whether News Corporation employees hacked the voicemail accounts of American citizens, T-Mobile can take immediate steps to implement simple changes to its security systems that can help prevent future voicemail hacking from occurring in our country. According to security experts, several U.S. wireless carriers including T-Mobile are vulnerable to a hacking technique that anyone, regardless of technical skill, can use to break into voicemail accounts. This hacking technique exploits the fact that T-Mobile does not require subscribers to enter their personal identification (PIN) number when they call their voicemail from their own phone. By "spoofing" the caller ID information using freely available tools, hackers can access T-Mobile voicemail subscribers' accounts without being prompted for a PIN. As recently as July of this year, a T-Mobile spokesperson confirmed that your voicemail system is vulnerable to this form of hacking. Although T-Mobile recommends in the small-print on its website that its customers enable PIN protection, the default choice is one that leaves consumers vulnerable. It is unlikely that most T-Mobile subscribers realize how easy it is for a hacker to break into their voicemail. In contrast, Verizon Wireless has always required subscribers to enter a PIN to access their voicemail, no matter the phone they are calling from. Similarly, AT&T recently announced that it too would be making strong security the default option for all new subscribers. At a time when Americans are greatly concerned about the safety of the information they store on their computers and on their phones, it is time to make the security the default. I urge T-Mobile to implement stronger voicemail security features immediately. Sincerely, Barbara Boxer United States Senator [ Back To TMCnet.com's Homepage ]