Phone hacking: Are you safe?

Not using a pin number for mobile phone voicemail makes it vulnerable to hackers. Photo / Thinkstock

Voicemail messages can be hacked in New Zealand with nothing more than a cellphone number, a $5 calling card and common software such as Skype.

Telecom says nothing can be done to stop "ID spoof" hacking on its network, other than urging customers choosing unique passwords to protect their messages.

But many cellphone owners do not use voicemail passwords at all, because of the inconvenience of entering a four-digit code every time they want to listen to messages.

In Britain, the News of the World tabloid newspaper was closed after revelations of a phone hacking scandal which has thrown Rupert Murdoch's media empire into turmoil.

The tabloid paid a private investigator to hack into voicemail messages, by using the default pin code or making an educated guess based on personal details like birth dates.

But Weekend Herald inquiries have found a more sophisticated - but simple - method called "ID spoofing".

It's the same method a teenager accidently stumbled on in 2005 and used to hack into the voicemails of prominent people, including former Auckland City Mayor Dick Hubbard.

Amateur hackers can buy credits on-line for as little as $5. By using Voice over internet Protocol software such as Skype, a hacker can fool a voicemail system into thinking they are calling from the phone they are trying to break into.

If the phone owner has not set up the voicemail to require a password when called from their own mobile, a hacker can get straight into the system and listen to messages at will.

The chief executive of the Telecommunications Users Association of New Zealand, Paul Brislen, said voicemail hacking was "ridiculously easy" to do.

Questioned about "ID spoofing", a Telecom spokeswoman said customers had two layers of protection.

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes.

"We also advise customers to choose unique pin numbers that can not easily be guessed."

Telecom customers can choose to make voicemails password-protected, but Vodafone makes a pin code compulsory for checking messages from other phones.

A Vodafone spokesman also said Skype could not be used to "spoof" the network into thinking the caller was trying to access voicemail.

This was because the system looked for other qualifiers to verify the validity of the call.

But Vodafone is still vulnerable to voicemail hacking if customers use easily guessed pin numbers, such as birth dates.

2degrees spokesman Michael Bouliane said the network did not require customers to set up a voicemail pin number, although they were given the option to do so.

Figures from Craigs Investments Partners show that at the end of last year, New Zealand had 5,235,000 active mobile phones - more than one for every person in the country.

About 2.46 million used the Vodafone network, 2.2 million used Telecom and 575,000 used 2degrees.

Private investigator Danny Toresen said people tended to use easy-to-remember passwords for multiple accounts, such as Trade Me, email, bank and phone.

"People don't have time to remember unique passwords for every single thing. So there's a real danger in that."