Talk:Phone hacking

Terminology
Per the discussion at Talk:News of the World phone hacking affair‎, "--AwaisMughal (talk) 15:38, 13 July 2020 (UTC)phone hackinghttps://tips4hacking.com/" is the WP:COMMONNAME in the media.-- ♦Ian Ma c M♦  (talk to me) 13:00, 7 July 2011 (UTC)

Common phone codes
Daniel Amitay's research was widely cited on the web. It is uncontroversial that some people routinely choose obvious PINs (1234 etc), and the use of the dreaded word "blog" does not necessarily mean that it is incorrect, as the population sample taken by Amitay (204,508 passcodes) is large enough to be statistically signficant. Amitay's research is cited here in The Wall Street Journal. Apple took Amitay's research so seriously that it pulled his app from the App Store and accused him of password harvesting, as this CNET story shows.-- ♦Ian Ma c M♦  (talk to me) 06:46, 8 July 2011 (UTC)

204,508 Rustymcelwee (talk) 19:23, 11 September 2017 (UTC)

Fake base stations
It is possible to set up a fake GSM base station subsystem and use it for phone hacking, as discussed here and here. However, since there is little evidence that this has been used as a technique in real life and has not picked up much media coverage, it is not mentioned in the article.-- ♦Ian Ma c M♦  (talk to me) 11:01, 9 July 2011 (UTC)

Possible incorrect/misleading sentence
"During the early days of mobile phone technology, mobile phones allowed access to voicemail messages via a landline telephone, requiring the entry of a Personal Identification Number (PIN) to listen to the messages."

The beginning of that sentence, "During the early days of mobile phone technology", isn't very accurate to the rest of the sentence. Mobile phones STILL allow access via a landline phone, and this sentence makes it sound like it was only possible "during the early days". The rest of the paragraph, which talks about default PINs and caller ID spoofing, is talking about things that happened back then, so maybe one of those sentences should start like that? Bkid My talk/Contribs 06:17, 17 July 2011 (UTC)
 * ✅ The wording was slightly misleading. The point made in the BBC citation is that during the early years, battery life and network coverage on mobile phones were poor, making remote voicemail retrieval essential. Today it is much less essential, and some security experts say that there should be an option to turn it off altogether, which is a feature not available on some networks.-- ♦Ian Ma c M♦  (talk to me) 06:26, 17 July 2011 (UTC)
 * Thanks. Glad I wasn't the only one who thought it sounded a bit off. Bkid My talk/Contribs 16:06, 19 July 2011 (UTC)

GSM cracking
The website SOS Technology is commercial and not a secondary reliable source. Governments can tap any phone call if desired, but phone hacking relates to activity by non-government agencies. There is a similar website here. It is hard to prove whether this technique has fallen into the wrong hands, and it is not one of the common techniques used by journalists and private detectives. 64 bit encryption would be considered weak nowadays because of the risk of brute-force attack, and encryption today is usually 128 or 256 bits to avoid this risk.-- ♦Ian Ma c M♦  (talk to me) 09:44, 24 July 2011 (UTC)

Resource
Lax Security Exposes Voice Mail to Hacking, Study Says by KEVIN J. O'BRIEN published New York Times December 25, 2011

99.190.86.5 (talk) 06:47, 28 December 2011 (UTC)


 * Added, thanks for pointing this out.-- ♦Ian Ma c M♦  (talk to me) 07:28, 28 December 2011 (UTC)

potential resource?
Seen on Talk:Smartphone from Popular Mechanics; http://www.popularmechanics.com/technology/gadgets/news/tracking-software-caught-snooping-on-millions-of-smartphone-users-6606335 "Tracking Software Caught Snooping on Millions of Smartphones", "Security researcher Trevor Eckhart has discovered what appears to be a flagrant new intrusion into smartphone users’ privacy: Monitoring software by a company called Carrier IQ that comes automatically installed on Android, Blackberry, and other smartphones, records every interaction a user has with the device, and then beams that information off the phone." by Glenn Derene December 1, 2011 12:00 PM

99.181.153.29 (talk) 05:36, 29 December 2011 (UTC)


 * This is a privacy issue but not quite phone hacking. It has been known for a long time that the location of mobile phones can be tracked by governments, mainly by multilateration, or possibly by GPS. Similar concerns were raised about software on the iPhone in April 2011. This is more suitable for the article mobile phone tracking.-- ♦Ian Ma c M♦  (talk to me) 08:21, 29 December 2011 (UTC)

Article issues
This article is factually incorrect and misleading over a number of key details over which I have been reverted. It needs attention from subject matter experts in the field of:
 * Cryptography (e.g. why the non-use of random numbers by telcos when generating users' default PINs is an issue, and how simple it is to brute force them)
 * Telecoms (e.g. to explain why the handset PIN has nothing to do with the mailbox PIN that is being attacked, and how CallerID can be spoofed)
 * Computer security (e.g. to explain why hacking won't be "prevented" by limiting users' ability to select a few simple PINs like 0000 or 1234) Socrates2008 ( Talk ) 09:07, 25 July 2012 (UTC)


 * As ever, the article is limited to what the sources say. Most mobile phone PINs are four numbers (the same as an ATM PIN), but this is not in the BBC source cited. I did alter the article to make clear that the four digit PIN is issued by the telco rather than the handset manufacturer, and copyedit the part about choosing insecure PINs. If you read through the version of the article that was tagged, both of these issues were addressed. The article is about phone hacking rather than PIN code security as a whole, and the issue of how PIN codes are used is dealt with in more detail in that article.-- ♦Ian Ma c M♦  (talk to me) 09:33, 25 July 2012 (UTC)
 * The sources need improving - here are some suggestions that comply with WP:RS       Socrates2008 ( Talk ) 09:50, 25 July 2012 (UTC)


 * The source at says "Passwords and passcodes are notoriously easily guessed and voicemail passcodes are certainly no different", which is broadly correct, although it does not make a direct comparison with ATM cash machine PINs. The Kevin Mitnick CNET cite is already in the article. There are always going to be difficulties in maintaining good security with a four digit PIN (we are not talking 128 or 256 bit AES here), but most of the News of the World hacking in the 2000s is believed to have involved the default PIN method, which has now been abolished by many mobile phone companies.-- ♦Ian Ma c  M♦  (talk to me) 10:11, 25 July 2012 (UTC)


 * An explanation of Entropy (information theory) is beyond the scope of this article, although anyone should be able to see why choosing numbers such as "1234" for a PIN code is a bad idea, because it so easy to guess. ATMs will swallow the card after three wrong entries, and I believe that many mobile phones will need to be reset if incorrect PINs are repeatedly entered. Systems like these cannot be brute forced by going through all of the 10,000 possibilities (0000-9999).-- ♦Ian Ma c M♦  (talk to me) 10:26, 25 July 2012 (UTC)


 * Here are a few of the items that I have concerns about:
 * "...mobile phones have allowed access to voicemail messages via a landline telephone..." - not true; it's the telco's voicemail system at the backend, not the mobile handset that facilitates this.
 * "As many mobile phone companies used a default PIN that was rarely changed by the owner, it was easy for a person who knew the phone number and the default PIN to access the voicemail messages" - imples that all telcos used the same pin for all accounts. Many used derivates of the phone number, that were unique to each subscriber, but still trivial to guess.  Also past tense suggests that this attack is no longer possible when it still is (albeit not in the UK).
 * "To prevent the choosing of insecure PINs, some mobile phone companies disallow the use of consecutive or repeat digits in PIN codes". There are plenty other weak 4-digit PINs (e.g. the date series starting 1901-2012) that render quick results before attackers have to resort to brute force attacks (which will statistically reveal the answer anyway after only half the possibilities in the keyspace have been checked)
 * "Social engineering may be used to reset the PIN code to the factory default" The VM PIN is unrelated to the handset, so there's no "factory" involved, just a call centre.
 * Article does not highlight that the blame lies with telcos in the first instance for not implementing "secure by design" principles until the UK scandal erupted. e.g. not using randomly generated PINs, not forcing password changes on first use, not using stronger user authentication to frustrate social engineering attacks aimed at getting PINs reset to default, allowing VM access from the handset without requiring a PIN (and thereby allowing callerID spoofing), and allowing subscribers to believe that their default PINs were secret and random like banking PINs, and allowing short (4-digit) PINs that can easily be brute-forced or guessed. Many subscribers only ever used their mobile to access VM, and consequently may never be aware that the mailbox can be accessed from another phone, that there's a PIN for such landline access, what that PIN is or if it has been reset to default by a third party who has been able to impersonate them to a telco.   Net result is that no special hacking "skills" are required to access someone's voicemail - to use an analogy, the key is left in the front door (or at best, under the mat). Socrates2008 ( Talk ) 11:00, 25 July 2012 (UTC)


 * I agree that it is pretty scandalous that telcos went through much of the 2000s with the default PIN system, even though it is absurdly insecure. The same is true of allowing voicemail access without a PIN code, apparently because some people do not like entering them each time they access voicemail. The problem seems to have been striking a balance between security and making the system easy to use, and coming down too heavily in favour of making the system easy to use. Many people who owned mobile phones in the 2000s never realised how easy it would be for a malicious person to access the voicemail, with the resulting scandal that has occurred. The telcos could have done more to predict and prevent this, but specific criticism in this area would need a source.-- ♦Ian Ma c M♦  (talk to me) 11:11, 25 July 2012 (UTC)
 * Refs are not hard to find - link #7 above to begin with... Socrates2008 ( Talk ) 11:20, 25 July 2012 (UTC)
 * This was added. Caller ID spoofing is more of a problem in the USA, and is not supposed to work on UK networks.-- ♦Ian Ma c M♦  (talk to me) 11:59, 25 July 2012 (UTC)

mobileiron.com
This is clearly not a WP:RS because it is a website about a commercial product. Although I accept that it has not been added to promote the company, sources need to be secondary.-- ♦Ian Ma c M♦  (talk to me) 18:02, 26 July 2012 (UTC)
 * They are authorative wrt to the capabilities of their own product. Found a better ref, so little point discussing further.  Cheers Socrates2008 ( Talk ) 08:30, 27 July 2012 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 3 external links on Phone hacking. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20131110182623/http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdropping-tool/2100-1029_3-6140191.html to http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdropping-tool/2100-1029_3-6140191.html
 * Added archive https://web.archive.org/web/20110825102123/http://blogs.abcnews.com/theblotter/2006/12/can_you_hear_me.html to http://blogs.abcnews.com/theblotter/2006/12/can_you_hear_me.html
 * Added archive https://web.archive.org/web/20131103193709/http://www.theregister.co.uk/2007/06/26/cell_hack_geek_spook_stalk/ to http://www.theregister.co.uk/2007/06/26/cell_hack_geek_spook_stalk/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot  (Report bug) 19:02, 22 May 2017 (UTC)