Voicemail Security Recommendation for Users
It is recognized that most mobile users are not particularly concerned about, or have any great need for, Voicemail security. However, it is important that you fully understand the security risks associated with the use of Voicemail services, how you could be exposed to those risks and what you can do to protect yourselves. The advice below is offered to all customers, and the necessary enablers are in place for those mobile users who wish to enhance their protection levels. In that regard, the guidance that follows may be useful and informative for our subscribers.
Choosing PINs
Users can choose a PIN that is longer than 4 digits. The PIN should not be one that can be easily guessed. When choosing a PIN the following should be avoided:
- Repeated numbers (e.g. 1111)
- Sequential numbers (e.g. 2345)
- Patterns related to the keypad on mobile devices (e.g. 2580)
- Dates of birth (e.g. 2812 for the 28th of December or 1279 for December 1979) as these can often be found on social networking or other Internet sites.
- PINs that are used for other purposes such as banking.
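The list above can also be applied as a check at the moment a PIN is set. The following is an added example, not code from the operator; the function names, the 4-digit minimum, and the keypad and date heuristics are assumptions, and the sample PINs are constructed.

```python
from datetime import date

# (row, column) of each key on a standard phone keypad; 0 sits under 8.
KEYPAD = {d: divmod(i, 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)

def _valid_day(day, month):
    try:
        date(2000, month, day)  # leap year, so 29 February is accepted
        return True
    except ValueError:
        return False

def looks_like_date(pin):
    """4 digits: DDMM, MMDD or MMYY. 6 or 8 digits: DDMMYY or DDMMYYYY."""
    a, b = int(pin[:2]), int(pin[2:4])
    if len(pin) == 4:
        return _valid_day(a, b) or _valid_day(b, a) or 1 <= a <= 12
    if len(pin) == 6:
        return _valid_day(a, b)
    return len(pin) == 8 and _valid_day(a, b) and pin[4:6] in ("19", "20")

def weaknesses(pin, other_pins=()):
    """Return the rules a candidate PIN breaks; an empty list means none."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 4:  # assumed minimum
        return ["not a PIN of at least 4 digits"]
    found = []
    # Digit-to-digit steps modulo 10, so 7890 and 0987 count as runs too.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {0}:
        found.append("repeated")
    if steps in ({1}, {9}):
        found.append("sequential")
    # Heuristic: every move goes to a neighbouring key (e.g. 2580, 1478).
    keys = [KEYPAD[d] for d in pin]
    if all(max(abs(r1 - r2), abs(c1 - c2)) == 1
           for (r1, c1), (r2, c2) in zip(keys, keys[1:])):
        found.append("keypad pattern")
    if looks_like_date(pin):
        found.append("date")
    if pin in other_pins:  # PINs the user already uses elsewhere, e.g. banking
        found.append("reused")
    return found

if __name__ == "__main__":
    for sample in ("1111", "2345", "2580", "2812", "1279", "739402"):  # constructed
        print(sample, weaknesses(sample) or "ok")
```

The date and keypad checks are deliberately broad, so they will also reject some PINs that were not chosen as a date or a pattern.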
Changing PINs
Users who are concerned about protecting sensitive information that may be contained in messages left in their Voicemail should change their PIN regularly, as this represents good security practice. Quite aside from routine PIN changes, mobile users should immediately change their Voicemail PIN if they believe it may have been observed or compromised by a third party in any way. This can be done either by calling customer care line 100 (prepaid) / 200 (postpaid) or by calling the voicemail 132 and following the voice prompts to change the PIN.
Alert to Compromise
If somebody unauthorized has listened to your Voicemail messages, that person has the option to delete or keep the messages. If messages are retained, the Voicemail service will generally indicate that the mobile user has “one saved message” rather than “one new message”. If a mobile user hears the first announcement (“one saved message”), followed by a message that they are hearing for the first time, this could indicate mailbox compromise. Consequently, users should listen carefully and take note of whether messages they are hearing for the first time are classified as new or old/saved.
Leaving Sensitive Information in Voice Messages
As has been highlighted above, Voicemail systems can be compromised so anybody prompted to leave a Voicemail message for a mobile user should exercise caution in terms of the contents of the message to be left. Those leaving messages should refrain from leaving sensitive information such as credit card details etc. in Voicemail messages.
Overheard Calls
Users should always be conscious of where they are and who may be listening in the vicinity when they make or receive telephone calls, be they to mobile or other telephone users. Calls made from, or received in, public places such as airport lounges and railway stations can be easily overheard and have the potential to divulge much more sensitive information than what could be gleaned from a brief Voicemail message.
Call Back Risks
Users should be careful when replying to Voicemail messages, as systems that allow users to call numbers from which messages originated can be targeted by those seeking to profit from phishing or premium rate call scams. Users should be aware that calling premium rate numbers can result in significant call costs, and calls from these numbers should not be returned unless the user is satisfied that the message and caller are genuine.
Increased Value of Voicemail Boxes
Mobile users should be aware that Voicemail systems may be part of two-factor authentication schemes (where one-time PINs are read by a computer) or account recovery procedures, all of which increases the value of a Voicemail account and thereby also the motivation for attackers. If users have provided their mobile phone number to a service which might use that number for purposes such as two-factor authentication or account recovery, they should be careful to protect their Voicemail account adequately, e.g. by setting a PIN which is longer than the default PIN length.