Talk:Phone hacking

Editing of this page by new or unregistered users is currently disabled until January 2, 2025 at 06:26 UTC.
See the protection policy and protection log for more details. If you cannot edit this page and you wish to make a change, you can request unprotection, log in, or create an account.

This is the talk page for discussing improvements to the Phone hacking article.
This is not a forum for general discussion of the article's subject.

Put new text under old text. Click here to start a new topic.
New to Wikipedia? Welcome! Learn to edit; get help.

Article policies

Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL

Computer Security: Computing Mid‑importance

This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles

Mid

This article has been rated as Mid-importance on the project's importance scale.

This article is supported by WikiProject Computing.

Things you can help WikiProject Computer Security with:

Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information...

Answer question about Same-origin_policy
Review importance and quality of existing articles
Identify categories related to Computer Security
Tag related articles
Identify articles for creation (see also: Article requests)
Identify articles for improvement
Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc.
Find editors who have shown interest in this subject and ask them to take a look here.

Crime and Criminal Biography Mid‑importance

	This article is within the scope of WikiProject Crime and Criminal Biography, a collaborative effort to improve the coverage of Crime and Criminal Biography articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Crime and Criminal BiographyWikipedia:WikiProject Crime and Criminal BiographyTemplate:WikiProject Crime and Criminal BiographyCrime-related articles
Mid	This article has been rated as Mid-importance on the project's importance scale.

Cryptography: Computer science Mid‑importance

	This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles
Mid	This article has been rated as Mid-importance on the importance scale.
	This article is supported by WikiProject Computer science (assessed as Mid-importance).

Telecommunications Mid‑importance

	Telecommunication portal This article is within the scope of WikiProject Telecommunications, a collaborative effort to improve the coverage of Telecommunications on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.TelecommunicationsWikipedia:WikiProject TelecommunicationsTemplate:WikiProject TelecommunicationsTelecommunications articles
Mid	This article has been rated as Mid-importance on the project's importance scale.

Terminology

Per the discussion at Talk:News of the World phone hacking affair‎, "--AwaisMughal (talk) 15:38, 13 July 2020 (UTC)phone hackinghttps://tips4hacking.com/" is the WP:COMMONNAME in the media.--♦IanMacM♦ ^{(talk to me)} 13:00, 7 July 2011 (UTC)[reply]

Common phone codes

Daniel Amitay's research was widely cited on the web. It is uncontroversial that some people routinely choose obvious PINs (1234 etc), and the use of the dreaded word "blog" does not necessarily mean that it is incorrect, as the population sample taken by Amitay (204,508 passcodes) is large enough to be statistically signficant. Amitay's research is cited here in The Wall Street Journal. Apple took Amitay's research so seriously that it pulled his app from the App Store and accused him of password harvesting, as this CNET story shows.--♦IanMacM♦ ^{(talk to me)} 06:46, 8 July 2011 (UTC)[reply]

204,508 Rustymcelwee (talk) 19:23, 11 September 2017 (UTC)[reply]

Fake base stations

It is possible to set up a fake GSM base station subsystem and use it for phone hacking, as discussed here and here. However, since there is little evidence that this has been used as a technique in real life and has not picked up much media coverage, it is not mentioned in the article.--♦IanMacM♦ ^{(talk to me)} 11:01, 9 July 2011 (UTC)[reply]

Possible incorrect/misleading sentence

"During the early days of mobile phone technology, mobile phones allowed access to voicemail messages via a landline telephone, requiring the entry of a Personal Identification Number (PIN) to listen to the messages."

The beginning of that sentence, "During the early days of mobile phone technology", isn't very accurate to the rest of the sentence. Mobile phones STILL allow access via a landline phone, and this sentence makes it sound like it was only possible "during the early days". The rest of the paragraph, which talks about default PINs and caller ID spoofing, is talking about things that happened back then, so maybe one of those sentences should start like that? Bkid ^{My talk}/_Contribs 06:17, 17 July 2011 (UTC)[reply]

Done The wording was slightly misleading. The point made in the BBC citation is that during the early years, battery life and network coverage on mobile phones were poor, making remote voicemail retrieval essential. Today it is much less essential, and some security experts say that there should be an option to turn it off altogether, which is a feature not available on some networks.--♦IanMacM♦ ^{(talk to me)} 06:26, 17 July 2011 (UTC)[reply]

Thanks. Glad I wasn't the only one who thought it sounded a bit off. Bkid ^{My talk}/_Contribs 16:06, 19 July 2011 (UTC)[reply]

GSM cracking

The website SOS Technology is commercial and not a secondary reliable source. Governments can tap any phone call if desired, but phone hacking relates to activity by non-government agencies. There is a similar website here. It is hard to prove whether this technique has fallen into the wrong hands, and it is not one of the common techniques used by journalists and private detectives. 64 bit encryption would be considered weak nowadays because of the risk of brute-force attack, and encryption today is usually 128 or 256 bits to avoid this risk.--♦IanMacM♦ ^{(talk to me)} 09:44, 24 July 2011 (UTC)[reply]

Resource

Lax Security Exposes Voice Mail to Hacking, Study Says by KEVIN J. O'BRIEN published New York Times December 25, 2011

99.190.86.5 (talk) 06:47, 28 December 2011 (UTC)[reply]

Added, thanks for pointing this out.--♦IanMacM♦ ^{(talk to me)} 07:28, 28 December 2011 (UTC)[reply]

potential resource?

Seen on Talk:Smartphone from Popular Mechanics; http://www.popularmechanics.com/technology/gadgets/news/tracking-software-caught-snooping-on-millions-of-smartphone-users-6606335 "Tracking Software Caught Snooping on Millions of Smartphones", "Security researcher Trevor Eckhart has discovered what appears to be a flagrant new intrusion into smartphone users’ privacy: Monitoring software by a company called Carrier IQ that comes automatically installed on Android, Blackberry, and other smartphones, records every interaction a user has with the device, and then beams that information off the phone." by Glenn Derene December 1, 2011 12:00 PM

99.181.153.29 (talk) 05:36, 29 December 2011 (UTC)[reply]

This is a privacy issue but not quite phone hacking. It has been known for a long time that the location of mobile phones can be tracked by governments, mainly by multilateration, or possibly by GPS. Similar concerns were raised about software on the iPhone in April 2011.[1] This is more suitable for the article mobile phone tracking.--♦IanMacM♦ ^{(talk to me)} 08:21, 29 December 2011 (UTC)[reply]

Article issues

This article is factually incorrect and misleading over a number of key details over which I have been reverted. It needs attention from subject matter experts in the field of:

Cryptography (e.g. why the non-use of random numbers by telcos when generating users' default PINs is an issue, and how simple it is to brute force them)
Telecoms (e.g. to explain why the handset PIN has nothing to do with the mailbox PIN that is being attacked, and how CallerID can be spoofed)
Computer security (e.g. to explain why hacking won't be "prevented" by limiting users' ability to select a few simple PINs like 0000 or 1234) Socrates2008 (Talk) 09:07, 25 July 2012 (UTC)[reply]

As ever, the article is limited to what the sources say. Most mobile phone PINs are four numbers (the same as an ATM PIN), but this is not in the BBC source cited. I did alter the article to make clear that the four digit PIN is issued by the telco rather than the handset manufacturer, and copyedit the part about choosing insecure PINs. If you read through the version of the article that was tagged, both of these issues were addressed. The article is about phone hacking rather than PIN code security as a whole, and the issue of how PIN codes are used is dealt with in more detail in that article.--♦IanMacM♦ ^{(talk to me)} 09:33, 25 July 2012 (UTC)[reply]

The sources need improving - here are some suggestions that comply with WP:RS [2] [3] [4] [5] [6] [7] Socrates2008 (Talk) 09:50, 25 July 2012 (UTC)[reply]

The source at [8] says "Passwords and passcodes are notoriously easily guessed and voicemail passcodes are certainly no different", which is broadly correct, although it does not make a direct comparison with ATM cash machine PINs. The Kevin Mitnick CNET cite is already in the article. There are always going to be difficulties in maintaining good security with a four digit PIN (we are not talking 128 or 256 bit AES here), but most of the News of the World hacking in the 2000s is believed to have involved the default PIN method, which has now been abolished by many mobile phone companies.--♦IanMacM♦ ^{(talk to me)} 10:11, 25 July 2012 (UTC)[reply]

An explanation of Entropy (information theory) is beyond the scope of this article, although anyone should be able to see why choosing numbers such as "1234" for a PIN code is a bad idea, because it so easy to guess. ATMs will swallow the card after three wrong entries, and I believe that many mobile phones will need to be reset if incorrect PINs are repeatedly entered. Systems like these cannot be brute forced by going through all of the 10,000 possibilities (0000-9999).--♦IanMacM♦ ^{(talk to me)} 10:26, 25 July 2012 (UTC)[reply]

Here are a few of the items that I have concerns about:

"...mobile phones have allowed access to voicemail messages via a landline telephone..." - not true; it's the telco's voicemail system at the backend, not the mobile handset that facilitates this.
"As many mobile phone companies used a default PIN that was rarely changed by the owner, it was easy for a person who knew the phone number and the default PIN to access the voicemail messages" - imples that all telcos used the same pin for all accounts. Many used derivates of the phone number, that were unique to each subscriber, but still trivial to guess. Also past tense suggests that this attack is no longer possible when it still is (albeit not in the UK).
"To prevent the choosing of insecure PINs, some mobile phone companies disallow the use of consecutive or repeat digits in PIN codes". There are plenty other weak 4-digit PINs (e.g. the date series starting 1901-2012) that render quick results before attackers have to resort to brute force attacks (which will statistically reveal the answer anyway after only half the possibilities in the keyspace have been checked)
"Social engineering may be used to reset the PIN code to the factory default" The VM PIN is unrelated to the handset, so there's no "factory" involved, just a call centre.
Article does not highlight that the blame lies with telcos in the first instance for not implementing "secure by design" principles until the UK scandal erupted. e.g. not using randomly generated PINs, not forcing password changes on first use, not using stronger user authentication to frustrate social engineering attacks aimed at getting PINs reset to default, allowing VM access from the handset without requiring a PIN (and thereby allowing callerID spoofing), and allowing subscribers to believe that their default PINs were secret and random like banking PINs, and allowing short (4-digit) PINs that can easily be brute-forced or guessed. Many subscribers only ever used their mobile to access VM, and consequently may never be aware that the mailbox can be accessed from another phone, that there's a PIN for such landline access, what that PIN is or if it has been reset to default by a third party who has been able to impersonate them to a telco. Net result is that no special hacking "skills" are required to access someone's voicemail - to use an analogy, the key is left in the front door (or at best, under the mat). Socrates2008 (Talk) 11:00, 25 July 2012 (UTC)[reply]

I agree that it is pretty scandalous that telcos went through much of the 2000s with the default PIN system, even though it is absurdly insecure. The same is true of allowing voicemail access without a PIN code, apparently because some people do not like entering them each time they access voicemail. The problem seems to have been striking a balance between security and making the system easy to use, and coming down too heavily in favour of making the system easy to use. Many people who owned mobile phones in the 2000s never realised how easy it would be for a malicious person to access the voicemail, with the resulting scandal that has occurred. The telcos could have done more to predict and prevent this, but specific criticism in this area would need a source.--♦IanMacM♦ ^{(talk to me)} 11:11, 25 July 2012 (UTC)[reply]

Refs are not hard to find - link #7 above to begin with... Socrates2008 (Talk) 11:20, 25 July 2012 (UTC)[reply]

This was added. Caller ID spoofing is more of a problem in the USA, and is not supposed to work on UK networks.[9]--♦IanMacM♦ ^{(talk to me)} 11:59, 25 July 2012 (UTC)[reply]

mobileiron.com

This is clearly not a WP:RS because it is a website about a commercial product. Although I accept that it has not been added to promote the company, sources need to be secondary.--♦IanMacM♦ ^{(talk to me)} 18:02, 26 July 2012 (UTC)[reply]

They are authorative wrt to the capabilities of their own product. Found a better ref, so little point discussing further. Cheers Socrates2008 (Talk) 08:30, 27 July 2012 (UTC)[reply]

External links modified

Hello fellow Wikipedians,

I have just modified 3 external links on Phone hacking. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 19:02, 22 May 2017 (UTC)[reply]