July 22, 2011 -- The phone hacking scandal that led to the demise of News of the World and put News Corp. CEO Rupert Murdoch in the hot seat highlights just how easy it is for predators to break into cell phones.
Your phone can be hacked two ways: "hacking into your cellphone as you're on the phone or hacking into your voicemail," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corp.
The first method -- breaking into your phone while you're talking on it -- is difficult, says Rasch. A hacker would need to hack into your cell phone provider or corrupt an employee who works for the company to listen in on a conversation.
The second method -- breaking into voice mail -- is not so tough. It involves installing a program that would allow the hacker to capture and intercept phone calls. "It is very easy to do, and that's typically because voicemail is secured with a short four digit number. It can be hacked, spoofed, guessed and social engineered," says Rasch.
What makes it so easy? Blame yourself. Most people choose simplistic passwords that are easy for hackers to guess. "The most common pass code is the last four digits of your phone number," says Rasch.
"People want something easy to remember and easy to type at 75 miles per hour with a cup of coffee in the hand and the cell phone in the other," says Rasch. "They'll pick the same pin number for ATM, cell phone and a dozen other things. It's just human nature."
To avoid these pitfalls, some say passwords should be automated or randomly selected.
"You shouldn't be able to pick your password or pass code," says Daniel Amitay, an iPhone developer. "It should be randomized. The problem with pass codes and passwords is people pick them."
Amitay created the Big Brother application that installed a screen to allow consumers to add an additional layer for password protection. It used the Big Brother Camera security to record common user pass codes and found the 10 most common pass codes used by iPhone users. In addition to 1234 and 0000, the other most common pass codes were 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998.
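The passcode habits described above can be turned into a defensive check. This is an added example, not code from the article or from Amitay's app: it rejects the ten listed pass codes and the last four digits of the phone number, and assigns a random PIN instead of letting the user pick one. The rules for two or fewer distinct digits, consecutive runs and year-like codes are assumptions generalized from the listed codes.

```python
import secrets

# The ten most common pass codes listed in the article.
COMMON = {"1234", "0000", "2580", "1111", "5555",
          "5683", "0852", "2222", "1212", "1998"}

def weakness(pin, phone_number=""):
    """Return the reason a 4-digit PIN is weak, or None if it passes."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return "not four digits"
    phone_digits = "".join(c for c in phone_number if c in "0123456789")
    if phone_digits and pin == phone_digits[-4:]:
        return "last four digits of phone number"
    if pin in COMMON:
        return "on the common pass code list"
    # Assumed rule: catches 1111, 1212, 1122 and similar patterns.
    if len(set(pin)) <= 2:
        return "two or fewer distinct digits"
    # Assumed rule: every step is +1 or every step is -1 (mod 10).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return "consecutive digits"
    # Assumed rule: birth-year style codes such as 1998.
    if pin[:2] in ("19", "20"):
        return "looks like a year"
    return None

def assign_pin(phone_number=""):
    """Pick a PIN with a CSPRNG, resampling until it passes the policy."""
    while True:
        pin = f"{secrets.randbelow(10_000):04d}"
        if weakness(pin, phone_number) is None:
            return pin

def surviving_pins(phone_number=""):
    """Count how many of the 10,000 possible PINs the policy still allows."""
    return sum(weakness(f"{n:04d}", phone_number) is None
               for n in range(10_000))

if __name__ == "__main__":
    sample_phone = "(555) 010-4567"  # constructed sample number
    for candidate in ("1234", "4567", "2580", "7391"):
        print(candidate, "->", weakness(candidate, sample_phone) or "ok")
    print("assigned:", assign_pin(sample_phone))
    print("allowed PINs:", surviving_pins(sample_phone))
```
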
All eyes have been trained on News Corp. in recent weeks, following allegations that the now-defunct News of the World hacked the phones of more than 4,000 politicians, crime victims and celebrities.
But at the center of the firestorm was Milly Dowler, a 13-year-old murder victim whose cell phone was hacked by journalists on the hunt for a big scoop. When the teenager disappeared in early 2002, reporters allegedly listened to the dead girl's voicemail and deleted messages on the system, tainting the investigation and creating false hope among the victim's family members that she might still be alive.
While it's unclear exactly how the reporters gained access to Milly Dowler's voicemail, one lesson emerges: It wasn't too hard.
Social engineering -- the art of getting people to inadvertently divulge information through seemingly innocuous questions -- is one way, and it's as simple as going on a website and tricking a system or individual. For example, Christopher Soghoian, a fellow at the Center for Applied Cybersecurity Research, in a quick email shared a website called phonegangster.com. The website can send visitors directly to a voicemail account, where they can insert a pass code by spoofing a phone number.
"If I can trick the system into thinking I'm calling from your phone, I don't even need the pin number," says Rasch.
Pretexting, the practice of getting personal information by using deceptive tactics, is another method for obtaining phone records. In 2006, Hewlett Packard brought "pretexting" into the limelight after it was revealed the company used it to obtain the phone records of journalists and board members.
As smartphone usage continues to grow, consumers must consider new ways to stay safe.
Tracey Hawkins, at Safety and Security Source, offered critical tips for smartphone users:
Disable your Bluetooth. If enabled, it's like leaving your phone open, as Bluetooth is an open connection.
Beware of public Wi-Fi. Wi-Fi is not secure, because it opens an account to anyone. Malware and spyware can infect a phone in the exact same way they infect a computer. If you get an SMS text, don't click on it -- like Bluetooth, it opens your phone and makes your account vulnerable.
Create better passwords. A group of computer programmers compiled a list of the Top 500 Worst Passwords of All Time. The soon-to-be updated list is an example of how predictable passwords or pass codes can be. "Approximately one out of every nine people uses at least one password on the list," according to What's My Pass.
"Create reasonably difficult pin numbers, consider more secure forms of communication, delete voicemail messages you don't need any more," says Rasch.
While there's no application to keep your phone from harm, the growing usage of apps makes your pin codes ever more vulnerable.
"We're downloading a bunch of applications," says Rasch. "When was the last time you downloaded something to your home phone? You don't. It's just a phone."
A smartphone, which is basically a mini-portable computer, has programs that can be hacked just like a laptop or a desktop.
"You're running programs that could cause security problems," says Rasch. The three most important words for passcode and password safety are "mix it up," he says. Make sure your passwords are "not the same thing, not four consecutive numbers, no pin numbers and don't keep all your voicemails forever."