Hijacking online accounts through voicemail

Hardly anyone uses voicemail these days, yet many mobile subscribers still have the service, and it's still in good working order.
But don't think for a second that just because you don't use it, no one else does. Recently, security researchers demonstrated how hackers can compromise online accounts by cracking voicemail systems.

Most operators allow access to your voice mailbox not only from your own phone but also from an external phone number. That access is protected with a PIN, which is often far from secure because a lot of subscribers keep the default codes set by the operator, such as 1111 or 1234.

Moreover, even if the subscriber bothers to change the PIN, the probability of it being guessed is still fairly high: as other research shows, when it comes to thinking up PINs, people are even less inventive than they are with passwords.

Many users opt for easy-to-remember strings of four identical digits or combinations such as 1234, 9876, 2580 (the middle vertical row on the phone keypad), and ones beginning with 19xx.
Remember, everything can be hacked. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company's network. These tests include penetration testing and ethical hacking tests.

Because WhatsApp is very popular among consumers, businesses, and government agencies, hackers will always keep looking for opportunities to run scams.
WhatsApp has become one of the main communication channels, used for sensitive conversations ranging from confidential corporate and government information to criminal incrimination.

To make things even worse, there is no need to enter all combinations manually, because the job can be done by a script that calls the voicemail number and enters different combinations in tone mode.
You might think, “There’s nothing valuable in my voicemail,” but that is not true.
Here is how hackers can hijack your PayPal and WhatsApp accounts using your voicemail.

Many of the largest online services offer the option to call you on the phone number specified in your profile in order to supply a verification code that can be used to change your password.
A hacker who has broken your voicemail PIN waits until the victim’s phone is turned off or out of range. Then they simply initiate a password reset in the online service and select a phone call as the verification option; that call goes straight to voicemail.

Other online services use a slightly different verification process, which redials the phone number that is associated with the account and prompts the user to enter the numbers displayed on the password reset page as verification. This security measure can also be bypassed with the help of a simple trick that involves setting the voicemail greeting message to a recording of the keypad tones that correspond to the digits in the reset code.

Keep in mind that those are just a couple of examples; many more services use an automated voice call to verify a password reset or to transmit a one-time two-factor authentication code.

If you want to be more cyber-secure, follow these simple steps:
• If you don’t use voicemail, disable it.
• If you need it, use a secure PIN that is longer than four digits.
• Don’t post your phone number to your online social accounts.
• Do not associate your phone number with an online service if it’s not required as a precondition or used for a two-factor authentication system.
• If you need two-factor authentication, don’t use your phone; ideally, use an app like Google Authenticator or a hardware device such as a YubiKey.
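
A PIN check that applies the advice above, rejecting the weak patterns named earlier (defaults, identical digits, runs like 1234 or 9876, the 2580 keypad column, 19xx years) and anything not longer than four digits. This is an added example, not code from the original article; the function names, the reversed keypad column, the 20xx year prefix, and the sample PINs are assumptions, and the run check generalizes to PINs of any length.

```python
import re

# Added example, not from the article. Names and sample PINs are constructed.
KEYPAD_COLUMNS = ("2580", "0852")  # 2580 is named in the article; the reverse is an assumption
YEAR_PREFIX = re.compile(r"(19|20)\d\d")  # the article names 19xx; 20xx is an assumption


def is_run(pin: str) -> bool:
    """True if each digit is exactly +1 (1234) or exactly -1 (9876) from the last."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_weaknesses(pin: str, min_len: int = 5) -> list:
    """Return every reason the PIN is weak; an empty list means it passed."""
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not numeric"]
    found = []
    if len(pin) < min_len:  # the article asks for more than four digits
        found.append("too short")
    if len(set(pin)) == 1:
        found.append("identical digits")
    if is_run(pin):
        found.append("sequential digits")
    if any(col in pin for col in KEYPAD_COLUMNS):
        found.append("keypad column")
    if YEAR_PREFIX.match(pin):
        found.append("looks like a year")
    return found


def audit(pins):
    """Map each candidate PIN to its list of weaknesses."""
    return {pin: pin_weaknesses(pin) for pin in pins}


if __name__ == "__main__":
    # Constructed candidates: the article's examples plus two longer PINs.
    samples = ["1111", "1234", "9876", "2580", "1987", "123456", "840273"]
    for pin, reasons in audit(samples).items():
        print(pin, "REJECT: " + ", ".join(reasons) if reasons else "ok")
```

A longer PIN is not automatically a good one: 123456 passes the length rule but is still rejected as a run.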

We will continue to monitor this cyber problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; tests like this include penetration testing and ethical hacking.