The recent settlement between Prince Harry and Rupert Murdoch’s newspaper group (Wednesday, 22nd Jan 2025) emphasised the need for greater security for users accessing mobile voicemails.
It appears that private investigators working for The Sun were able to dial into common voicemail access numbers provided by phone companies. Armed with the subjects’ mobile numbers and their often all-too-guessable “PINs,” they could listen to and often record their voicemails to obtain information that would later be turned into ill-gotten news stories.
Often the PINs were extremely simple (the telecom companies assuming that savvy phone users would change the “starter” PIN they were issued with, such as 0000, 1234 or the last four digits of the mobile number). However, some tech friends suspect that even where users had changed them, they may only have opted for equally guessable PINs, such as their birth year (and why should the onus of introducing complexity fall entirely on them?).
How much better, then, if users of mobile accounts didn’t have to devise secure passwords (vulnerable to traditional threats like phishing, interception or capture) but instead could use one-time passcodes (OTPs), which would be different each time? In other words, by designing systems around current technologies, telecoms providers could, at a stroke, build in an element of ‘security by design’, rendering customers’ voicemails safe from the ears and recording machines of private eyes, and saving certain media groups from the temptation to break privacy rules.
This argument could be extended to many other sectors of the online and telecommunications worlds, such as access codes for bank accounts. My own bank asks for randomly selected characters from a four-digit ‘PIN’ and a few characters from an ‘incremental password’, which always worries me: a man-in-the-middle attacker who captures what I type could ask for the operation to be repeated, hoping to glean further characters until the whole secret is known. Again, why not make the whole thing ‘fresh’ every time, so there isn’t a fixed code to be captured? Greater security could so easily be designed in.
Using OTPs instead of fixed PINs would significantly reduce or even prevent unauthorised access for the following four reasons:
1. Eliminate reliance on weak or default PINs:
- Many users fail to change the default PINs (e.g., “0000” or “1234”) they’re given or choose weak ones that are easy to guess.
- OTPs eliminate this vulnerability by requiring a unique, dynamically generated code for each login attempt.
2. Reduce the impact of stolen or shared credentials:
- Fixed PINs can be obtained through social engineering, phishing, or brute-force attacks.
- OTPs delivered securely (in our case via Shayype) would render attempting to intercept credentials pointless.
3. Prevent automated hacking techniques:
- In the past, hackers or journalists may have used software to repeatedly try numerous PIN combinations.
- OTPs would thwart such attacks since the characters would change for each access attempt and cannot be re-used.
4. Dynamic authentication discourages complacency:
- Fixed PIN systems rely on users updating their PINs periodically, but many fail to do so.
- An OTP system such as Shayype would introduce an element of security by design without requiring user action.
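The four points above all rest on one property: a code that is consumed on use cannot be guessed from a default, captured and replayed, or tried again by a script. The following Python example is added here to make that concrete; it is not Shayype’s code or the page’s own, and it assumes a standard HMAC-based one-time password (RFC 4226 HOTP) as the code generator, a shared secret the phone company would provision into the subscriber’s app, and a constructed voicemail-server model with a small look-ahead window and a lockout counter. A fixed-PIN account is modelled alongside it so the replay behaviour of the two schemes can be compared directly.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumption: 6-digit codes, the RFC 4226 default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class FixedPinAccount:
    """Constructed model of today's voicemail login: one static PIN, checked each call."""

    def __init__(self, pin: str):
        self.pin = pin

    def verify(self, candidate: str) -> bool:
        # The same captured PIN is accepted every time it is presented.
        return hmac.compare_digest(self.pin, candidate)


class OtpVoicemailAccount:
    """Constructed server-side model: shared secret, moving counter, look-ahead window, lockout."""

    def __init__(self, secret: bytes, look_ahead: int = 3, max_failures: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few codes generated but never submitted
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        for i in range(self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, self.counter + i), candidate):
                # Consume this counter and every earlier one: the code can never be accepted again.
                self.counter += i + 1
                self.failures = 0
                return True
        # Each wrong guess counts towards lockout, so scripted guessing stalls quickly.
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def replay_outcomes(secret: bytes = b"12345678901234567890") -> dict:
    """Present one captured credential twice to each scheme and report whether the replay got in."""
    fixed = FixedPinAccount("1234")            # the kind of default PIN the article describes
    otp_account = OtpVoicemailAccount(secret)   # constructed shared secret (RFC 4226 test key)

    captured_pin = "1234"
    captured_code = hotp(secret, 0)             # code the subscriber's app shows for this login

    return {
        "fixed_pin_first_use": fixed.verify(captured_pin),
        "fixed_pin_replay": fixed.verify(captured_pin),
        "otp_first_use": otp_account.verify(captured_code),
        "otp_replay": otp_account.verify(captured_code),
    }


def guessing_is_locked_out(secret: bytes = b"12345678901234567890") -> bool:
    """Show that a handful of wrong codes locks the account, so a script cannot grind through codes."""
    acct = OtpVoicemailAccount(secret, max_failures=5)
    for guess in ("000000", "111111", "123456", "654321", "999999"):
        acct.verify(guess)
    # Even the genuinely correct next code is refused once the account is locked.
    return acct.locked and not acct.verify(hotp(secret, 0))


if __name__ == "__main__":
    print(replay_outcomes())
    print("locked out after repeated wrong guesses:", guessing_is_locked_out())
```

The `look_ahead` window is a real-world compromise: it lets a subscriber recover if their app generated a code that was never submitted, while still refusing any code at or below the counter the server has already consumed. The lockout threshold is a policy choice; the point is that a one-time code scheme gives the operator a natural place to enforce it, whereas a static PIN that is accepted on every call gives the subscriber nothing but their own diligence.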
The reader may wonder whether OTPs delivered in the form of “verification codes” sent to users’ phones may be the answer. However, delivering codes via SMS or email has well-known disadvantages, such as the risk of codes falling into the wrong hands if the mobile account is taken over (through SIM swapping), allowing attackers to intercept the codes.
What we think
Replacing fixed PINs with one-time codes (via Shayype) would add a highly effective layer of security (by design) to prevent unauthorised voicemail access from journalists, “investigators” or hackers. Combined with additional security measures, it could render voicemail hacking nearly impossible.
Would this make Hugh Grant and Prince Harry happy?
We think so.