Voice-mail systems are anything but secure

Published July 13, 1998|Updated Sept. 13, 2005

When voice-mail systems were still a novelty, experts advised leaving short, precise, anger-free messages. They said the system was vulnerable, and it was best to be concise and cool to avoid embarrassing sound bites.

The novelty has passed but not the vulnerability. Yet many businesses, especially sales-oriented companies with employees in many time zones, are using voice mail as a primary method of communication. Further, much like messages on the Internet, voice mail can be saved, copied, altered, stolen and transferred.

"Voice mail is immortal, and it can develop legs and end up all kinds of places," said Paul Saffo, research fellow at the Institute for the Future in Palo Alto, Calif. "People have learned that e-mail can come back later to haunt them, but they haven't learned that as quickly about voice mail. ... It isn't conversation that evaporates."

Chiquita Brands International Inc. learned this recently when more than 2,000 voice-mail messages among executives were used as a primary source in an 18-page Cincinnati Enquirer report that questioned the corporation's business practices.

In a 47-page lawsuit, Chiquita charged that reporter Mike Gallagher used past and present Chiquita employees to gain access to the voice-mail messages and raided the password-protected voice-mail boxes. The suit charges Gallagher, who has been fired, with defamation, trespass, conspiracy, fraud and violation of electronic communications and privacy laws.

The newspaper has retracted the series, agreed to pay Chiquita $10-million and has published a front-page apology to Chiquita over three days, saying that Gallagher improperly obtained the messages. The Hamilton County sheriff is investigating the case, and a special county prosecutor has been appointed to look into the matter.

Neither Gallagher nor his attorney, Patrick Hanley, could be reached for comment about the lawsuit.

Chiquita Brands president and CEO Steven Warshaw called Gallagher's alleged actions "an old-fashioned burglary. ... It's no different from breaking and entering."

Hackers of all types have delighted in breaking into voice-mail boxes since the technology became available. In 1990, two teenagers from Staten Island, N.Y., allegedly broke into a computerized mail system owned by International Data Group, changed recorded greetings to lewd messages, made bomb threats and erased customers' messages. Also that year, California hackers allegedly penetrated computer systems at Pacific Bell and one used by the U.S. Army to intercept phone information.

Even personal messages fall prey. Several years ago, an unknown New York woman left a voice-mail message describing her previous night's date on the machine of a male friend. In a matter of days, the message had been copied and forwarded like a verbal chain letter throughout the man's company and to hundreds of businesses across the country.

When companies rely heavily on voice mail to do business, Saffo said, it is common for one person to leave a long message detailing his thoughts and ideas. The recipient can tack on his response to the original message and send it back and also forward a copy to a third colleague. These extensive voice mails with additions and questions are copied and sent around like e-mails.

"Employees very quickly learn which culture is preferred and conform to it," Saffo said.

At Chiquita, a Cincinnati-based company that does business in many different time zones, the voice-mail system receives up to 12,500 new messages each week. As in many businesses, each employee's voice-mail box is protected by a personal password, and each employee chooses a password.

According to the company's lawsuit, there is no systemwide code to access multiple voice-mail boxes and no centralized list of employee passwords. No one has the authority to listen to, copy, or disseminate voice-mail messages without the employee's permission.

Makers of voice-mail equipment say breaking into systems and getting messages without inside help is difficult, but others say voice mail is vulnerable to predators. One publication even updates readers with new pointers on how to break in to various voice-mail systems, according to Jim Ross, an electronics security consultant in Sterling, Va.

Ross said vendors sell tape recordings of phone signaling tones that can be played over the phone to give voice-mail computers instructions that enable hackers to access files. He said it is possible for company employees to make tapes of messages or transmit them to an outside system from which tapes could be made.

"You'd have to know the name of your target and his phone number and the codes to punch in to access his messages," said Ross. "But getting those things isn't difficult."

Pete Bucter, director of corporate communications for Octel, the messaging division of Lucent Technologies, contends that it is rare for voice-mail systems to be attacked by outsiders without inside help.

Nonetheless, technology is moving ahead to make these systems more secure. Before long, says Bucter, systems will be programed to recognize a specific individual's voice so that punching in security codes won't be necessary.