Compromising online accounts by cracking voicemail systems (martinvigo.com)
47 points by archimag0 on June 4, 2019 | 9 comments

Maximum amount of digits I’ve ever seen for a cellular VM system is 11 (among the big public companies). I believe Sprint can handle up to 7, and Verizon allows up to 10. Of course these are digits with no more than 10 combinations for each slot instead of the 70+ alphanumeric offers.

I'm logged into Verizon Wireless and it won't let me go beyond 4 digits.

I saw this live at defcon and it was honestly my favorite talk of the whole con. VMB hacking was somewhat old-school even in the nineties, yet it’s even more powerful today.

If you get a chance, grab his talk from the defcon media server - well worth it.

What is this for? I feel like my voicemail box has nothing of value in it.

For things that require 2FA they will call or SMS but do they really leave a message if they call and you don't pick up?

He demos it working on several popular sites.

He said several sites use your voicemail for password reset.

The number of people who need to access voicemail from any device except the phone itself is tiny.

Just disallow it by default.

Problem solved.

The phone network is not designed to be secure.

Stop papering over gaps and trying to use it as if it were.

I wonder how many people use the same PIN for their voicemail as for their bank accounts?

