PCMag.com explains the startling simplicity of the hack:
The alleged actions of the tabloid’s cell phone-hacking employees may beggar belief, Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, told PC Mag Wednesday. But their techniques for accessing other people’s private mail boxes were probably very simple.
The first big revelation in the scandal that made big news in the U.K. was the alleged hacking, by a private detective retained by News of the World, of 13-year-old Milly Dowler’s phone following her 2002 abduction. Dowler’s dead body was found six months after her abduction.
Given the timeframe, Mahaffey said a simple caller ID spoof would have allowed the private investigator, Glenn Mulcaire, to hack Dowler’s voice mail box. Accessing the voice mails on the victim’s phone may not have even required a PIN number back in 2002, Mahaffey said.
“Around that time period, a lot of voice mail systems used caller ID to identify if this is the phone number that owns this inbox, and you wouldn’t even have to use your password,” he said. “You would dial, say, ‘*86,’ and you’d get your inbox. If a person spoofed their caller ID, they’d get the messages that belong to you.
“That’s largely been fixed. I can’t speak to every single voice mail system in the world, but we worked with a lot of the network operators to fix that.”
Spoofing a caller ID was—and is—pretty easy, Mahaffey added.
“There are a lot of free applications that allow you to spoof a caller ID,” he said. “It’s not very hard to do at all. School kids can do it.”
Getting a person’s personal phone number to spoof could be accomplished by finding it in publicly available documents such as student listings, or these days, on social networking sites like Facebook. A bit of social engineering with real people who know or could access the number would accomplish the same thing, Mahaffey said.