March 16, 2006

Qwest Voice Mail setting is unsecured

I've had Qwest voice mail for a number of years now (probably around 10). I've always had it set to ring 4 times before going over to voice mail; 4 is a pretty reasonable number of rings IMHO.

Recently, the phone would ring 2 times and then go to voice mail, making for numerous missed calls (some of which were telemarketers, so i didn't mind THAT much). Obviously, someone or some interal Qwest system changed that value from 4 to 2 for me as I didn't even know how to change it.

I finally got tired of sprinting to the telephone to pick it up before 2 rings, so I searched Qwest for the answer on how to change this voice mail setting and came up with the answer.

So, I called 800-669-7676 per the instructions, entered in only my telephone number and chose the number of rings (2-8 is allowed). Reread the last sentence. Notice how I did NOT need to type in my account password, last 4 digits of my social or use my account code (as found on my monthly statement).

Just to be sure I didn't make sure I didn't 'miss' something, I tried again and again was able to change my voice mail settings w/o providing any real authentication credentials.

THE SYSTEM ALLOWS ANYONE TO CHANGE ANYONE ELSE'S VOICE MAIL SETTINGS!!!!!!!!!!!!

From a privacy/security standpoint, this annoyed me, so I called 800-669-7676 again, punched the zero key a whole bunch of times so I could actually talk to someone, and asked about this. The response I received is that since the number of rings for voice mail is a low priority thing, that "it is unnecessary" to secure it. I asked if the changes were logged (because I wanted to find out when my account got changed from 4 to 2 rings) but that information was unavailable. Ok, I grant you the value of the asset in question here (# of rings) is low, but it is just the premise here that is troubling:

1) Why can someone change my account settings w/o my authorization
and
2) what other systems does Qwest have that allow similiar changes?

One of my friends suggested how easy it would be to build a war dialer and randomly change people's voice mail rings daily. As I found out, 2 rings is akin to mini-DoS attack!

So, I'm hoping that if this information becomes public, it will cause a change at Qwest, and hopefully not spawn an epidemic of random voice mail ringer changes!

jk

3 comments:

Unknown said...

Did you try it from another phone to make sure you can actually do that?

Anonymous said...

I just changed my own and my Mothers, as she wanted hers changed for some time now and didn't know how. Both changed from my number, different last names etc, so it can be done by anyone from anywhere for anyone elses Qwest number no security, pin, or password needed.

Unknown said...

hey thanks, They changed the way my voicemail worked and it also bumped my rings down, but I couldn't find out how to change it back. Yours came up on a google search and am so happy to know I won't miss any more phone calls due to my lack of sprinting.
thanks again!
Rachel