Voicemail Hacking Leaves Ears Ringing

Voicemail can cost you. Just ask K.C. Hatcher, a San Francisco-based graphic artist.

AT&T; wants her to pay $12,000 in long-distance charges rung up by a hacker who apparently changed Hatcher’s voicemail message to accept third-party billed calls to Saudi Arabia and the Philippines.

“I am totally obsessing about this,” said Hatcher, whose normal long-distance bill runs $35 a month. “I’m getting married in June. I want to buy a house, and I’m worried that this fraud is going to ruin my credit.”

Such voicemail hacking is on the rise -- and phone customers are wrongly being held liable for it, according to San Francisco-based Consumer Action.

AT&T; acknowledges that the scamming has become all too common and that people rarely know they have been had until company fraud investigators alert them to unusual activity on their phones. But AT&T;, like some other long-distance providers, insists that consumers foot most of the bill.

“It is the responsibility of the customer to secure their voicemail system,” said Gordon Diamond, a spokesman for AT&T; in San Francisco.

Maureen Claridge, a San Francisco travel agent, doesn’t see it that way but has been unable to persuade AT&T; to let her off the hook. The company has sent her $8,000 long-distance bill -- generated by a voicemail hacker -- to a collection agent, Claridge said.

Linda Sherry of Consumer Action maintains that telephone companies are largely to blame.

Hackers take advantage of the voicemail offered by local phone companies -- including SBC Communications Inc., which provides the system Hatcher and Claridge use -- and long-distance companies’ voice-activated operator services.

What a hacker does is break into a person’s voicemail and record a message so that it will respond affirmatively to an automated operator that calls the person’s home phone seeking approval for third-party billing of a long-distance call.

Sherry noted that at AT&T;, the automated system always asks the same questions and waits a set interval for a response, making it fairly easy for a hacker to synchronize his fraudulent voicemail message.

“That AT&T; would permit third-party phone charges based only on the authority of a recorded message is beyond belief,” Sherry said. “Third-party billing should be allowed only when a real person answers the phone and is able to verify that they approve the charges.”

AT&T;’s Diamond countered that the company’s automated system is “fairly sophisticated,” adding: “If it was a live operator, I don’t know that it would turn out any differently.”

AT&T; suggests that consumers change their pass codes regularly; avoid pass codes that are intuitive, such as birth dates and addresses; and check their announcements to make sure they haven’t been changed.

Diamond said AT&T; works on a case-by-case basis with customers who believe they have been defrauded but doesn’t necessarily write off fraudulent charges.

MCI Communications also offers automated operator assistance and has a similar policy, spokeswoman Audrey Waters said. Sprint Corp. handles calls billed to a third party manually, which Sprint says has stymied this particular fraud.

Meanwhile, SBC said it recently changed its voicemail system so that default pass codes aren’t so easy to guess. The company says it has a policy of reversing charges when a consumer is willing to file a police report claiming fraud.