How to Keep Congregational Office Phones Safe from Hacking
The Rev. Ed Searl, minister of the Unitarian Church of Hinsdale, Ill., has advice for other congregations in the wake of a phone-hacking incident that could have cost his congregation $27,000: Use complex passwords.
On two days in November, one or more persons called into the congregation's phone system. Using sophisticated software that deciphered the voicemail system's passwords, the callers made hundreds of calls to Libya.
AT&T, the phone service provider, eventually noticed, but not before the congregation had a bill of $27,020 for the month, compared to a normal $300 to $400 bill. The phone company demanded payment, but then forgave the full amount when the story hit the news media.
Searl said he learned the calls could have been prevented if the congregational office had had more complex passwords on its various voicemail lines. Instead, the voicemail system was using the default passwords that were in place when the system was installed. (One AT&T website lists such a default password as 111111.)
Searl said the most secure passwords have a combination of numbers plus letters and a symbol, such as an asterisk. "We were told that that combination is pretty failsafe." Phone system websites generally guide users in selecting good passwords.
"We didn’t know we had a password," said Searl. "It's built into most voicemail systems. Our codes were really simplistic. The software out there to crack simple codes is pretty strong. That's why a strong password is important." Once inside a system, a hacker can then make calls from each extension number.
Congregations can also place a block on a phone system preventing any international calls. "That would have been a good thing for us to do," he said.
Searl said he learned that phone hacking is relatively common. "It's happening throughout our state." In the church's case, most of the calls were one to three minutes in duration and involved data transmission rather than voice messages. They were made at times when no one was in the office. Police were contacted, but they said solving the case would be difficult since the hacker could be anywhere in the world.
Searl said a former AT&T employee told him that hackers also break into systems and sell phone codes to third parties.
Searl recommends the following actions:
- Ask your phone company if it has liability insurance to cover hacking.
- Change voicemail passwords from their default settings.
- Block international calls.
- Notify the police if hacking occurs. The publicity that ensues will encourage phone service providers to cancel charges.
He cautioned that phone companies don't seem as alert as credit card companies are to fraudulent activity. "Credit card companies are pretty quick to call if they see unusual activity. That didn't happen with AT&T. I was just astonished they were not on top of this."
He said the phone company insisted on full payment until news media picked up the story. "It was fascinating to watch that happen."
He also heard from businesses that had been hacked. "It was good to learn that we were not in this alone. There was value in sharing experiences with others. The retired AT&T employee offered his help and an attorney called to offer his services pro bono if we wanted to fight this. So it was nice to know that people cared."