Phone hacking: How 3UK easily helps hackers get to work

I just received this email from a senior executive working in the mobile industry. Have a read. It is pretty shocking:

I’m stunned.

I just called 3UK *Business support* from a random landline and got the PIN on my voicemail changed, using just the info on my business card.

All they asked for was my mobile number and address/postcode. And what I’d like the PIN reset to, of course. How kind of them.

So anyone finding my business card, or a colleague’s phone, or a vendor/customer’s phone – with my name, my number and my place of work/address, CAN ACCESS MY VM.

And because the PIN is not needed when checking the VM from my mobile, I’d have no idea the PIN had changed until I tried to remotely access it. Which is never, so far.

My name is out there. I am ‘public’, I have a profile on social networks. Who I work for and the address/postcode is 15 seconds on Google away.

Fisher-Price security? More like zero security.

I then called O2 business. I have another phone with them, again on a business account. Completely, utterly different experience.

They insisted on the company details as well, but crucially, they required me to pass through a security procedure involving knowing the business account password, or detailed info like the last billing amount etc.

No matter how much I pleaded, making up a story about urgently needing access to just one VM, etc – no dice. They were adamant. No security, no PIN reset.

3UK, in topical parlance you come a News Of The World last to O2’s shining Guardian. Their CEO should be getting this process changed TODAY.

This comes from a highly technically savvy mobile industry executive known to me personally.

Deary me.

What were 3UK Business Support thinking? I trust this is an isolated example and not par for the course?

Update: I wrote some more on the wider issues.