Why you should have a voicemail PIN

I’m traveling in New England this week, and having reconciled myself to the fact that most travel SIM cards I’ve purchased in the past result in no mobile service, I’ve just left my Canadian Virgin Mobile SIM in my phone, and I’m going without cellular data and limiting myself to texting (75 cents each) and not using the phone as a phone (at $1.45 a minute).

Yesterday I got a notification on my phone that I had voicemail waiting. I didn’t want to spend a couple of dollars to pick up a voicemail, so I called my own phone number from Skype, expecting that I’d be able to press “#” and enter a PIN to pick up my messages.

Except that I wasn’t prompted for a PIN at all: I was immediately dropped into the voicemail menu, and I was able to pick up my voicemail without authenticating at all.

At first I couldn’t figure out what had happened: did this mean that anyone could access my voicemail?

Then I realized that I’d set my Skype “Caller ID” number to the same number as my mobile number:

[Image: Skype Caller ID setting]

So Virgin Mobile was simply looking at the Caller ID, thinking that I was calling myself, and dropping me into my voicemail without prompting for a PIN.

That’s a problem.

There’s a verification hoop that you need to jump through when you set up a Skype Caller ID number (Skype sends you an SMS with a code you need to enter, which verifies you own the number). But that’s not always the case with other voice-over-IP systems that aren’t Skype: in many cases you can set your Caller ID to an arbitrary telephone number.

All of which means that if I know your mobile number, and I set my Caller ID in a VOIP system to that number, and you don’t have a voicemail PIN, it’s possible, in theory, for me to access your voicemail.

So I recommend that you do what I’ve just done, which is to set up a PIN for my Virgin Mobile voicemail, and to ensure that the “skip PIN” option is turned off.
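The access decision described above, modeled as an added example: this is not Virgin Mobile's code, and the `Mailbox` class, function names, lockout threshold and phone number are all hypothetical. It puts the Caller ID shortcut beside a check that ignores Caller ID and relies only on the PIN.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not from the post


@dataclass
class Mailbox:
    number: str             # subscriber's own number
    skip_pin: bool = True   # models the "skip PIN" option from the post
    salt: bytes = b""
    pin_hash: bytes = b""   # empty means no PIN has been set
    failed: int = 0

    def set_pin(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = _hash(pin, self.salt)
        self.failed = 0


def _hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _check_pin(box: Mailbox, pin) -> bool:
    # No PIN set, no PIN offered, or too many bad guesses: deny.
    if not box.pin_hash or pin is None or box.failed >= MAX_FAILED_ATTEMPTS:
        return False
    ok = hmac.compare_digest(_hash(pin, box.salt), box.pin_hash)
    box.failed = 0 if ok else box.failed + 1
    return ok


def weak_access(box: Mailbox, caller_id: str, pin=None) -> bool:
    """Caller ID is treated as proof of identity when skip_pin is on."""
    if box.skip_pin and caller_id == box.number:
        return True  # any call presenting this Caller ID lands here
    return _check_pin(box, pin)


def hardened_access(box: Mailbox, caller_id: str, pin=None) -> bool:
    """Caller ID is caller-supplied, so it is ignored; only the PIN counts."""
    return _check_pin(box, pin)
```

With the hardened check, a mailbox that has no PIN cannot be opened remotely at all until one is set.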