Turning security flaws into a money stream

You may have heard about T-Mobile’s security leaks in their voice mail system. Basically, spoofing caller ID was enough to listen to anyone’s voice mail.

Now, that’s a serious issue, and you’d expect that to turn into an expensive exercise for T-Mobile to enhance their system security.

It occurred to me this morning that quite the opposite is true: this has turned into a cash cow for T-Mobile. Let me explain:

As long as you’re inside the T-Mobile network, they can identify you by your subscriber ID, and your voice mail is not vulnerable. Only in a roaming scenario, i.e. when you’re in a different country, does this not work, and this is where they used to naively rely on caller ID.

Here’s what they’re doing now: they start by giving you a 20 second explanation saying that you need to enter a PIN code to get access to your voice mail. If you don’t have one, they’ll send you an initial one via SMS. You then may change it in the menu of your voice mail to make it permanent.

Thus, the first call will probably take you 2 minutes to get into your voice mail, and successive ones will take 30 to 60 seconds, depending on how fast you are. Multiply that by the number of voice mail calls made outside your home country and by the standard price for international calls (roughly 1 Euro per minute), and you’re in for some serious numbers.

Nice job, T-Mobile…