Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cs.utexas.edu!mailrus!accuvax.nwu.edu!nucsrl!telecom-request
From: telecom@eecs.nwu.edu (TELECOM Moderator)
Newsgroups: comp.dcom.telecom
Subject: Long Distance Piracy Jolts Phone Bills
Message-ID: <10946@accuvax.nwu.edu>
Date: 16 Aug 90 03:51:44 GMT
Sender: news@accuvax.nwu.edu
Organization: TELECOM Digest
Lines: 88
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 574, Message 2 of 7

An article of interest in the {Chicago Sun Times}, Monday, August 13
discussed phone phreaks who gain access to companies' outgoing phone
lines via incoming 800 numbers tied into the PBX.

Writer Lisa Holton discussed 'sophisticated thieves who take advantage
of lax firms, causing (the firm) to pay the piper.'

In one notorious example from the not-too-distant past in Chicago, a
company had been getting monthly bills for their long distance service
of $2500 to $4000 per month. Then one month, the bill came and the
total was $105,000. It was not a misprint.

It seems in this case, on a Saturday between 8 AM and 8 PM, when no
one was working, there had been several *thousand* international calls
placed through the company PBX. Someone had gotten a list of the valid
PIN codes, then sold them to dozens of buyers, usually in immigrant
neighborhoods, for $20-$30 each. Sometimes more than one person bought
the same code number.

According to Loren Proctor, Chicago area regional security manager for
US Sprint, incidents like this are quite common, although not
necessarily as outrageous. He said Sprint can oftentimes detect a
fraudulent pattern going on, but the company disclaims responsibility
for fraud calls made through a company's own switch.

Ms. Holton discussed three common techniques used by phreaks to obtain
access codes:

1) Playing the numbers game: This is simply the brute force technique.
Have your computer just keep trying number combinations until one or
more work. Because many PINs are only four digits, it is just a matter
of time -- a short time, really -- until valid codes are found.

2) Buttering up the company operator: The phreak calls up a company,
and asks to be transferred to the sales department, or somewhere. He
gets the department receptionist and says he made a mistake, could he
please be transferred back to the operator. Now his call is on an
inside line, so who else could the operator be talking to besides an
employee? If the operator is busy, or not paying attention to who she
is talking to, the phreak can talk her into giving him an outside
line. Bingo, a three hour call to his mother somewhere.

3) Looking for codes in all the right places: In this example, thieves
were hanging out at Port Authority Bus Terminal and at LaGuardia
International Airport. They were using binoculars and telephoto lenses
on cameras to watch people making 800 calls into their company PBX.
These guys were writing down the 800 numbers and PIN codes, then
giving them to partners up on 171st Street who would sell them for $20
each. They also watched for people to enter 950 numbers followed by
codes and Sprint's 800 number, followed by codes. This went on for
about 24 hours before Sprint caught on to what was happening.

So, according to Ms. Holton's article, the experts give these tips to
help prevent piracy of your long distance lines:

1) Change PINs as often as possible. If PINs change quite frequently,
it will be more difficult to find one that's valid.

2) Give the PIN as many digits as possible. According to Mr. Proctor
of Sprint, fourteen digit codes are now common with long distance
carriers. The longer the PIN, the more difficult it is to learn by the
brute force method.

3) Limit access to the PBX: Take an analysis of everyone who is using
the phone system and WATS lines. Does the shipping clerk need the same
access as the Chairman of the Board? Toll-restrict 900 numbers, as
well as off-site 800 number access by time of day or day of week.
Limit the number of calls a user can make in a single day. Some
companies go so far as to pull the plug on the PBX after 6 PM, so that
*no one* -- phreaks included -- can use the phone.

4) A device is available from Information Innovators in Virginia
Beach, VA which is attached to the PBX via a PC. It will shut down an
800 line for a short period or indefinitely if it senses someone is
making repeated efforts to break in or locate a valid PIN.

None of this, of course, comes as anything new to TELECOM Digest
readers, but I thought you would enjoy excerpts from the 'tutorial'
given in the {Sun Times} for businesses plagued with phone abuse
problems. Another reference is the August issue of {Teleconnect},
which has a lengthy story on this same topic.

Patrick Townson
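
The lockout behaviour described in tip 4 (shut an 800 line down briefly, then indefinitely, when repeated bad PINs arrive) can be sketched as below. This is an added example, not part of the original post, the newspaper article or the vendor's product; the thresholds, trunk names and log records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; the article gives no thresholds.
MAX_FAILURES = 5                   # bad PINs tolerated per trunk per window
WINDOW = timedelta(minutes=10)
SHORT_LOCK = timedelta(minutes=30)
STRIKES_FOR_INDEFINITE = 2         # second trip keeps the line down

def sample_events():
    """Constructed PBX log: (time, inbound 800 trunk, PIN accepted?)."""
    t0 = datetime(1990, 8, 11, 8, 0, 0)
    ev = [(t0, "800-A", True)]                               # normal caller
    ev += [(t0 + timedelta(seconds=20 * i), "800-A", False) for i in range(1, 7)]
    ev.append((t0 + timedelta(minutes=5), "800-A", True))    # guess hits during lock
    ev += [(t0 + timedelta(minutes=60, seconds=20 * i), "800-A", False)
           for i in range(5)]                                # second burst
    ev.append((t0 + timedelta(hours=4), "800-A", True))
    ev += [(t0 + timedelta(minutes=m), "800-B", False) for m in (10, 50)]  # misdials
    return ev

def evaluate(events):
    """Replay events in time order; return [(time, trunk, action)]."""
    failures = defaultdict(deque)   # trunk -> recent failure times
    locked_until = {}               # trunk -> expiry, or None for indefinite
    strikes = defaultdict(int)
    actions = []
    for ts, trunk, accepted in sorted(events):
        if trunk in locked_until:
            until = locked_until[trunk]
            if until is None or ts < until:
                # Line is down: even a correct PIN gets no dial tone.
                actions.append((ts, trunk, "rejected-locked"))
                continue
            del locked_until[trunk]
        if accepted:
            continue  # trunk is shared, so a success does not clear failures
        recent = failures[trunk]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            strikes[trunk] += 1
            recent.clear()
            indefinite = strikes[trunk] >= STRIKES_FOR_INDEFINITE
            locked_until[trunk] = None if indefinite else ts + SHORT_LOCK
            actions.append((ts, trunk, "lock-indefinite" if indefinite else "lock-short"))
    return actions
```

In the constructed log the first burst trips a short lock after five bad PINs, a correct PIN entered during that lock is still refused, and the second burst takes the line down indefinitely; the two widely spaced misdials on the other trunk trigger nothing.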