[sci.electronics] How to Hack Payphones

barry@arthur.uchicago.edu (06/07/89)

A friend recently showed me a "technique" for making free phone
calls from a payphone.

I don't want to promote this method---I just want to know
how the phone hardware/software allows this to occur.

Let me try to describe it---it's difficult without visual aids,
but hopefully you will know what I am talking about.

step (1): get paper clip, and straighten it out.
step (2): puncture the metal cover that is underneath the 
          part of the phone you speak into---specifically, poke
          it through the hole closest to where the cord connects
          to the receiver.
step (3): insert paper clip into the puncture, and scratch the exposed
          end against a metal surface while dialing your number.

[Note: I have not been able to do this successfully myself---but a random
sampling of three payphones in the U of Chicago Science Library found
that all three had the tell-tale hole of step (2).]

So---How does it work? (And does it work?)

Thanks,
Barry Merriman
Grad Student, U of Chicago Math
barry@zaphod.uchicago.edu

jeffw@midas.STS.TEK.COM (Jeff Winslow) (06/08/89)

In article <3685@tank.uchicago.edu> barry@arthur.uchicago.edu () writes:

>A friend recently showed me a "technique" for making free phone
>calls from a payphone...

>[Note: I have not been able to do this successfully myself---but a random
>sampling of three payphones in the U of Chicago Science Library found
>that all three had the tell-tale hole of step (2).]

One hypothesis which springs to mind is that your friend has had a lot of
fun telling different people his story and watching them go around making
holes in pay phones. Better be careful - maybe he makes his money collecting
rewards for reporting phone vandalism.   :-)

							Jeff Winslow

mesmo@portia.Stanford.EDU (Chris Johnson) (06/08/89)

	Another interesting phone mini-hack: back in high school,
	our pay phone could be dialed for free by rapidly clicking
	the hang-up toggle in the pulse-pattern of the number you
	wished to dial.

	Interesting & cheap, too.  Haven't tried this in a while,
	any ideas why pulse-dialing isn't disabled from touch tone
	payphones (at least that one) ?

	p.s. the phone company is your friend, don't do the preceding
	illegal thing if you can avoid it.
-- 
==============================================================================
 Chris M Johnson === mesmo@portia.stanford.edu === "Grad school sucks rocks"
            "Imitation is the sincerest form of plagiarism" -- ALF
==============================================================================

larry@kitty.UUCP (Larry Lippman) (06/10/89)

In article <3685@tank.uchicago.edu>, barry@arthur.uchicago.edu writes:
> A friend recently showed me a "technique" for making free phone
> calls from a payphone.
> 
> I don't want to promote this method---I just want to know
> how the phone hardware/software allows this to occur.
> 
> step (1): get paper clip, and straighten it out.
> step (2): puncture the metal cover that is underneath the 
>           part of the phone you speak into---specifically, poke
>           it through the hole closest to where the cord connects
>           to the receiver.
> step (3): insert paper clip into the puncture, and scratch the exposed
>           end against a metal surface while dialing your number.
> 
> [Note: I have not been able to do this successfully myself---but a random
> sampling of three payphones in the U of Chicago Science Library found
> that all three had the tell-tale hole of step (2).]
> 
> So---How does it work? (And does it work?)

	It is indeed possible for this to work under most circumstances
where: (1) coin telephone is a "traditional" 1C2 or equivalent single-slot
coin telephone set arranged for dial tone first (DTF) service; and (2) the
central office (CO) apparatus is AT&T or Northern Telecom.

	In a DTF coin telephone the dial and talk circuit is enabled upon
picking up the handset, without requiring any coin deposit.  The user can
proceed to dial a number forthwith.  If the dialed number is a "free" call
(such as operator, directory assistance, 911 or 800-number), the call can
proceed with no coin.  If the dialed number is a local call requiring a coin
deposit, the user may be allowed to complete dialing of the entire number.
The CO apparatus identifies the dialed prefix and verifies that it is a
local call; it then tests for an "initial rate" coin deposit.  If the
initial rate deposit is made, the call completes; if there is no money
or insufficient money, the call is routed to an intercept recorder which
informs the user to hang up, deposit the initial rate, and dial again.

	The CO apparatus detects the deposit of the initial rate by means
of a ground placed on the line by the coin telephone circuit.  This ground
is balanced between tip and ring, so that no hum (caused by longitudinal
imbalance) is introduced into the talk and DTMF dialing circuit.

	The coin telephone contains a "totalizer" circuit, which is an
electromechanical device (aided by some solid-state circuitry and relays)
that counts the value of the deposited coins, and provides a contact
closure when the initial rate is achieved.

	The above fraudulent call technique works by spoofing the ground
placed on the line by the totalizer circuitry in the coin telephone.  While
shorting one lead of the carbon transmitter to ground does not produce a
balanced ground (thereby resulting in hum on the line), it will usually
result in a condition which will permit DTMF dialing.  Depending upon
the particular CO apparatus, the ground needs to be present as soon as
the first three digits of the call are dialed (if pre-translation is used),
or within milliseconds of the last digit being dialed (if pre-translation
is not used).

	Needless to say, the above technique results in damage to the
carbon transmitter, and is therefore unlawful not only from the standpoint
of the fraud itself, but from the standpoint of causing damage to the
coin telephone.

<>  Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<>  UUCP   {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<>  TEL  716/688-1231 | 716/773-1700  {hplabs|utzoo|uunet}!/      \uniquex!larry
<>  FAX  716/741-9635 | 716/773-2488     "Have you hugged your cat today?" 

larry@kitty.UUCP (Larry Lippman) (06/10/89)

In article <2803@portia.Stanford.EDU>, mesmo@portia.Stanford.EDU (Chris Johnson) writes:
> 	Another interesting phone mini-hack: back in high school,
> 	our pay phone could be dialed for free by rapidly clicking
> 	the hang-up toggle in the pulse-pattern of the number you
> 	wished to dial.

	This would only work in older multi-slot coin telephones arranged for
pre-pay service.  Depositing a coin places a ground on the telephone
pair (balanced between tip and ring), in addition to removing a short
bridged across the dial pulsing contacts, therefore enabling the dial.

	Since a pre-pay coin telephone line is similar to a ground-start
line, momentarily grounding the line by piercing the handset cord or
transmitter with a sharp object connected to the telephone housing will
result in dial tone without the use of a coin.  Since the dial is disabled
without a coin, rapid switchhook operation can be used to create dialing
pulses.

	While the above method of operation is also true for 1A-type and
1C-type single-slot coin telephones arranged for pre-pay operation, I
do not believe it is possible to "pulse-dial" the switchhook on these
style coin telephones due to its different mechanical design (obviously
intentional!).

> 	Interesting & cheap, too.  Haven't tried this in a while,

	Since this method of fraud only applies to pre-pay coin telephones,
which are becoming almost non-existent in most areas of the country, it
isn't going to work on very many telephones.

> 	any ideas why pulse-dialing isn't disabled from touch tone
> 	payphones (at least that one) ?

	While it is possible to block rotary dialing in some ESS central
office apparatus, there really is no need to do so with dial tone first (DTF)
coin telephone service since the telephone user IS ALWAYS permitted to dial
the initial call.

> 	p.s. the phone company is your friend

	That's a debatable statement. :-)

<>  Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<>  UUCP   {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<>  TEL  716/688-1231 | 716/773-1700  {hplabs|utzoo|uunet}!/      \uniquex!larry
<>  FAX  716/741-9635 | 716/773-2488     "Have you hugged your cat today?" 

bote@csense.UUCP (John Boteler) (06/10/89)

From article <3685@tank.uchicago.edu>, by barry@arthur.uchicago.edu:
> 
> A friend recently showed me a "technique" for making free phone
> calls from a payphone.

This might work on coin stations connected to ground-start only
service, but not on modern setups. Of course, it worked
fine in "War Games" for David Lightman, but then...

The older stations put the carbon transmitter directly across 
the phone pair and it modulated the current flowing through it; 
the paper clip gives you direct access to the phone pair. 

By shorting the carbon transmitter to ground, the CO
is fooled into thinking either proper payment has been
deposited or that an initial deposit has been made,
depending on the class of service and the total amount required. 

Modern arrangements require both the ground-start pulse to 
validate the initial deposit and the tone signalling used to
indicate the total amount deposited, so in most places it
ain't as simple as you described. The joys of steppers...

You didn't mention whether or not these phones are 3-slotters
or 1-slotters. I am curious if there are any 3-slotters 
left in Chi-town.

-- 
Bote
uunet!cyclops!csense!bote
{mimsy,sundc}!{prometheus,hqda-ai}!media!cyclops!csense!bote

rdsnyder@mit-amt (Ross D. Snyder) (06/11/89)

In article <3218@kitty.UUCP>, larry@kitty.UUCP (Larry Lippman) writes:
> In article <2803@portia.Stanford.EDU>, mesmo@portia.Stanford.EDU (Chris Johnson) writes:
> > 	Another interesting phone mini-hack: back in high school,
> > 	our pay phone could be dialed for free by rapidly clicking
> > 	the hang-up toggle in the pulse-pattern of the number you
> > 	wished to dial.
> 
> 	While the above method of operation is also true for 1A-type and
> 1C-type single-slot coin telephones arranged for pre-pay operation, I
> do not believe it is possible to "pulse-dial" the switchhook on these
> style coin telephones due to its different mechanical design (obviously
> intentional!).
> 
That's right.  The 1C-type, and probably the 1A-type, paystations have a
mercury switch in the switchhook mechanism, so when you try to "switchhook
dial," the mercury splashes all over the inside of the mercury switch.

Also, since the single-slot DTF paystations are connected to ACTS (stands for
some combination of automatic/automated coin toll/telephone service/system;
telco personnel are so reliant on acronyms that even they usually don't know
exactly what the acronyms stand for and will make something up if you ask.),
even if you connect a lineman's butt-in test set across tip & ring and dial,
you will only hear ACTS begging for money.

> > 	any ideas why pulse-dialing isn't disabled from touch tone
> > 	payphones (at least that one) ?
> 
> 	While it is possible to block rotary dialing in some ESS central
> office apparatus, there really is no need to do so with dial tone first (DTF)
> coin telephone service since the telephone user IS ALWAYS permitted to dial
> the initial call.

Also, telcos like to keep pulse dialing enabled on all of their lines since
most IRT's (installation and repair technicians) and especially cablemen,
who are at risk of dropping their butt-in test set into a few feet of muddy
water at the bottom of a manhole, prefer a more robust buttinski, such as the
classic Western Electric 1013B which has no DTMF capability, to the cheesier
all-electronic buttinskis that have appeared in the last few years.
 
> <>  Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp

By the way, Larry, could I get a copy of your BSP's on the WECO 24V4 rptr that
you mentioned a few months ago to someone interested in building a phone patch.
I have several 24V4C's and need to know the batt & gnd connections.  I tried
sending e-mail, but got no reply.  Thanks.
-Ross

NU128880@NDSUVM1.BITNET (06/16/89)

The pulse-emulation method of dialing a telephone is often a useful thing
to know.  At my father's workplace, the company put a telephone lock on the
office phone.  The lock was basically a cover over the touch-tone keys
and didn't allow dial access.  They had put the lock on due to company
abuses in long distance calls.  My dad always used the phone to call
home to let my mom know when he would be in (a local charge).  I taught
him the pulse dialing method.  No real fraud, no one is wiser, and
that's all...

Steve J. Frank    nu128880@ndsuvm1

hughes@math.Berkeley.EDU (Eric Hughes) (06/17/89)

In article <3838@mit-amt>, rdsnyder@mit-amt (Ross D Snyder) writes:
>Also, since the single-slot DTF paystations are connected to ACTS (stands for
>some combination of automatic/automated coin toll/telephone service/system;
>telco personnel are so reliant on acronyms that even they usually don't know
>exactly what the acronyms stand for and will make something up if you ask.),

ACTS stands for Automated Coin Toll Service.  (The correct one out of eight
choices ;-).

Eric Hughes
hughes@math.berkeley.edu   ucbvax!math!hughes