commgrp@silver.bacs.indiana.edu (06/13/89)
In article <3685@tank.uchicago.edu>, barry@arthur.uchicago.edu writes: > A friend recently showed me a "technique" for making free phone > calls from a payphone... <description of grounding the microphone> } <excellent details from Larry Lippmann> During my highschool days it was possible to get a dial tone on a pay phone by peeling a spot of insulation from the handset cord and touching the bared wire to the phone's keyhole. Handset cords weren't armored then, nor were the handset caps screwed on by King Kong. I hadn't heard of the method of grounding the microphone by piercing the diaphragm, but even back then there were special pay-phone mikes which had louvered hard-metal covers so that a sharp object stuck through a hole in the mouthpiece grille would not damage the mike. A kid who lived near a telephone exchange used to dive their dumpster regularly. He recovered enough stuff to build his own neighborhood phone system. His best find was a coin mechanism from an old-style pay phone. Coins rolled down a ramp, then took different paths according to size and velocity. A magnet trapped steel slugs. Nickels and dimes hit cup-shaped bells, quarters hit a coiled-spring gong similar to a Seth-Thomas clock chime. There were two contact- microphones on the mechanism. Long-distance operators listened to the sounds and counted the money. My friend found that the coin/bell mechanism would make the desired sound effects when held near the mouthpiece. (It still cost 10 cents to activate the phone initially.) I once worked at a YMCA camp where the only phone was a pay unit. We discovered that a large pot from the kitchen made acceptable "quarter" sounds when struck. One guy made a long-distance call and "paid" for it by banging on the pot; after "depositing" the required amount, he continued to strike the pot. When the operator told him "That's enough money," he replied, "You've been such a good operator, I'm giving you a tip." "No! Stop! They don't give it to me!!" she said. Depositing coins in modern pay-phones triggers electronic tones, which supposedly can be faked with a simple device. "Phone Phreaking" was popular in the '70s but seems to have become passe. TPC (The Phone Company) prominently published claims of sophisticated countermeasures. Another kid-type phone hack which a friend from Chicago says they used do at O'Hare Airport: Put raw egg-white in the coin return, then observe from a distance-- Along comes Mr. Spiff businessman and makes a credit-card call, after which his coin is returned. He reaches for the coin, contacts nasty goo, goes "YUCK!!" and _leaves the money_! It doesn't work anymore, with electronic credit-card readers and phones which require no initial coin. -- Frank Reid W9MKV @ K9IU reid@gold.bacs.indiana.edu {inuxc,rutgers,uunet!uiucdcs,pur-ee}!iuvax!silver!commgrp
timk@egvideo.UUCP (Tim Kuehn) (06/14/89)
In article <7200036@silver> commgrp@silver.bacs.indiana.edu writes: ....details over various phone-phreaking exploits and measures deleted... >{inuxc,rutgers,uunet!uiucdcs,pur-ee}!iuvax!silver!commgrp Then there's the recent news story - apparently a pay phone at a New York airport wouldn't charge you for long distance calls out of the country (Seems there was an error in the charging software or something.) A good number of people were making using of this "free" facility to call their parents, relatives, etc. back home and talk - often for hours at a time. It was only discovered when someone was assaulted and on the way to the hospital when the police asked him what he was doing there at that time of the night (around 1 am) that it was found out. Apparently this had been going on for a number of months! +-----------------------------------------------------------------------------+ |Timothy D. Kuehn timk@egvideo | |TDK Consulting Services !watmath!egvideo!timk | |871 Victoria St. North, Suite 217A | |Kitchener, Ontario, Canada N2B 3S4 (519)-741-3623 | +-----------------------------------------------------------------------------+
larry@kitty.UUCP (Larry Lippman) (06/15/89)
In article <7200036@silver>, commgrp@silver.bacs.indiana.edu writes: > Depositing coins in modern pay-phones triggers electronic tones, which > supposedly can be faked with a simple device. In a single-slot coin telephone such as a 1C-type, when coins are deposited, contacts from the "totalizer" cause the coin signal oscillator to generate dual-tone signals corresponding to the value of the deposited coins. A nickel is one beep, a dime is two beeps at a rate between 5 and 8 pps, and a quarter is five beeps at a rate of between 12 and 17 pps. These coin signal tones may be detected by an appropriate receiver in the central office coin control trunk apparatus. The tones are also designed for aural identification by an operator. However, during the interval that the coin signal tones are generated, the speech network of the coin telephone is effectively shorted out by a relay contact from the totalizer. What this means is that an _experienced_ operator can ascertain if there is background station noise (from the handset transmitter) during the totalizer coin signal readout. While it may be possible to perpetrate fraud using a hand-held coin signal tone simulator held close to the handset transmitter, this act is not without risk of detection since it may still sound _different_ to an operator. > Another kid-type phone hack which a friend from Chicago says they used > do at O'Hare Airport: Put raw egg-white in the coin return, then > observe from a distance-- Along comes Mr. Spiff businessman and makes > a credit-card call, after which his coin is returned. He reaches for > the coin, contacts nasty goo, goes "YUCK!!" and _leaves the money_! > It doesn't work anymore, with electronic credit-card readers and > phones which require no initial coin. A lot of things don't work any more. In the older multi-slot coin telephones, using a special "tool" inserted from the coin return holder, it was possible to "stuff" the coin chute with cloth such that all returned coins were blocked. The perpetrator would stuff a coin telephone early in the morning, and then return at night to remove the stuffing and reap the fruits of his labor. :-) To sweeten the pot, the perpetrator might also cut a wire in the handset such that a victim making a call would NEVER have a chance to actually dial a call that would complete and collect the coin. During the day, the coin chute would fill with coins ready to be returned since the central office apparatus would consider all of the call attempts as being abandoned. There was even a more sophisticated scam which could easily be perpetrated in larger cities, such as New York, and which carried little risk of detection since the time spent in the target telephone booth was only a matter of seconds. In order to understand how this scam worked, it is necessary that I explain a few things about a coin telephone. First, the coin release lever ONLY works for rejected coins which get stuck in the coin chute mechanism; i.e., a "valid" nickel, dime or quarter passes through the coin chute, is identified, operates the totalizer contacts, and comes to rest in the coin "hopper", which is above the coin collect/refund relay. Once a coin passes to the hopper, it is held in limbo pending operation of the central office apparatus to either refund the coin, in which case it will come to rest in the coin return holder, or to collect the coin, in which case it will drop into the "bank" secured by the lower housing. What this means is that a valid coin deposit in a coin telephone whose central office pair is disconnected canNOT be returned to the user, no matter what. Operating the coin return lever in this case has no effect. The only way to return that coin(s) is to place -130 volts DC between the tip side of the telephone line and ground, which will operate the coin relay to a refund position. So, what a somewhat sophisticated perpetrator would do is target a coin telephone, identify the location of its pair at a cross-connect box some distance away (not that difficult, especially for an ex-telco employee), and lift the pair from the terminals. This effectively disconnects the coin telephone. So, all during the day, victims will go to the target coin telephone, deposit a dime, get no dial tone, hang up in disgust, and then get pissed off when they don't get their dime back. However, human nature being what it is, for a dime, almost no one will ever report the target telephone as being out of service. So, during the day, the coin hopper will fill with dimes, possibly accumulating several dollars worth at a "good" location. At night, the perpetrator will return to the cross box and restore the central office pair connection. As soon as this is done, the central office apparatus will detect ground on the line as caused by coins operating the hopper "trigger" switch, and assume that it is an abandoned call. The connected coin control trunk will then send the -130 volts across tip and ground to refund all of the coins in the coin hopper - which the perpetrator can scoop up in a matter of seconds. The central office coin control trunk has no idea that it is refunding more than one dime, and frankly could care less - it is doing the same job it would do if someone deposited one dime and hung up without ever dialing. The advantage of the above scam is that no damage is caused to the coin telephone, and that discovery is unlikely since even if trouble were reported, it is extremely improbable that a craftsperson would visit the subject telephone that same day. A prudent perpetrator will "rotate" their telephones so that the same telephone may only be hit one or two days per month. When a craftsperson does visit the offending telephone, they will find nothing wrong and will label the trouble ticket with the most common of all dispositions: NTF (No Trouble Found), and no one will be the wiser. Of course, the above only works on pre-pay coin telephones, which are virtually non-existant today except in some rural areas and in a few areas served by smaller independent telephone companies. I have freely posted the above information on the assumption that it can no longer be used to perpetrate any crime; I sure will be embarassed if someone proves my assumption wrong. :-) <> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp. <> UUCP {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry <> TEL 716/688-1231 | 716/773-1700 {hplabs|utzoo|uunet}!/ \uniquex!larry <> FAX 716/741-9635 | 716/773-2488 "Have you hugged your cat today?"