[comp.dcom.telecom] Long Distance Piracy Jolts Phone Bills

telecom@eecs.nwu.edu (TELECOM Moderator) (08/16/90)

An article of interest in the {Chicago Sun Times}, Monday, August 13
discussed phone phreaks who gain access to companies' outgoing phone
lines via incoming 800 numbers tied into the PBX. Writer Lisa Holton
discussed 'sophisticated thieves who take advantage of lax firms,
causing (the firm) to pay the piper.'

In one notorious example from the not-too-distant past in Chicago, a
company had been getting monthly bills for their long distance service
of $2500 to $4000 per month. Then one month, the bill came and the
total was $105,000.  It was not a misprint.

It seems in this case, on a Saturday between 8 AM and 8 PM, when no
one was working, there had been several *thousand* international calls
placed through the company PBX. Someone had gotten a list of the valid
PIN codes, then sold them to dozens of buyers, usually in immigrant
neighborhoods, for $20-$30 each. Sometimes more than one person bought
the same code number.

According to Loren Proctor, Chicago area regional security manager for
US Sprint, incidents like this are quite common, although not
necessarily as outrageous. He said Sprint can often times detect a
fraudulent pattern going on, but the company disclaims responsibility
for fraud calls made through a company's own switch.

Ms. Holton discussed three common techniques used by phreaks to obtain
access codes:

1) Playing the numbers game:  This is simply the brute force
technique. Have your computer just keep trying number combinations
until one or more work. Because many PINS are only four digits, it is
just a matter of time -- a short time, really -- until valid codes are
found. 

2) Buttering up the company operator: The phreak calls up a company,
and asks to be transferred to the sales department, or somewhere. He
gets the department receptionist and says he made a mistake, could he
please be transferred back to the operator. Now his call is on an
inside line, so who else could the operator be talking to besides an
employee?  If the operator is busy, or not paying attention to who she
is talking to, the phreak can talk her into giving him an outside
line. Bingo, a three hour call to his mother somewhere.

3) Looking for codes in all the right places: In this example, thieves
were hanging out at Port Authority Bus Terminal and at LaGuardia
International Airport. They were using binoculars and telephoto lenses
on cameras to watch people making 800 calls into their company PBX.

These guys were writing down the 800 numbers and PIN codes, then
giving them to partners up on 171st Street who would sell them for $20
each. They also watched for people to enter 950 numbers followed by
codes and Sprint's 800 number, followed by codes. This went on for
about 24 hours before Sprint caught on to what was happening.

So, according to Ms. Holton's article, the experts give these tips to
help prevent piracy of your long distance lines:

1) Change PINS as often as possible. If PINS change quite frequently,
it will be more difficult to find one that's valid.

2) Give the PIN as many digits as possible. According to Mr. Proctor
of Sprint, fourteen digit codes are now common with long distance
carriers. The longer the PIN, the more difficult it is to learn by the
brute force method.

3) Limit access to the PBX: Take an analysis of everyone who is using
the phone system and WATS lines. Does the shipping clerk need the same
access as the Chairman of the Board?  Toll-restrict 900 numbers, as
well as off-site 800 number access by time of day or day of week.
Limit the number of calls a user can make in a single day. Some
companies go so far as to pull the plug on the PBX after 6 PM, so that
*no one* -- phreaks included -- can use the phone.

4) A device is available from Information Innovators in Virginia
Beach, VA which is attached to the PBX via a PC. It will shut down an
800 line for a short period or indefinitely if it senses someone is
making repeated efforts to break in or locate a valid PIN. 

None of this, of course, comes as anything new to TELECOM Digest
readers, but I thought you would enjoy excerpts from the 'tutorial'
given in the {Sun Times} for businesses plagued with phone abuse
problems.

Another reference is the August issue of {Teleconnect}, which has a
lengthy story on this same topic.


Patrick Townson
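
[Added example, not part of the original post or the Sun-Times article:
a Python sketch of the lockout behaviour described in tip 4, shutting
down an 800 line briefly, then indefinitely, after repeated bad PIN
entries. The thresholds, trunk labels and record layout are assumptions,
and the sample attempts are constructed.]

```python
from collections import defaultdict, deque


class TrunkGuard:
    """Locks an inbound 800 trunk after repeated bad PIN entries."""

    def __init__(self, max_failures=5, window=300, short_lock=900, strikes=3):
        self.max_failures = max_failures    # bad PINs tolerated per window
        self.window = window                # sliding window, in seconds
        self.short_lock = short_lock        # length of a temporary shutdown
        self.strikes = strikes              # temporary locks before indefinite
        self.failures = defaultdict(deque)  # trunk -> times of recent bad PINs
        self.lock_count = defaultdict(int)  # trunk -> shutdowns so far
        self.locked_until = {}              # trunk -> unlock time (inf = indefinite)

    def record(self, ts, trunk, accepted):
        """Process one PIN attempt; return 'refused', 'ok', 'fail' or 'locked'."""
        if ts < self.locked_until.get(trunk, 0):
            return "refused"                # line is shut down, PIN not evaluated
        if accepted:
            # A valid PIN does not clear the failure history: a shared
            # trunk carries legitimate callers and guessers at once.
            return "ok"
        recent = self.failures[trunk]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                # drop failures outside the window
        if len(recent) < self.max_failures:
            return "fail"
        recent.clear()
        self.lock_count[trunk] += 1
        indefinite = self.lock_count[trunk] >= self.strikes
        self.locked_until[trunk] = float("inf") if indefinite else ts + self.short_lock
        return "locked"


def replay(attempts, guard=None):
    """Feed (time, trunk, accepted) records through a guard, in time order."""
    guard = guard or TrunkGuard()
    return [guard.record(*a) for a in sorted(attempts)]


# Constructed sample: a bad PIN every 10 s on trunk "800-A", plus one
# legitimate caller on trunk "800-B".
SAMPLE = [(t, "800-A", False) for t in range(0, 60, 10)] + [(30, "800-B", True)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```
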

John Higdon <john@bovine.ati.com> (08/17/90)

TELECOM Moderator <telecom@eecs.nwu.edu> writes:

> Ms. Holton discussed three common techniques used by phreaks to obtain
> access codes:

> 2) Buttering up the company operator: The phreak calls up a company,
> and asks to be transferred to the sales department, or somewhere. He
> gets the department receptionist and says he made a mistake, could he
> please be transferred back to the operator. Now his call is on an
> inside line, so who else could the operator be talking to besides an
> employee?  If the operator is busy, or not paying attention to who she
> is talking to, the phreak can talk her into giving him an outside
> line. Bingo, a three hour call to his mother somewhere.

I would really be interested in knowing what kind of brain-dead PBX
could be used to serve a large enough operation where one could hope
to get away with this. Every system I have ever dealt with (AT&T,
Rolm, ITT, Mitel, Siemens, Toshiba) clearly identifies to the
attendant that an outside call being transferred back from a station
is just that-- a returning outside call. It does not appear as an
"inside" call. Giving that caller an outside line would become a
"trunk to trunk" transfer, an option that can be denied in
programming.

Also, virtually all PBXes, even down to the lowly Panasonics, identify
to a station whether the call is from the inside or outside via
distinctive ringing. While transferring a call, the destination will
have a double ring and when the person doing the transfer hangs up the
ring will change to single.

In short, it is just about impossible to masquerade as an inside call
from the outside. There is one possible exception -- DISA access. This
allows a person to dial a special line and then dial within the PBX.
DISAs are protected by authorization codes, however, and on most
switches still appear as outside calls to inside users, including the
operator.


        John Higdon         |   P. O. Box 7648   |   +1 408 723 1395
    john@bovine.ati.com     | San Jose, CA 95150 |       M o o !

wrp@biochsn.acc.Virginia.EDU (William R. Pearson) (08/18/90)

] I would really be interested in knowing what kind of brain-dead PBX
] could be used to serve a large enough operation where one could hope
] to get away with this. ...

] Also, virtually all PBXes, even down to the lowly Panasonics, identify
] to a station whether the call is from the inside or outside via
] distinctive ringing. ...

] In short, it is just about impossible to masquerade as an inside call

	Here at the U. Virginia we have a ROLM system.  My phone has a
distinctive ring from the outside.  But if I fail to pick up the
phone, the call is transferred to my secretary.  She then calls me back
and transfers the call, and I have no idea where it came from.
Perhaps if she had simply caused my phone to ring again with the
outside call, its ringing would be distinctive, but since she calls
me, announces the call, and then connects it, I do not know whether
the caller is inside or outside.


Bill Pearson