S.D-REUBEN%KLA.WESLYN@WESLEYAN.BITNET (Doug Reuben) (05/24/87)
Well, although Cellular is "untraceable" in the same way that regular phones
are, it still is not the ideal system to commit toll fraud on.
From what I understand about how the cellular system works, a new
subscriber is assigned a phone number, and then given a 4 digit code
that is unique to his cellular phone. Thus, the chip that is placed
into a cell phone to identify it may have a # like this:
212-909-1234-5555. The 5555 is the 4 digit ID code, very much like the
PIN number on Bell System Calling Cards.
When you request service, you have to have your number "turned on" at the
Cellular Company. And, like a calling card, the Cell Co. checks to see if the
special ID # matches before it puts the call through (It checks a lot of other
things too, like signal strength and stuff, but that's not important now...).
So in order for someone to make free calls, he has to know an active number,
and then go to the dealer who sold the phone with that number and ask the
dealer what the ID number is. If the dealer is unscrupulous, he will give out
the ID number, and THEN you can make free calls.
However, in no more than a month, if the customer finds that there are a lot
of calls which he did not make, he can call the Cell. Co. and demand that they
remove the calls from his bill. The Cell. Co. will also change the ID number,
and if they are smart will check out the Cellular phone dealer to see if he
gave away the ID code to that specific number.
So what free Cellular service will get you is at best a month's worth of calls,
and that's about it. Also, you will have to go to different dealers all the
time, since if it happened with the same dealer a lot the Cell Co. might
investigate the Cellular phone dealer. Also, you would have to change your
number every month if you wanted people to call you.
Stolen Bell Cards work the same way, although faster. If you steal a Bell
System Calling Card, and you use it a lot, the local Bell Company (or, heaven
forbid, the GTE company if you can manage to use a calling card there! :-) )
will call the paying customer and
ask "did you make 300 calls today?". Usually, the customer says no, so they
just cancel the card and issue a new PIN number to the customer, usually right
away. (The system to assign PIN numbers is almost instantaneous, it seems. The
minute they assign you a PIN # you can use it!). Assuming the free calls were
made from a payphone, the Bell Co. will still call the destination numbers to
see if anyone knows who called them, in hopes of catching the person. If they
get enough people to say "Sure, I know Mr. so-and-so", then they may go after
the person who stole the card.
The point is that Bell Calling Cards have a built in safety system to
protect against fraud. (The alternates don't have anything quite as
sophisticated...). It would not be very hard to put a similar "excessive use"
system of cellular phones. Thus, if cell fraud becomes pervasive, it should be
a relatively simple matter to end it, and thus Cell Fraud is really not much
better than the standard stuff people do at payphones.
Also, Bell System Calling Cards can be used as frequently as you like. The
normal "warning" occurs if you have more than 30 calls in 3 hours (or is it
36?). However, if you use your Bell Card a lot (like I do), then you can ask
your local Bell Co. to put a little note on your account that you are a heavy
user of the card. That way, if you make more than 30 calls in 3 hours (or
whatever), you don't get the card turned off. This is VERY convenient if you
are away from home and don't want to worry about how many calls you make.
Basically then, the people who designed the Cellular System were smart,
and they made sure you can't cheat it too easily or too long. Seeing how easy
it is for them to stop Calling Card fraud, I see no reason why with the
Cellular system set up the way it is that they can't prevent Cell fraud as
well...
(I'm sure I made a few mistakes there, so any corrections are welcome...)
Well, that's my two cents worth! -
-Doug
REUBEN@WESLYN.BITNET
S.D-REUBEN%KLA.WESLYN%WESLEYAN.BITNET@WISCVM.ARPA
...seismo!weslyn.bitnet!reuben (UUCP)
-------
mgrant@MIMSY.UMD.EDU (Michael Grant) (06/01/87)
Excuse me...YOU ARE WRONG!

The Electronic Serial Number is an 8 digit Hexadecimal number. It is not easily changed. Both the MIN, (Mobile Id Number, your phone number) and the ESN are sent out when you press the send key. Your MIN is easily changed by reprogramming your phone, but the ESN is not easily changed. To change your phone number, both the phone, and the cell system must be changed.

Depending on the cell system you are trying to commit fraud on, you may get several months of free calls, or just one. If you are using one of the systems that participate in the fraud detection systems in use, (the name slips my mind at the moment), your service will be cut off after the first fraudulent call--in all of those systems.

You may have gotten the 5 digit code from the lock feature that comes with most cell phones these days. This is just a security feature to keep your phone from being used while it's unattended. It has nothing to do with the cell system itself. My phone only has a 3 digit security code. I usually see this security code set to the last n digits of the phone's phone number.

-Mike
ron@TOPAZ.RUTGERS.EDU.UUCP (06/02/87)
> The Electronic Serial Number is an 8 digit Hexadecimal number. It is not
> easily changed. Both the MIN, (Mobile Id Number, your phone number) and the
> ESN are sent out when you press the send key. Your MIN is easily changed
> by reprogramming your phone, but the ESN is not easily changed. To change

Make that, it is not supposed to be easily changed. While the ESN is not in that NAM (the EPROM with the phone number) in its nice ZIF socket, many manufacturers just put it in another ROM which anybody with a small amount of electronics background can change.

I would expect the most common sort of Cellular fraud involves using phones from another system through automatic ROAM agreements. Presumably the ESN/Phone number checking isn't as rigorous or as up-to-date in remote systems as it is in your home system.

-Ron
shibumi@well.UUCP (06/03/87)
It would seem that one should build a box which, when one is not sending a call keeps the original serial number/phone number/etc. number combination, but when one is to send simply picks a new series of numbers from any scavenged off the airwaves (that just happen to belong to other senders). I would think that the cost of the electronics to do this would be about 2 times one unit plus 10%. Have I missed something?

-- Kenton
smb@research.att.com (01/28/89)
> It is not impossible to change ESN in a phone, but is
> extremely difficult since it is manufactured physically into
> the unit, and is not generally documented by the manufacturer
> in public domain documents for security reasons.

Well -- maybe it's harder today, but a couple of years ago the N.Y. Times reported a fairly wide-spread business doctoring the id chips in phones. They said that the oddest thing was not that it was happening, but that it was decentralized -- lots of small-scale stuff, by lots of different folks who knew how to operate PROM burners. They didn't find what they expected: a few centralized shops with sophisticated crooks.

--Steve Bellovin
tim@Athena.UUCP (Tim Dawson) (02/02/89)
In article <telecom-v09i0034m03@vector.UUCP> smb@research.att.com writes:
>X-TELECOM-Digest: volume 9, issue 34, message 3
>
> > It is not impossible to change ESN in a phone, but is
> > extremely difficult since it is manufactured physically into
> > the unit, and is not generally documented by the manufacturer
> > in public domain documents for security reasons.
>
>Well -- maybe it's harder today, but a couple of years ago the N.Y. Times
>reported a fairly wide-spread business doctoring the id chips in phones.
>They said that the oddest thing was not that it was happening, but that
>it was decentralized -- lots of small-scale stuff, by lots of different
>folks who knew how to operate PROM burners. They didn't find what they
>expected: a few centralized shops with sophisticated crooks.
>
> --Steve Bellovin

Steve:

I made this statement based on having primary exposure to Motorola cellular phone equipment where:

1) The prom with the ESN is potted into the radio cabinet. Therefore you cannot tell what kind of prom is in use.
2) The leads coming off the prom come out on a ribbon cable in random order to plug into the motherboard, so you can't necessarily determine how to access/read the prom.
3) The format by which the data is blown into the prom is also undocumented.

This prom (at least on Motorola phones) is NOT the same chip as the NAM which is readily available/documented to the world. Are you sure that the above comment did not refer to changing the Mobile's phone number, which is stored in the NAM, not with the ESN??

Also, on newer phones the ESN is burned into a prom area in the Logic Module in the phone, which is a custom LSI which handles all the functionality of the phone, making it virtually impossible to change since these devices are not alterable or available to the general public. Heck, even if somebody DID get a hold of one, they would be stuck with the ESN blown into it at manufacturing, since they are built with an ESN in them.

Once again let me state that I do not know how other vendors of cellular equipment handle this, since my only knowledge base is having worked for Motorola in the Cellular product area.

Also, as an additional side note, cellular systems (Motorola again) are typically set up to reject or flag multiple calls from the same ESN or Mobile number, since this is an impossible situation with the concept of the unique ESN. Hence, the system operators get informed of this type of fraud in a pretty big hurry if the questionable unit is used much. Once again, I have no idea about what other vendors of Cellular Equipment do or do not do, so I could be all wet as far as they go.

--
================================================================================
Tim Dawson (...!killer!mcsd!Athena!tim)
Motorola Computer Systems, Dallas, TX.
"The opinions expressed above do not reflect those of my employer - often even I cannot figure out what I am talking about."
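
The two carrier-side checks mentioned in this thread, sketched as an added example that is not part of any post above and is not any vendor's code: the "more than 30 calls in 3 hours" warning with a heavy-user exemption, and flagging two calls in progress at once on the same ESN or MIN. The record layout, function names and sample values are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 3 * 3600   # 3-hour window, the figure quoted in the thread
MAX_CALLS = 30        # more than 30 call starts in the window trips the warning

def excessive_use(calls, heavy_users=frozenset()):
    """Return MINs with more than MAX_CALLS call starts inside any WINDOW_S span."""
    recent, flagged = defaultdict(deque), set()
    for c in sorted(calls, key=lambda c: c["start"]):
        if c["min"] in heavy_users:        # account carries the "heavy user" note
            continue
        q = recent[c["min"]]
        q.append(c["start"])
        while c["start"] - q[0] >= WINDOW_S:   # drop starts older than the window
            q.popleft()
        if len(q) > MAX_CALLS:
            flagged.add(c["min"])
    return flagged

def overlapping_use(calls, key):
    """Return values of key ('esn' or 'min') that appear on two calls at once."""
    last_end, flagged = {}, set()
    for c in sorted(calls, key=lambda c: c["start"]):
        ident = c[key]
        if ident in last_end and c["start"] < last_end[ident]:
            flagged.add(ident)             # one unique unit cannot hold two calls
        last_end[ident] = max(last_end.get(ident, 0), c["end"])
    return flagged

def sample_calls():
    """Constructed call records; times are seconds from an arbitrary origin."""
    calls = []
    for i in range(31):   # two accounts each placing 31 short calls in 2.5 hours
        for mn, esn in (("5550100", "A1000001"), ("5550101", "A1000002")):
            calls.append({"min": mn, "esn": esn, "start": i * 300, "end": i * 300 + 60})
    # one identity on two calls that overlap in time
    calls.append({"min": "5550102", "esn": "A1000003", "start": 1000, "end": 1600})
    calls.append({"min": "5550102", "esn": "A1000003", "start": 1200, "end": 1500})
    # ordinary usage
    calls.append({"min": "5550103", "esn": "A1000004", "start": 0, "end": 120})
    calls.append({"min": "5550103", "esn": "A1000004", "start": 500, "end": 620})
    return calls

if __name__ == "__main__":
    records = sample_calls()
    print("excessive use:", excessive_use(records, heavy_users={"5550101"}))
    print("overlapping ESN:", overlapping_use(records, "esn"))
    print("overlapping MIN:", overlapping_use(records, "min"))
```
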