
Toll fraud: multimillion-dollar telecomm problem

Communications News, Feb, 1994 by Ruth Michalecki

Telecommunications has always been a world of acronyms and alphabet soup. Today, while trying to deal with all the issues of toll fraud, one must first learn a new language: the language of the street. Dumpster Diving, Shoulder Surfing, Finger Hacking, Call-Sell, Social Engineering, and Blue, Black and Red Boxes are all part of the language of what has been estimated to be a $2 billion a year business.

Toll fraud has been around for years, only the victim was the long-distance carrier and not much attention was paid to the issue. Since the carriers have implemented advancements in fraud protection for their networks, hackers have targeted a more vulnerable alternative--PBX/voice mail system owners.

Figures on toll fraud from US West show a complete flip-flop of losses incurred by the long-distance carriers and the PBX users. In 1985, the carriers experienced approximately 90% of all toll fraud. In 1992, PBX users incurred 90% of fraud.

How it happens

Fraud generally is engineered through stolen credit card numbers, penetration of databases, hacked PBX codes, internal sources, use of tone generators, and many other methods. One favorite access method is through 800 numbers that terminate on the DISA (direct inward system access) feature of the PBX--or, as hackers call it, "dial in-steal away." Using a "war-dialer," hackers dial phone numbers randomly (800 numbers are the first choice), until they receive a modem tone or dial tone.

Once valid numbers and authorization codes are discovered, they are distributed via stolen voice mail boxes or bulletin boards. The call-sell operators take over at that point. In a few hours, the unsuspecting PBX owner incurs a staggering volume of calls.

Case study

Our office was the victim of a DISA/call-sell operation. It happened over a July 4 weekend, when most offices are closed and call traffic should be light. The operators started noticing a lot of spill-over calls from our 800 number, used to access our long-distance network from off-campus--an operation we had run for over six years without a problem. Auth codes were issued to our users, and when they were out of town they could call back, enter their auth code and access the toll network (international dialing was blocked).

The chief operator called the local telco's switchroom technician (we are a centrex user), explained what was happening and asked him to check out 800 lines and make certain everything was all right. The technician called back advising the chief operator that nothing was wrong and that callers were indeed calling the correct 800 number!

Because most of the spilled calls were from people speaking a foreign language and the call volume appeared to be steadily increasing, the chief operator decided to call me. The minute the situation was described, I called the same switch technician and asked him to kill the DISA feature. The fraudulent calls were all placed from pay phones in New York and most of them terminated in the 809 area code. Our losses were instant and very large.

We learned several valuable and expensive lessons. First was the lack of training and information concerning toll fraud available to the operators and to the telco switchroom personnel. Although I had attended seminars and read articles on the subject, I had failed to share it with the people in the best position to detect fraud attempts.

Next, it was taken for granted that because we had once blocked international access on the POTS trunk group for our 800 number, it would remain blocked. Actually, when we needed additional lines, a new trunk group was installed and no one verified that the lines were still blocked (it is now checked regularly).

We discovered that even though we never published our 800 DISA number and considered it to be secure from hackers, it was probably as easily broken as if we had broadcast it worldwide.

Before we allowed callers to use our DISA service again, we made significant changes in the process including blocking IDDD, blocking access to a toll operator, restricting dial access outside our immediate calling area and assigning a "class of service" to our auth codes. If the auth code user doesn't require access to certain areas, they are not provided access to them.

In the past, departments asked for a single auth code that would be used by anyone from the department. Today, we insist on individual codes regardless of circumstance. Once we educated our users on the problem of toll fraud, the level of cooperation became very high.
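The controls described above (individual auth codes, a class of service per code, and blocks on IDDD, operator access and out-of-area dialing) can be expressed as a default-deny check on each DISA call attempt. This is an added example, not part of the original article; the auth codes, user names, area codes and class names are constructed, and the dialed-number parsing assumes North American dialing conventions.

```python
from typing import NamedTuple

HOME_NPA = "402"  # constructed: the PBX's own area code

# Constructed sample data: one auth code per person, each tied to a class of
# service listing the only area codes that user needs to reach.
CLASSES = {"local": {"402"}, "regional": {"402", "308"}}
AUTH_CODES = {"482913": ("j.doe", "local"), "730155": ("a.smith", "regional")}

class Decision(NamedTuple):
    allowed: bool
    reason: str
    user: str = ""

def destination(dialed: str):
    """Classify a dialed string under North American dialing conventions."""
    d = "".join(ch for ch in dialed if ch.isdigit())
    if d.startswith("01"):
        return "international", None   # 011 (IDDD) or 01 (operator-assisted)
    if d.startswith("0"):
        return "operator", None        # 0, 00, or 0+ operator-assisted
    if len(d) == 11 and d[0] == "1":
        return "toll", d[1:4]          # 1+NPA; 1-809 is dialed like a domestic call
    if len(d) == 10:
        return "toll", d[:3]
    if len(d) == 7:
        return "local", HOME_NPA
    return "invalid", None

def authorize(auth_code: str, dialed: str) -> Decision:
    """Default-deny check for one DISA call attempt."""
    entry = AUTH_CODES.get(auth_code)
    if entry is None:
        return Decision(False, "unknown-auth-code")
    user, cos = entry
    kind, npa = destination(dialed)
    if kind in ("international", "operator", "invalid"):
        return Decision(False, f"{kind}-blocked", user)
    if npa not in CLASSES[cos]:
        return Decision(False, "npa-not-in-class", user)
    return Decision(True, "allowed", user)

if __name__ == "__main__":
    for code, number in [("482913", "011 44 20 7946 0000"), ("482913", "1-809-555-0100"),
                         ("730155", "1-308-555-0100"), ("482913", "0")]:
        print(code, number, authorize(code, number))
```

Because 809 is reached with ordinary 1+area-code dialing, it is the area-code allow-list, not the international block, that denies the second sample call.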

A study published in October 1993 by Ernst & Young, New York, shows that more than one in four U.S. companies suffered financial loss due to breakdowns in the security of their systems, often at a cost of more than $100,000 and occasionally more than $1 million for a single incident.

Voice mail, auto attendant

Voice mail boxes and automated attendant systems are prime targets for call-sell operators. Voice mail boxes serve hackers by providing easy distribution of stolen numbers and other information. Hackers have taken over voice processing systems and, through threats and/or extortion, kept system owners from reporting the problem.
