Interesting People mailing list archives
Voicemail Hackers Phone It In By Michelle Delio
From: Dave Farber <dave () farber net>
Date: Thu, 17 Apr 2003 11:05:42 -0400
Voicemail Hackers Phone It In
By Michelle Delio

Story location: http://www.wired.com/news/infostructure/0,1377,58517,00.html

02:00 AM Apr. 17, 2003 PT

Voicemail passwords are being transformed into all-access backstage passes that allow malicious hackers to exploit voicemail systems, racking up huge charges on their unlucky victims' phone bills.

Hackers are exploiting a combination of automated operator services from AT&T, voicemail services from SBC Communications and consumers who haven't changed their default voicemail passwords.

Victims say that AT&T and SBC know about the scam and are taking no concrete action to protect consumers from it. But AT&T spokesman Gordon Diamond said that AT&T has been instrumental in stopping the scam.

"AT&T has ambitious programs that use sophisticated technology to detect and deter phone scams and protect our customers," Diamond said. "We detected these scams, and we stopped them. But technological deterrents can't do the job alone, and consumers and businesses are responsible for ensuring the security of their phone lines."

Here's how the scam works: The default passwords that SBC issues to new users of their voicemail services are in a specific format and are easily guessed.

If the default password is not changed after the system is set up, it's ripe for exploitation by malicious hackers, who have been breaking into SBC voicemail systems and replacing the owners' recorded greetings with recordings of a voice saying "yes" at appropriate intervals.

The hackers then place a collect call, typically from the Philippines or Saudi Arabia, to the hacked system at an odd hour, assuming that the voicemail system will pick up.

AT&T uses an automated voice-recognition system when processing collect calls. The recording asks whether the party who is being called will accept the charges. When the hacked system responds "yes," the call is connected.
Once connected, the hackers have been leaving the line open for hours -- and in some cases for days -- resulting in enormous bills for the victim.

According to network security expert Mike Sweeney, there are a few reasons why the malicious hackers might leave the line open.

"One is just to mind fuck with someone just because they can," said Sweeney. "But I also know that hackers will set up conference calls this way to discuss various 'business deals' at no cost to themselves. They might have set up the conference ... and just left the line up when they were done -- it's the victims' dime, so why bother stopping it?"

K.C. Hatcher, a San Francisco graphic artist and one of the scam's casualties, has been billed $12,000 dollars for calls that both she and AT&T agree she didn't make. But she's expected to pay for those calls anyway, as are the other victims.

In Hatcher's case, the scam was carried out on her business line on New Year's Eve. Hatcher said when she returned to the office after the holiday, she received a call from Bill Allen of AT&T Fraud Detection, who told her he thought she was the victim of telephone fraud.

"I checked my outgoing message and discovered it had been altered, exactly as Mr. Allen said it would be," Hatcher said. "In a man's voice with a foreign accent the new message stated something like, 'Yes, yes, I will accept the charges, yes, yes, yes....'"

Hatcher said Allen then issued her a case number to dispute the charges once she received her next phone bill.

"He said that I probably would not have to pay the charges, as this type of incident happened quite often, and that AT&T often waived the charges."

Later Hatcher was told that AT&T would take 35 percent off her bill, but she'd have to pay $8,000. Hatcher was not happy.

"AT&T then suggested I 'go after' SBC, and SBC blames AT&T for holding the victim responsible for the crime," Hatcher said.

"Basically, these two communications giants are pointing the finger at each other, and I'm caught in the middle with the bill to pay, or my credit will be ruined."

Other victims of the scam had the same experience.

"I got a call from AT&T's fraud division after Christmas, asking me to check my voicemail message," said Mary Runyon, a Texas-based photographer. "To my alarm, my outgoing message had been replaced with a message from some man with a thick accent saying 'yes uh uh ... yes ... uh uh ... sure.'"

Runyon said that she was billed $7,256.34 for two calls; AT&T offered a 30 percent discount. When she refused, her account was turned over to a collection agency.

"In the process of fighting this, I spoke to numerous people at AT&T and SBC. Not one sounded surprised when I told them about this scam," Runyon said. "I got the distinct impression that this scam is widespread and new victims are being exploited daily."

AT&T's Diamond said the scam is not being widely perpetrated.

"These are isolated incidents, and we do all we can to ensure the safety of our customers and our network. However, in these instances, there is no question that the customer is in the best position to ensure the security of their voicemail systems."

SBC said in a statement that the company includes a written warning to all new customers advising them to change their default passwords immediately.

Runyon and Hatcher acknowledge that they didn't change their default passwords. Both said they later discovered that the warning was included in a large package of information that appeared to reiterate the conversation they'd had with a sales rep when they set up their accounts.

"I did not change my password because I was not expressly advised to do so," Hatcher said. "I hold both companies responsible for not going to adequate measures to alert their consumers to a very expensive problem so that we could at least try to protect ourselves from its occurrence."
SBC's written warning isn't enough, agreed Linda Sherry, executive director of the San Francisco organization, Consumer Action. The company should have issued random default passwords that are not easily guessed, as it now does for new business accounts.

Sherry also slammed AT&T for its automated system.

"That AT&T would permit third-party phone charges based only on the authority of a recorded message is beyond belief," Sherry fumed. "Third-party billing should be allowed only when a real person answers the phone and is able to verify that they approve the charges."

Diamond said AT&T has no plans to change the automated system, "which has proven to be extremely reliable for many, many years."

MCI uses an automated system similar to AT&T's. Sprint uses live operators to process collect calls.

Consumer Action is asking AT&T and SBC to reimburse the scam victims.