Interesting People mailing list archives

Voicemail Hackers Phone It In   By Michelle Delio


From: Dave Farber <dave () farber net>
Date: Thu, 17 Apr 2003 11:05:42 -0400


Story location: http://www.wired.com/news/infostructure/0,1377,58517,00.html
02:00 AM Apr. 17, 2003 PT

Voicemail passwords are being transformed into all-access backstage passes that allow malicious hackers to exploit voicemail systems, racking up huge charges on their unlucky victims' phone bills.

Hackers are exploiting a combination of automated operator services from AT&T, voicemail services from SBC Communications and consumers who haven't changed their default voicemail passwords.

Victims say that AT&T and SBC know about the scam and are taking no concrete action to protect consumers from it.

But AT&T spokesman Gordon Diamond said that AT&T has been instrumental in stopping the scam.

"AT&T has ambitious programs that use sophisticated technology to detect and deter phone scams and protect our customers," Diamond said. "We detected these scams, and we stopped them. But technological deterrents can't do the job alone, and consumers and businesses are responsible for ensuring the security of their phone lines."

Here's how the scam works: The default passwords that SBC issues to new users of its voicemail services follow a specific format and are easily guessed.

If the default password is not changed after the system is set up, it's ripe for exploitation by malicious hackers, who have been breaking into SBC voicemail systems and replacing the owners' recorded greetings with recordings of a voice saying "yes" at appropriate intervals.

The hackers then place a collect call, typically from the Philippines or Saudi Arabia, to the hacked system at an odd hour, assuming that the voicemail system will pick up.

AT&T uses an automated voice-recognition system when processing collect calls. The recording asks whether the party who is being called will accept the charges. When the hacked system responds "yes," the call is connected.

Once connected, the hackers have been leaving the line open for hours -- and in some cases for days -- resulting in enormous bills for the victim.

According to network security expert Mike Sweeney, there are a few reasons why the malicious hackers might leave the line open.

"One is just to mind fuck with someone just because they can," said Sweeney. "But I also know that hackers will set up conference calls this way to discuss various 'business deals' at no cost to themselves. They might have set up the conference ... and just left the line up when they were done -- it's the victims' dime, so why bother stopping it?"

K.C. Hatcher, a San Francisco graphic artist and one of the scam's casualties, has been billed $12,000 for calls that both she and AT&T agree she didn't make. But she's expected to pay for those calls anyway, as are the other victims.

In Hatcher's case, the scam was carried out on her business line on New Year's Eve. Hatcher said when she returned to the office after the holiday, she received a call from Bill Allen of AT&T Fraud Detection, who told her he thought she was the victim of telephone fraud.

"I checked my outgoing message and discovered it had been altered, exactly as Mr. Allen said it would be," Hatcher said. "In a man's voice with a foreign accent the new message stated something like, 'Yes, yes, I will accept the charges, yes, yes, yes....'"

Hatcher said Allen then issued her a case number to dispute the charges once she received her next phone bill. "He said that I probably would not have to pay the charges, as this type of incident happened quite often, and that AT&T often waived the charges."

Later Hatcher was told that AT&T would take 35 percent off her bill, but she'd have to pay $8,000.

Hatcher was not happy.

"AT&T then suggested I 'go after' SBC, and SBC blames AT&T for holding the victim responsible for the crime," Hatcher said. "Basically, these two communications giants are pointing the finger at each other, and I'm caught in the middle with the bill to pay, or my credit will be ruined."

Other victims of the scam had the same experience.

"I got a call from AT&T's fraud division after Christmas, asking me to check my voicemail message," said Mary Runyon, a Texas-based photographer. "To my alarm, my outgoing message had been replaced with a message from some man with a thick accent saying 'yes uh uh ... yes ... uh uh ... sure.'"

Runyon said that she was billed $7,256.34 for two calls; AT&T offered a 30 percent discount. When she refused, her account was turned over to a collection agency.

"In the process of fighting this, I spoke to numerous people at AT&T and SBC. Not one sounded surprised when I told them about this scam," Runyon said. "I got the distinct impression that this scam is widespread and new victims are being exploited daily."

AT&T's Diamond said the scam is not being widely perpetrated.

"These are isolated incidents, and we do all we can to ensure the safety of our customers and our network. However, in these instances, there is no question that the customer is in the best position to ensure the security of their voicemail systems."

SBC said in a statement that the company includes a written warning to all new customers advising them to change their default passwords immediately.

Runyon and Hatcher acknowledge that they didn't change their default passwords. Both said they later discovered that the warning was included in a large package of information that appeared to reiterate the conversation they'd had with a sales rep when they set up their accounts.

"I did not change my password because I was not expressly advised to do so," Hatcher said. "I hold both companies responsible for not going to adequate measures to alert their consumers to a very expensive problem so that we could at least try to protect ourselves from its occurrence."

SBC's written warning isn't enough, agreed Linda Sherry, executive director of the San Francisco organization Consumer Action. The company should have issued random default passwords that are not easily guessed, as it now does for new business accounts.

Sherry also slammed AT&T for its automated system.

"That AT&T would permit third-party phone charges based only on the authority of a recorded message is beyond belief," Sherry fumed. "Third-party billing should be allowed only when a real person answers the phone and is able to verify that they approve the charges."

Diamond said AT&T has no plans to change the automated system, "which has proven to be extremely reliable for many, many years."

MCI uses an automated system similar to AT&T's. Sprint uses live operators to process collect calls.

Consumer Action is asking AT&T and SBC to reimburse the scam victims.