Information Security News mailing list archives

$89,911 phone bill


From: InfoSec News <isn () c4i org>
Date: Thu, 21 Jun 2001 20:08:29 -0500 (CDT)

http://www.accessatlanta.com/partners/ajc/epaper/editions/thursday/business_b3130921445570660025.html

Michael E. Kanell - Staff
Thursday, June 21, 2001

Hackers from metro New York used a Covington company's toll-free line,
slipping through a technological loophole to run up $89,911.80 in
overseas calls.

Now, it's a question of who pays the bill.

Since no bad guys have been caught, the question of who ought to eat
that cost --- racked up in one week of reaching out to several other
continents in September 1999 --- depends on which version of events
you believe and which interpretation of the law.

Officials of the Covington company, Gerri Murphy Realty, say they bear
no blame for the calls to Pakistan, India, Bangladesh and other spots
outside metro Atlanta. Finding that the phone line was misused was
unpleasant. Finding that the company is supposed to pay sent the trio
who owns and runs Murphy Realty scrambling for lawyer Robert
Stansfield. Ralph Murphy, corporate secretary for the realty company
and also Gerri Murphy's husband, said he wants businesses to know they
are vulnerable, but he is worried about his company's survival.

"How many people have their britches down and they don't know it? The
only thing we could do is go bankrupt if we got a judgment for
$90,000," he said.

While AT&T has offered to settle for $45,000, it has sued Murphy
Realty in federal court because it believes the scam was carried out
using the company's voice mail, said AT&T spokesman David Arneke. "The
basic principle is that customers are responsible for calls made using
their own phone lines. We told them it was their problem, and we told
them they had responsibility for fixing the problem."

It started Sept. 6 when Murphy's office manager was awakened at home
by someone at AT&T who noticed unusual activity --- overseas calls ---
on the real estate company's line. Thieves had already rung up about
$6,000 in charges. Murphy said he was assured by AT&T it would do what
it could to solve the problem. But hours and days slid by, and the
numbers on the meter kept mounting.

"Basically, we told them that whatever it takes, turn it off," Murphy
said. "We thought at that point that they had pulled the plug, but
they had not pulled the plug."

That's not the way AT&T representatives remember it. The crooks were
calling the toll-free number and using the Murphy voice mail to get an
open line, Arneke said. "And if your system is being hacked, we can't
fix it for you."

AT&T did block international calls from the lines. But the hackers
scooted around that. AT&T has since added protections to prevent
hackers from taking that detour, but that doesn't absolve Murphy,
Arneke said. His position is that the hackers were still getting an
open line via the company's voice mail.

No, no, no, insists Murphy Realty, which is convinced the hacker got
the open line from a BellSouth switch. A Murphy technician has
testified he did what AT&T suggested, eliminating any way a caller
could get an open line from the voice mail.

The international charges continued until Sept. 13 when AT&T blocked
use of the toll-free line from anywhere in the continental United
States. Murphy thought that was the end of it. Until the bill came.

Accustomed to a phone bill of $400 to $500 a month, even AT&T's
settlement offer looks steep, he said. "We are a mom-and-pop
operation. We can't afford to pay $45,000."

As it is, the company has rung up more than $15,000 in legal expenses,
he said.

The lawyer, Stansfield, wonders why AT&T didn't make the fix sooner.
Why didn't AT&T offer Murphy Realty the option of turning off the 800
line? Why did AT&T assure Murphy that it would not be liable --- at
least after AT&T told them about the scam and Murphy Realty did what
it was asked?

Stansfield argues AT&T's inability to shut down the scamsters should
absolve Murphy Realty of responsibility.

Not when it was Murphy's responsibility, contends AT&T.

AT&T sued Gerri Murphy Realty in federal court, an action placed on
hold while the parties slug it out later this month before the Federal
Communications Commission in Washington.

No arrests have been made. The calls were made from pay phones in New
York and New Jersey. The amount involved probably wouldn't justify an
international investigation.

Not paying a $90,000 bill meant a cutoff. So now, the two-office
company has long-distance service from WorldCom's MCI unit, although
Ralph Murphy said he doesn't think it has any more protection from a
phone scam than before.

The odds are against a repeat --- it's just not that common a scam.
The phone hacking phenomenon is less frequent than before.

For one thing, the feloniously tech-savvy person has more options ---
the Internet, for example. And the Net itself provides a much cheaper
way to make international calls.

AT&T says it sees 1,400 to 1,500 cases a year amounting to $15 million
in stolen services from AT&T and its customers out of a $4
billion-a-year total fraud cost. A typical scam can easily be as
costly as the $90,000 tab run up in the Murphy Realty case, Arneke
said.

But the company doesn't end up in court often, he said. "These cases
are usually settled out of court now because there are such a
significant number of rulings on this that customers realize that the
law is well-established. We try to negotiate with the customer, as we
did here. And what we would really like is to reach a point where the
customer is satisfied and we are satisfied."




ISN is hosted by SecurityFocus.com