Information Security News mailing list archives

Phone hackers stick city for $15,000


From: InfoSec News <isn () c4i org>
Date: Fri, 29 Mar 2002 02:55:40 -0600 (CST)

http://www.mlive.com/news/grpress/index.ssf?/xml/story.ssf/html_standard.xsl?/base/news/101724390467486.xml

Wednesday, March 27, 2002
By Jim Harger
The Grand Rapids Press

Grand Rapids taxpayers are footing a $15,000 telephone bill for
international calls rung up because of hackers who broke into the
city's phone system over a weekend last summer.
 
Hackers broke into the city's voice-mail system in July and used a
"back door" code to get access to an outgoing line. The access code
was sold on the street and used to make $36,400 worth of international
phone calls, said Tom McQuillan, the city's director of information
technology.

Phone companies have agreed to forgive all but about $15,000 of the
debt.

According to McQuillan, "very sophisticated" hackers in New York,
using decommissioned cellular phones, broke the codes to the city's
switchboard the weekend of July 20-23.

The hackers used a little-known feature that allowed voice-mail access
to reach an outgoing line. That feature, which was not used by city
employees, has since been taken out of the system, McQuillan said
Tuesday.

It was the first time the city's phone system has been hacked since it
was installed 18 years ago, he said.

Access to the outgoing line was sold to users who called numbers in
Asia and the Middle East, McQuillan said. The calls were made during
off-hours when the city's own phone traffic was too low to detect the
problem.

Worldcom, the city's local service provider, discovered the problem on
July 23, the Monday after the hackers broke in, McQuillan said.

The city has been negotiating since then to determine how much of the
bill taxpayers must foot.

Sprint has agreed to forgive $11,132 worth of calls billed through its
long-distance service, McQuillan said in a memorandum to city
commissioners. However, AT&T is willing to write off only $10,119.71 of
the $25,299.28 worth of calls made through its service.

"AT&T believes that it has legal standing to demand such payment," said
McQuillan, who asked the City Commission to sign off on the $15,000
settlement Tuesday.

"We do not dispute that the calls were made through our phone system,
even though they were made by outsiders," McQuillan said. "AT&T has
worked with us during the entire process, and there is no real fault
to be assigned. Unfortunately, toll fraud is a fairly common business
occurrence."

City Attorney Philip Balkema told commissioners AT&T's case was a
strong one. "There is an FCC ruling that is identical on all the
points," he said. "Their ruling is that AT&T was entitled to recovery."

AT&T spokesman Mike Pruyn said he was not familiar with the Grand
Rapids case, but noted AT&T routinely holds telephone customers
responsible for their telephone numbers.

"We deal with each complaint on a case-by-case basis," he said. "But
in general, each customer is responsible for their telephone and calls
made by their telephones, whether they're made by hackers or not."

Due to confidentiality agreements in the city's contract with AT&T,
McQuillan said he could not comment on the negotiations that led to
the agreement.

McQuillan also said he could not comment on any findings of the
investigation into identifying the hackers.

Assistant City Manager Gregory Sundstrom said city officials have
taken steps so it won't happen again. He said an investigation
determined no city employees were involved in the fraud.



-
ISN is currently hosted by Attrition.org
