Phreaking Not Dead Yet

← Back to Stories (view on slashdot.org)

Posted by CowboyNeal on Thursday April 17, 2003 @10:24AM from the red-box-blue-box-beige-box-new-box dept.

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."

4 of 193 comments (clear)

Min score:

Reason:

Sort:

Phreaking by Cyno01 · 2003-04-17 10:30 · Score: 4, Informative

For more about Fone Phreaking, check out the grand master... Phone Losers of America

--
"Sic Semper Tyrannosaurus Rex."
Not really new ... by Anonymous Coward · 2003-04-17 10:32 · Score: 5, Informative

The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.
Quick summary of the exploit by Levine · 2003-04-17 10:33 · Score: 4, Informative

Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising na'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.

We have a classic case of stupid users.

It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.

Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.

levine
My companys voice mail server used to get hacked by eyeareque · 2003-04-17 11:29 · Score: 4, Informative

my companys voice mail server used to get hacked all the time. we have over 20,000 mail boxes so toll fraud is something that we just had to deal with. A simple fix for our problem.. turn off the ability to dial out of the voice mail server, and viola, problem solved. :)