Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phreaking Not Dead Yet

Posted by CowboyNeal on from the red-box-blue-box-beige-box-new-box dept.

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."

18 of 193 comments (clear)

  1. Social engineering more than phreaking by JUSTONEMORELATTE · · Score: 5, Insightful

    IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extra-ordinary control over the network.
    Interesting read, just the same.

    --

    1. Re:Social engineering more than phreaking by stretch0611 · · Score: 2, Insightful
      this is more social engineering scam than phreaking.

      No, the article says that people are attacking the system with the default password that SBC sets when the voicemail is installed.

      AT&T doesn't seem concerned because they are still charging people for the calls. (Gee, a 30% discount on a $10,000 phone call that a person did not make, how generous -sic.)

      SBC probably doesn't care because it makes their competitor (or future competitor depending on your state), AT&T, look bad to consumers when they try to collect the bill.

      --
      Looking for a job?
      Want your resume written professionally?
      DON'T USE TUNAREZ!!!
  2. Automated System Culpable by dtolton · · Score: 4, Insightful

    It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.

    Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.

    Only paying 30% of a scam like this is shameful.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
  3. Losers by blackmonday · · Score: 3, Insightful

    Why would'nt the providers be concerned? Let's see, because they might lose money? Hmm..

  4. You tell me who is right... by greenskyx · · Score: 4, Insightful

    #1 --> "Victims say that AT&T and SBC know about the scam and are taking no
    concrete action to protect consumers from it."

    OR

    #2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental
    in stopping the scam."

    CLUE :

    "Later Hatcher was told that AT&T would take 35 percent off her bill,
    but she'd have to pay $8,000"

    HMMMM.......

  5. Even worse by zipwow · · Score: 2, Insightful
    Its not just that the fact the system is automated that is causing the problem, its the fact that the system is automated stupidly that casues problems.

    Why can other systems (telemarketers, for example) tell that you've got an answering machine, but the phone company's can't?

    And the article claims that they're happy with it that way:
    Diamond said AT&T has no plans to change the automated system, "which has proven to be extremely reliable for many, many years."
    I'll bet the people with the $12k bills wouldn't describe it as "extremely reliable"...

    -Zipwow

    --
    I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
  6. Re:Quick summary of the exploit by mabu · · Score: 2, Insightful

    How difficult is it for SBC to employ a password scheme which isn't so easy to crack?

    While it is foolish for the user to not change his/her password, that pales in comparison to the blatant negligence on the part of the voicemail provider, who presumably has plenty of resources and expertise at their disposal, though obviously not evidenced in this fiasco.

    Whoever is responsible for this scheme at SBC should be fired. And SBC should be responsible for the victims' bills.

  7. Default Password by SwansonMarpalum · · Score: 4, Insightful
    I'm curious why everyone is pointing at the telcos when the users should have changed their passwords. While I wouldn't abdicate either party from being guilty, I think that the people who leave their voicemail wide open are just as irresponsible as the telephone companies using an automated system.

    There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.

    Fix the problem and the rest will fall into place.

    --
    "Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
  8. An idea to improve the automated collect calls by Ryu2 · · Score: 4, Insightful

    If AT&T is too stingy to use live humans for collect call acceptance, here should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (eg, asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.

    Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
    1. Re:An idea to improve the automated collect calls by mpost4 · · Score: 2, Insightful

      Be careful on how you implement this, there will always a group of people that will not be able to use the feature. Lets take you example of yahoo registration, which is a word that is done via a picture. Well there is a group of people that have trouble registering at yahoo, the group of people who have that problem are the blind. I remember I had to go over to a friends place to help him register for yahoo because their screen reader can not read a image.
      How could there be a group of people that have problems with that, well lets take some one that might be mute, they can hear but can not talk but they have a TTY setup but that can not work on the collect call, so they have a recoding of a person saying "yes" to accept now the call is complete and they can hook up their TTY devices and continue on.

  9. Re:Before everyone starts talking.. by Anonymous Coward · · Score: 1, Insightful

    You're a loser.

  10. Re:Turing test for phones.. by protonman · · Score: 2, Insightful

    Easily defeated.

    You just record & play back whatever they say. You could even use sox or something to fiddle with speed, noise, whatever, to make it sound less perfect.

    Asking people to spell words or to complete an easy password cycle (like "Who's the current president of the USA?" or "Knock, knock?", etc. etc.) would be a lot thougher to beat. Thougher to implement too.

    --
    The man of knowledge must be able not only to love his enemies but also to hate his friends.
  11. Bell Canada's system by Anonymous Coward · · Score: 1, Insightful

    If you get Bell's voicemail, when you set it up, you are required to enter a new password. It won't let you proceed unless you enter a new password.

    How hard would this be for AT&T et al. to set this up?

  12. Can't read the article but... by allism · · Score: 3, Insightful

    (seems like Wired actually got /.ed?)

    We have had something like this happen at our company. The problem is not just the default password here...here is what happened (and yeah, this could be offtopic, but I found it interesting so maybe you will too)

    Precursors to the condition:

    1. We have multiple 800 numbers running into our phone bank.

    2. Phones may be set up to forward phone calls to a remote number, including numbers overseas, if the user has the 4-digit password. (Yes, we actually have a need for that - we're UK-owned)

    Here's what happened:

    We had someone war-dialing our system to hack the passwords for users. (I am assuming they were using war-dialing since they hit extension 201 first, then 202, etc.) They were calling in on our 800 number, then brute-forcing the 4-digit password.

    When the hacker got the password, he/she would set up the phone so that the phone automatically forwarded all incoming calls to somewhere overseas (Pakistan and Taiwan, to name a couple of places).

    The hacker then called back and dialed the extension, which automatically forwarded the call to the pre-selected number.

    The only solution our IS/IT department came up with was to start requiring everyone to use 8-digit passwords which must be approved for complexity by their department. The calls in to our 800 number didn't stop for a long time.

    --
    Denver Isuzu Suzuki
  13. current state of security sucks by primus_sucks · · Score: 2, Insightful

    Just today I forgot my online banking password. All I had to do was call the bank give them my ss#, date of birth, and mother's maiden name and bingo, they gave me a new password. This is information that plenty of ex-wives/girfriends would have access to, not to mention the person from the bank I just told.

    A couple of years ago someone apparently printed out checks from a laser printer with my name on them. Any jack-ass with a descent laser printer can make checks and a fake id.

    Also today my wife's purse was stolen. I was helping her call credit card companies to cancel her cards. But the credit card companies wouldn't let me cancel them because I obviously wasn't my wife even though I had the answers to all their lame "security" questions.

    The whole entire system is fucked up and easily beaten.

  14. Re:Quick summary of the exploit by liquidsin · · Score: 2, Insightful

    Ideally what would be in place is that when someone activates the voicemail service, they have to enter a password right then, or at most have a default password that expires in 24 hours. So long as AT&T knew about the default passwords, which I'm sure they did, I can't say SBC is to blame. AT&T *knew* the risk was there, they could have required their new users to set a new password.

    --
    do not read this line twice.
  15. Re:Old Voice mail exploit by vDave420 · · Score: 2, Insightful

    Sigh...

    From article:
    [Quote]
    Here's how the scam works: The default passwords that SBC issues to new users of their voicemail services are in a specific format and are easily guessed.

    If the default password is not changed after the system is set up, it's ripe for exploitation by malicious hackers, who have been breaking into SBC voicemail systems and replacing the owners' recorded greetings with recordings of a voice saying "yes" at appropriate intervals.
    [/Quote]

    So, "you did that once?"

    -dave-

    --
    The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
  16. Blame the victim? Are you nuts? by ChaosDiscord · · Score: 4, Insightful

    I see a hell of alot of posts to the effect "they kept the default password, they deserve the charges."

    That's just stupid and shortsighted.

    People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.

    Getting hit with a $12,000 bill (or a $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them alot of money.

    Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. If I changed it, how could they debug it remotely?)

    --
    Search 2010 Gen Con events