Slashdot Mirror
Phreaking Not Dead Yet
santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."
We used to hit 9 three times in a row on the Nike 1-800 number to get a dail tone and make long distance phone calls on Nikes tab. Not really phreaking but it was a phone system exploit
IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extra-ordinary control over the network.
Interesting read, just the same.
--
Real phreaking is sneaking out of your parents house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600hz down the handset. Those were the days.
--sig fault--
It's just a flesh wound!
It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.
Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.
Only paying 30% of a scam like this is shameful.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
For more about Fone Phreaking, check out the grand master... Phone Losers of America
"Sic Semper Tyrannosaurus Rex."
Why would'nt the providers be concerned? Let's see, because they might lose money? Hmm..
The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.
For a second I thought this meant all my friends with dialers would start calling me long distance. I hated that every five minutes.
please insert more money
hang on dude (holding dialer to hand set)
waiting as dialer mimics the sound of one quarter at a time
#1 --> "Victims say that AT&T and SBC know about the scam and are taking no
:
concrete action to protect consumers from it."
OR
#2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental
in stopping the scam."
CLUE
"Later Hatcher was told that AT&T would take 35 percent off her bill,
but she'd have to pay $8,000"
HMMMM.......
Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising na'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.
We have a classic case of stupid users.
It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.
Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.
levine
...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "koodies" when the real phreaking was going on.
This ties in with our general hacker degredation. Phreaking is nearly gone, everything today is a DOS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!
Sad, sad world...
Going from what I'm reading here it looks like they are using the default password that are shipped with systems. A quick search of google will chuck up the default for loads of systems. So bascically the adminstrators of the system aren't doing the job correctly or am I just misreading this?
Rus
Cheap UK and US VPS
Here's the real question-should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life enough idiot-proof and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".
--Chag
My advice to the consumers: don't pay the bill. Write a letter and have your lawyer, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when there gross margins are probably in excess of 90% for these collect calls.
Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.
I would think that something simple, like yahoo uses for account creation. Instead of "please say yes", it should be "please say XXXXX" where XXXX is randomly selected.
There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.
Fix the problem and the rest will fall into place.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
If AT&T is too stingy to use live humans for collect call acceptance, here should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (eg, asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.
Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.
There's 10 types of people in this world, those who understand binary and those who don't.
Hmmmmm ... Who's to say AT&T really WANTS to fix this problem.
;o)
Every time someone pulls this scam (not Phreak) AT&T makes money. In the two cases cited each one is worth about $8000 to AT&T.
Yes, some will fight the bill, and even win out against AT&T and SBC, but for every one who fights the charge hard enough to win, I'll bet that ten more just swallow and pay.
Uh, who knows, maybe SBS and AT&T are even making the calls, eh?
The thing is, even if you do change your password this kind of exploit is still wide open. A dedicated phreak can set up a wardialer (a program that will call repeatedly if necessary and perform simply touch tone codes to a number) to try all possible combinations. Just have it play something like 00010020030040050060070080090110120130140150160170 18019021022023024025025026028....etc and all possible three or four digit numbers will be hit, thereby cracking the code. A lot of VMBs have it so you can only try one set then call back for another, but this is no problem. Just set the wardialer to try four, then call back and try the next four. Many VMBs have been seized through this method.
Example: "YOu are about to accept a collect call. DO you accept?" (wait for 'yes', 'yep', 'uh-huh', whatever, interpret it, continue) 'To verify, please say the following word: (random word from set A)' (verify)
It wouldn't even take much effort. Suppose A includes 'toast', 'ummagumma', 'vaccum', 'moose', 'arbitrary', and of course, 'Forty-two'. They're all VERY distinctive, more so than 'nope' and 'yep', which they have to contend with anyway. Have, oh, 20 different lists, rotate them week to week (they're all on some server, not a problem there). Instant secure. Well, not absolute, but by an order of magnitude or 12.
I'm not shy, I'm stalking my prey
Let me get this straight. Person A orders voice mail. Said person: 1. never changes his password 2. never changes his voice message 3. never =listens= to his voice message 4. never gets told by his family/friends that he has an odd message, probably because he... 5. never receives calls May I ask why these people are ordering voice mail service in the first place?!
(seems like Wired actually got /.ed?)
We have had something like this happen at our company. The problem is not just the default password here...here is what happened (and yeah, this could be offtopic, but I found it interesting so maybe you will too)
Precursors to the condition:
1. We have multiple 800 numbers running into our phone bank.
2. Phones may be set up to forward phone calls to a remote number, including numbers overseas, if the user has the 4-digit password. (Yes, we actually have a need for that - we're UK-owned)
Here's what happened:
We had someone war-dialing our system to hack the passwords for users. (I am assuming they were using war-dialing since they hit extension 201 first, then 202, etc.) They were calling in on our 800 number, then brute-forcing the 4-digit password.
When the hacker got the password, he/she would set up the phone so that the phone automatically forwarded all incoming calls to somewhere overseas (Pakistan and Taiwan, to name a couple of places).
The hacker then called back and dialed the extension, which automatically forwarded the call to the pre-selected number.
The only solution our IS/IT department came up with was to start requiring everyone to use 8-digit passwords which must be approved for complexity by their department. The calls in to our 800 number didn't stop for a long time.
Denver Isuzu Suzuki
my companys voice mail server used to get hacked all the time. we have over 20,000 mail boxes so toll fraud is something that we just had to deal with. A simple fix for our problem.. turn off the ability to dial out of the voice mail server, and viola, problem solved. :)
You can use a radioshack scanner and plug it into a computer running pd with a DTMF decoder patch and get anyone's voicemail password who has a cordless phone. For some cordless phones, you can even use an old TV set that goes up to channel 83!
You can also get long distance calling cards this way too, I'm paranoid and I now dial these on the cord phone, then pick up the cordless. Are user's responsible for using encrypted phones?
AT&T is clearly at fault for accepting the charges. That is the part of the system that is the weak link, not the voicemail passwords. Someone could have hung an answering machine on their phone line. It's a ridiculous hole.
As for SBC, Their system asks you for your password BEFORE your mailbox number, and if it's right for the phone you're using, it doesn't ask for the mailbox. So, if you have the same password as the person whose phone you're using, you hear THEIR messages, and there is no way to listen to your own! It's rare, but it happens. Telcos are lame.
=Rich
BTW, pd is the greatest, coolest, amazingest piece of linux software there is and hardly anyone seems to use it. You can make a DTMF decoder in no time, or generate any tones you need, and so much more! See the examples.....
I never call back numbers that I don't recognize. If it's important, they'll call me again.
AT&T screwed up with deploying voice recognition for this purpose (and presumably continuing to charge operator assist rates); that's their problem. I hope the lawyers are going to have a field day with them.
I see a hell of alot of posts to the effect "they kept the default password, they deserve the charges."
That's just stupid and shortsighted.
People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.
Getting hit with a $12,000 bill (or a $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them alot of money.
Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. If I changed it, how could they debug it remotely?)
Search 2010 Gen Con events