Phreaking Not Dead Yet

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."

Old Voice mail exploit

[Lowen+Na]

We used to hit 9 three times in a row on the Nike 1-800 number to get a dail tone and make long distance phone calls on Nikes tab. Not really phreaking but it was a phone system exploit

Re:Old Voice mail exploit

[British]

Here's what I did once.

1. Hack a direct dial voice mail #(after hours business)
2. Record the message "hello??.........Yes I'll accept"
3. Call Long distance operator to do a 3rd party billing for a call, give voice mail # to bill to

The call went through, regardless of the fact that the person calling her, and the person she called both had the same voice.

Social engineering more than phreaking

[JUSTONEMORELATTE]

IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extra-ordinary control over the network.
Interesting read, just the same.

--

Thats not 'Real Phreaking'!

[NETHED]

Real phreaking is sneaking out of your parents house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600hz down the handset. Those were the days.

Re:Thats not 'Real Phreaking'!

[unicron]

Back in my day we stole our lineman's headsets from the MaBell truck. None of this pussy catalog order shit you little whipersnapers got these days. And they were even touch-tone! They were rotary! I still have a rotary lineman's headset lying around here somewhere. The rotary wheel is made of cast-iron, I shit you not. Thing weighs like 25lbs and looks like the meanest bludgening weapon ever made.

Re:Thats not 'Real Phreaking'!

[Waffle+Iron]

Thing weighs like 25lbs and looks like the meanest bludgening weapon ever made.

It was designed that way so that linemen could use it beat the crap out of teenaged punks who they caught trying to steal their equipment.

Automated System Culpable

[dtolton]

It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.

Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.

Only paying 30% of a scam like this is shameful.

Re:Automated System Culpable

[stretch0611]

It seems like AT&T is directly at fault here...
...Not only that, but AT&T is the one that chooses the default password

Actually, SBC is at fault here. SBC is selling the voicemail system. SBC is setting the same default password for everyone.

AT&T is at fault for allowing someone's voicemail to accept collect calls and also by billing people that never made the calls.

Last, but not least, are the people that leave the default password on something.

Phreaking

[Cyno01]

For more about Fone Phreaking, check out the grand master... Phone Losers of America

Not really new ...

The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.

thank god !?!?

[Brigadier]

For a second I thought this meant all my friends with dialers would start calling me long distance. I hated that every five minutes.

please insert more money
hang on dude (holding dialer to hand set)
waiting as dialer mimics the sound of one quarter at a time

You tell me who is right...

[greenskyx]

#1 --> "Victims say that AT&T and SBC know about the scam and are taking no
concrete action to protect consumers from it."

OR

#2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental
in stopping the scam."

CLUE :

"Later Hatcher was told that AT&T would take 35 percent off her bill,
but she'd have to pay $8,000"

HMMMM.......

Quick summary of the exploit

[Levine]

Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising na'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.

We have a classic case of stupid users.

It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.

Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.

levine

Before everyone starts talking..

[bazmonkey]

...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "koodies" when the real phreaking was going on.

This ties in with our general hacker degredation. Phreaking is nearly gone, everything today is a DOS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!

Sad, sad world...

Passwords

[rf0]

Going from what I'm reading here it looks like they are using the default password that are shipped with systems. A quick search of google will chuck up the default for loads of systems. So bascically the adminstrators of the system aren't doing the job correctly or am I just misreading this?

Rus

But here's the question

[Chagatai]

In the article, it discusses two individuals who failed to change their default password on their voicemail, leaving them vulnerable to a scam where people would make collect calls to their voicemail (after someone gained access to it), where the message was replaced by someone saying, "yes, I'll accept the charges". AT&T agreed that the individuals did not make the calls, but insist that the individuals (or their companies) still pay about two-thirds of the bill.

Here's the real question-should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life enough idiot-proof and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".

Don't pay that bill!

[fname]

My advice to the consumers: don't pay the bill. Write a letter and have your lawyer, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when there gross margins are probably in excess of 90% for these collect calls.

Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.

Turing test for phones..

[pres]

I would think that something simple, like yahoo uses for account creation. Instead of "please say yes", it should be "please say XXXXX" where XXXX is randomly selected.

Default Password

[SwansonMarpalum]

I'm curious why everyone is pointing at the telcos when the users should have changed their passwords. While I wouldn't abdicate either party from being guilty, I think that the people who leave their voicemail wide open are just as irresponsible as the telephone companies using an automated system.

There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.

Fix the problem and the rest will fall into place.

An idea to improve the automated collect calls

[Ryu2]

If AT&T is too stingy to use live humans for collect call acceptance, here should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (eg, asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.

Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.

Re:Even worse

[Zirnike]

Even just a minor change would be good.

Example: "YOu are about to accept a collect call. DO you accept?" (wait for 'yes', 'yep', 'uh-huh', whatever, interpret it, continue) 'To verify, please say the following word: (random word from set A)' (verify)

It wouldn't even take much effort. Suppose A includes 'toast', 'ummagumma', 'vaccum', 'moose', 'arbitrary', and of course, 'Forty-two'. They're all VERY distinctive, more so than 'nope' and 'yep', which they have to contend with anyway. Have, oh, 20 different lists, rotate them week to week (they're all on some server, not a problem there). Instant secure. Well, not absolute, but by an order of magnitude or 12.

My companys voice mail server used to get hacked

[eyeareque]

my companys voice mail server used to get hacked all the time. we have over 20,000 mail boxes so toll fraud is something that we just had to deal with. A simple fix for our problem.. turn off the ability to dial out of the voice mail server, and viola, problem solved. :)

Blame the victim? Are you nuts?

[ChaosDiscord]

I see a hell of alot of posts to the effect "they kept the default password, they deserve the charges."

That's just stupid and shortsighted.

People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.

Getting hit with a $12,000 bill (or a $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them alot of money.

Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. If I changed it, how could they debug it remotely?)