Phreaking Not Dead Yet

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulant charges from places like Saudi Arabia and the Phillipines."

Old Voice mail exploit

[Lowen+Na]

We used to hit 9 three times in a row on the Nike 1-800 number to get a dail tone and make long distance phone calls on Nikes tab. Not really phreaking but it was a phone system exploit

Re:Old Voice mail exploit

[British]

Here's what I did once.

1. Hack a direct dial voice mail #(after hours business)
2. Record the message "hello??.........Yes I'll accept"
3. Call Long distance operator to do a 3rd party billing for a call, give voice mail # to bill to

The call went through, regardless of the fact that the person calling her, and the person she called both had the same voice.

Social engineering more than phreaking

[JUSTONEMORELATTE]

IMHO, this is more social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extra-ordinary control over the network.
Interesting read, just the same.

--

Thats not 'Real Phreaking'!

[NETHED]

Real phreaking is sneaking out of your parents house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600hz down the handset. Those were the days.

Re:Thats not 'Real Phreaking'!

[Waffle+Iron]

Thing weighs like 25lbs and looks like the meanest bludgening weapon ever made.

It was designed that way so that linemen could use it beat the crap out of teenaged punks who they caught trying to steal their equipment.

Not really new ...

The basic idea being used here is *really* old, phreaks have been changing OGM's to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT+T and SBC being retards. Still amusing though.

Before everyone starts talking..

[bazmonkey]

...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "koodies" when the real phreaking was going on.

This ties in with our general hacker degredation. Phreaking is nearly gone, everything today is a DOS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!

Sad, sad world...

Don't pay that bill!

[fname]

My advice to the consumers: don't pay the bill. Write a letter and have your lawyer, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when there gross margins are probably in excess of 90% for these collect calls.

Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.

Re:Even worse

[Zirnike]

Even just a minor change would be good.

Example: "YOu are about to accept a collect call. DO you accept?" (wait for 'yes', 'yep', 'uh-huh', whatever, interpret it, continue) 'To verify, please say the following word: (random word from set A)' (verify)

It wouldn't even take much effort. Suppose A includes 'toast', 'ummagumma', 'vaccum', 'moose', 'arbitrary', and of course, 'Forty-two'. They're all VERY distinctive, more so than 'nope' and 'yep', which they have to contend with anyway. Have, oh, 20 different lists, rotate them week to week (they're all on some server, not a problem there). Instant secure. Well, not absolute, but by an order of magnitude or 12.