Hacked Business Owner Stuck With $52k Phone Bill
ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they couldn't even manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?
"Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"
Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
Dude, it wasn't the phone company's equipment - hence the "outrageous" charge to the consumer.
Shouldn't the telecom provider be able to identify the phone number(s) in Bulgaria that the hacker called? If a hacker is calling Bulgaria, I'd think there's probably some international crime or identity theft ring centered there that the phone company and government officials would want to know about. Either that, or the hacker was calling about the whereabouts of his mail-order bride.
This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.
Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.
http://www.schneier.com/blog/archives/2007/01/information_sec_1.html
http://www.schneier.com/blog/archives/2006/03/credit_card_com.html
http://www.schneier.com/blog/archives/2005/10/preventing_iden.html
I don't find this surprising in perspective of what people in the service sector usually have for themselves.
After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?
Hint - the mechanic's car is usually fixed last, if ever.
In similar light I knew a cardiologist a few years back who died of heart failure.
It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I hear Bulgaria has the best phone sex lines, confirm/deny?
Why should the phone company be responsible for their customer's incompetence? If they installed it... maybe... but they didn't. Now, as far as a compassion standpoint... the company should at least help out some.
I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.
Let's assume these calls cost $3.00 for a minute.
$56,000 / 3.00 = 18667 Minutes.
18667 / 60 (min/hr) = 311 Hrs.
So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??
($3.00 is an assumption as I have no idea what actual international rates are)
Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.
Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls. Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.
"The only constant in the universe is change." - Unknown author
Is there not a way to just block the ability to direct dial International Calls at the Phone company level. That way a calling card could be used to only dial international?
If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?
I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to be legally billed to you. I am not sure about US/Canadian telecom laws?
If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.
Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.
He should be looking to the company that installed the system for compensation, not MTS.
The phone bill is exactly stolen services....and for the phone company to sell that should be illegal.
THL phish sticks
Taking this further, given enough bandwidth, we could well see many a PC relegated to being a dumb terminal attached to a hackable 'cloud computer', or 'personal virtual machine'. Imagine a million of those hacked instantly because Amazon EC2 has a security flaw - a backdoor admin password revealed to a boy/girlfriend of the opposite political persuasion; a lost Amazon laptop with a functioning VPN link into EC2 with superadmin privileges; an unfortunate fraud detection and prevention businessman specializing in cloud security?
Her lips were softer than a duck's bill, but her quacks
This should be a lesson to all the people who think customers should pay by the megabyte for internet access. The safety of a fixed price per month is worth it, even if you would normally pay a little less with a metered connection.
Of course a metered connection could still be made a lot safer by allowing the customer to set an upper limit, but that would prevent accidental roaming and long distance charges which everybody seems to fall victim to once in a lifetime. Maybe it's time for a law...
But why are there no credit limits on what phone companies provide? They all seem to happily keep upping someone's bill without ever wondering if that person can pay it.
Someday we are going to hear about someone getting billed 30 million for watching a movie on their iPhone while on safari.
After the first few grand they should cut you off and tell you about it. And if you want a bigger credit limit you request it.
Davison has a four-digit password on the voice mail. That doesn't stop professional hackers, said Brett Rhodes, an expert in the field who runs SME Teleresources Inc. in Winnipeg.
I once saw a web site with a list of all 4-digit PINs on it. I mean like, every single one!!!! There must be... hundreds.. no... thousands of possibilities! Keeping or distributing such a list should be illegal.
Someone steals from the phone company using someone else's phone, and it's the someone else who needs to pay?
Say there's a water main and a pipe running off it to someone's house. Unscrupulous fiend taps into it. If he taps into the part closest to the street, it's a clear case of that person stealing from the water company and they're stuck with the problem. If he makes his hole six inches to the left, the water company gets to send a bill? How is that sane?
-- 'The' Lord and Master Bitman On High, Master Of All
...and there is no, I mean, NO excuse for what this guy allowed to happen, from the perspective of a telephony engineer.
Point #1: how weak is your security that an external entity can log in and gain access?
Point #2: why in the world does his voice mail system have a class of service that allows outdialing? Typically a telephony engineer restricts the class of service on the ports connecting to the phone system so that they can only pass calls to the phone system itself, not to the outside world.
This guy is unbelievably lazy, and the fact that he wants someone else to pay for his mistakes is insane. He fails at life.
---don't make me break out my red pen.
Everyone here seems to have this blame-the-victim-for-getting-hacked attitude, but why should we have to do this security stuff at all? Why can't we just execute the criminals? Everything is all about put up shields, pay tons of money for security, and it's as if the criminals have more of a right to our systems than we do. Enough already. This guy shouldn't have to pay any money at all, regardless of whether he had the shields up or not. People ought to be able to have a relative sense of security about themselves, and if we have to behead 50,000 convicted hackers and identity thieves and hang their bloated corpses off of bridges as an example to others, then let's get on with it.
Death to hackers, that's the best security policy that any country could have.
This is my sig.
As in, on par with American airport security? As in, make you feel like something has been done? Or did you mean on par with the cc companies, taking it one step further than that, like making you feel secure but actually doing very little so that they end up with your money the majority of the fraud cases.
I liked one of the comments under the original article that charging 52K for long distance is a crime itself. Are we still living in the dark ages of pre-internet where telcos, being monopolists, could charge whatever price they wanted for phone calls? Another thing that bothers me is that there are sooo many VoIP solutions out there that allow you to make calls to Europe for as low as 3 cents per minute. It's not worth the risk of hacking if you have that option.
This is an interesting legal point.
It seems to me a lot of lawsuits come down to "what are the damages"?
If someone steals a physical item, how is its value determined - retail or wholesale? The "actual damages" are a lot lower than the retail price of lots of things, but especially phone service.
This issue is a bit more complicated than you think.
I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsibility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.
This is sooo cool... where is the How-to?
Sounds like Cisco ought to start paying more attention to security as well.
That's not because Bulgaria rocks - it's because you're from Utah.
Weaselmancer
ridiculous.
MTS is the worst company in Canada (IMO) when it comes to overcharging and nickel and diming. I'll stop here, but know that I could write an awesome rant. ~:-)
Whose fault is it?
The company was not using the telco approved equipment, it was their own configuration that messed things up.
Should the telcos do more to prevent things like this?
In an ideal world yes; then again in such a world the telcos wouldn't have to. Shit happens, get on with it.
Should we trust this company to secure our systems? Should we hire them?
I do not see any reason not to other than the fact they were so public about it (but then again any publicity is good publicity).
This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
The credit card companies have it very simple - they stick the merchant with the bill. Sorry, but that isn't a solution as far as I (a merchant) am concerned.
How do big businesses handle it? Simple, they have insurance that covers their losses. Because still the credit card processor sticks them with the bill.
at least on par with what the credit card companies have done.
Jebus! Have you used their systems?! AVS and 3DSecure are NOT inspirational targets...
Pros:
Cons:
You'd think a simple system that checks against a list of compromised card numbers would be straightforward enough, easier than checking ever changing addresses anyway.
If you've ever dealt with a CC company over a fraudulent card you might have got the strong impression they don't care, except in as much as they *really* want their chargeback fee from the retailer (the innocent party in 99.99% of cases). If you've dealt with them multiple times you may have found them so unhelpful you might even suspect that they *welcomed* CC fraud. After all most of it goes undetected, and when it doesn't they charge for the original transaction, the refund and then double for chargeback.
3D Secure (verified by visa etc) was meant to address the retailer's concerns about this by transferring some responsibility back to the CC issuer, but it makes the customer jump through so many hoops that it is disabled by most retailers in order for them to keep their business alive. Additionally the list of exemptions and pre-requisites for them taking liability is as long as your standard credit card terms and conditions, making it in practice completely useless.
Nothing to do with phones I know, but Credit Card companies are *not* aspirational technology leaders. Because of all politicians' complete lack of understanding of technology they have managed to carve a privileged position where they profit from everyone and take no responsibility themselves. If I'm leading the revolution they will be the first against the wall...
It's sad, for a number of reasons: it's his business, it's a very expensive cost. Not so much his costly phone bill, more how his clients might perceive it. It's especially sad because security is not a mathematically solid thing. Even the very great security specialists may be the prey of hacker activism.
It's so easy to judge this by outsiders who don't have the details of the hack itself, most of whom probably have no serious knowledge of security whatsoever. For example, in the old days sendmail had a serious security exploit, because the specific exploit was kept secret amongst hackers.
If such a thing hits the news, it's better to have access to all the details (provided that he secured the issues first).
They're no different than any regional telecom giant. People in Alberta and BC can give you horror stories for days about dealing with Telus, and I imagine there are similar stories in Ontario and Quebec about Bell and Rogers. I deal with MTS Allstream pretty regularly as they sold us (and manage) our PBX and I don't have any major complaints, but then they actually have to compete out here.
This poo is cold.
This is bringing back too many '80s memories for me. I'm running CP/M on a Z80 again. Dot matrix printers. Pulse dialing. Seven inch floppy disks. Oh no....
http://michaelsmith.id.au
You have single-handedly rescued this thread from the clutches of fail.
DRM: Terminator crops for your mind!
I had a Panasonic key system and my employee left some default passwords in place. It was hacked to route incoming calls to a new outgoing line, and $14,000 worth of calls were made to Indonesia. It took many discussions with Verizon, threats back and forth, and some letters to the FCC to get Verizon to drop the charges.
This is why, as a small business owner, I think it's important to outsource critical parts of the business to experts, as opposed to trying to save a few bucks and doing it in house. Email, web hosting, telephone... unless one of those things is what your company does, there's no reason to take on the liability and the headache of taking care of these things when A. You can be spending your time doing other things and B. The people you outsource to know more than you do.
I used to do everything in house because I used to be an IT guy, but I learned this lesson a few years ago, and now I outsource all of this piddly stuff, because it's not piddly when there's a problem!
It's the manufacturer that designed these systems. They allow anyone to set up a user and security via a prompt on the phone off site. That is simply stupid. Never mind that any factory default passwords are public along with some backdoor passwords. It's not that hard, trust me, I have had two of my clients fall victim to this and it was locked down as much as they could be and disabled for allowing this. Most of these systems are 20 years old and the security measures protecting them reflect the age. All they do is use the various public ones and they get in. Set up a new user and class of service and it's off to the bank they go.
It's not like CC companies are doing that out of the kindness of their hearts. They're legally obliged to protect their customers against fraudulent use of their cards. It's not time for the phone companies to get their systems on a par with those of the credit card companies, it's time for legislation to force them to.
FGD 135
It is rare for these agreements to even approach 3 cents a minute nowadays, phone cards are proof of that because they usually average about 1-2 cents profit per minute because the competition is brutal. The phone companies are charging sometimes 50 times the amount they pay. So did you get that, MTS is charging 1.33 Canadian and you can get phone cards for around 4 cents a minute US. So around 40,000 minutes of calls which would cost around 1500 bucks US they are trying to get him to pay around 45,000 US or about 30 times cost. Are people really that stupid to still be sticking with a land line when they won't even spit on your asshole before raping you?
I have friends in Georgia, Russia and the Ukraine and I just use a cheap skype router and talk to them that way, it works better than the phone system. 90% of the people under the age of 35 in those countries do the same. So my question would be who were the calls to, who was making them and why can't they charge one of them?
An Education is the Font of All Liberty
How would you secure elastix/asterisk against this sort of outgoing call transfer?
Or how would you eliminate the ability to access voice mail over the regular IVR menu?
If the industry norm for phone systems is anything like the industry norm for computers, this means he has a phone on the sidewalk in front of the building, with a sign that says "free phone calls."
"Believe me!" -- Donald Trump
I hate to say it but this guy deserves everything he had coming to him. Even if the phone bill were 52 billion dollars he should still be forced to pay every single penny. This idiot is a Darwin Award waiting to happen.
It's worse than having "no business reason" - they have a business reason to allow fraud as long as they get to charge for it. It gets them more billable revenue. Since they provide a mostly necessary service without competition, it's not like their victims^Wcustomers are going to switch to another provider or go without, after all.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I have to wonder, given the nature of the business (which I suppose would cause a higher number of people with the skills to do so to have access to the equipment, and possibly motive if they become disgruntled), if this wasn't an inside job of hacking. Some studies have suggested those are actually the most common breaches and hardest to protect from.
"Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."
You are obviously basing this on your experience in the United States. Here in Canada it is much different. Our Telcos are regulated by the CRTC - and therefore they do not provide any such luxuries as "spit". They get right to the point.
Lots of times when something goes wrong with phone bills, it goes *very* wrong.
When I usually have a phone bill of 20 euros, and one month my bill starts rising to 5000,-?
I'd like to be able to tell them in advance to cut me off at 200,-, because if I'd ever reach that amount then something went wrong! I'd even be more than happy to pay them 20 euros of service fees for this service.
At the company I work for, mistakes happen quite frequently and there should be a way to detect them. Those mistakes amount to thousands of euros down the toilet per year. A phone bill is just completely uncontrollable.
Example: Someone creates a bill of 1000,- euros in the first week of January. I'd only notice this on 15 February when the bill for January arrives. Imagine that the trend continues all these weeks: We'd be talking about 6000,- euros while we're expecting a bill of 100,- for that user.
Therefore you should be able to specify a maximum amount for a certain user in advance. When the costs ever reach that amount, service should be terminated.
I work for a LEC and we will normally waive charges in these circumstances. But only once. If the abuse continues and the customer fails to secure their equipment, then they are liable. From what I understand this is a common problem and most LECs will let you off the hook once.
A much greater concern is that this exposes a serious flaw in the security of communication services we have all been taking advantage of for decades. There are simply too many individuals out there attempting to adopt new technologies into their homes who either aren't aware of the potential risks involved in using such equipment, or simply don't care.
If the individual users aren't willing to accept the consequences of haphazardly using technology capable of communicating over an external connection, without first educating themselves on how to prevent such problems (where possible), then the companies who provide these services will have no choice but to contractually demand that the user does not connect any hardware to their system that the provider doesn't completely control, such as how cable companies require a converter box of their own to use their television services.
It's really difficult to find middle ground on this issue that completely absolves the end user from responsibility when such things happen without sacrificing convenience in the process. The service was provided to a device the end user was supposed to be in control of... therefore the service was carried out as requested.
8==8 Bones 8==8
Before commenting on the lax security of telecoms, RTFA.
Telecoms have NO way of determining if those calls are legitimate or not. They came out of the customer's PBX. The guy could be calling his mistress in Bulgaria and doing it from outside the office to evade his wife. He could be in the Eastern European mob. He could have friends in Bulgaria. MTS is under _0_ obligation to provide any kind of security to this guy for his PBX BECAUSE IT DOESN'T BELONG TO MTS. That someone exploited the PBX sucks, but as someone who is familiar with them, let me tell you...
This guy simply didn't secure his system or guard against employee stupidity. There are two ways to do what the criminal in this case did:
Exploit the PBX based on the use of widely known default settings that 10 seconds of configuration on setup would have avoided.
Social Engineering.
This guy is clearly not good at what his business does.
Let's say that this guy did go with the MTS PBX equipment. MTS says it will cover the charges if it's on one of their boxes.
Does the MTS automatically block these fraudulent calls? Does MTS monitor *more closely* such attempts or successful ones with their boxes? Do the MTS boxes have better security than other non-MTS boxes have in the industry?
There's one easy solution to this. Call and threaten to cancel your service. Bell, Telus, Rogers, all the same. Whomever you speak to first in 'Customer Service' will try to talk you out of it. Be persistent without actually canceling, unless you REALLY want to. In no time, you'll be transferred to another department. These are their customer saving or retention team people. They're there to save you from selling your soul to the competition. With these guys, you can get better and cheaper plans, better and faster service and every effort will be made to help you in the future. If you have some really mucked up billing issue, save yourself the hundreds of phone calls: threaten to cancel. I almost guarantee it will be fixed in 2 business days and not 2 months.
I just thought I'd share this information with others. I'm willing to bet our southern neighbours will enjoy this nugget too. If the big companies cannot provide good service, let their CEOs see how many people are threatening to cancel service. Shareholders wouldn't be too happy would they?
Discount with a special driver?
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Now some politician is going to start making us enter CAPTCHAs every time we want to make a call..... To protect us.....
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
We have international numbers blocked by our telco and don't have any outbound routes to '011'. It also has 900 and 976 numbers blocked too in both places.
If we need to call internationally we can just use a calling card. It's cheaper and 'max cost' limited to the face value of the card.
that used a rotary dial until General Telephone eliminated the tone surcharge. Proud NOT to be the first adopter.
...Lorenzo / I'm into kinky crustaceans. I just discovered internet praWn.
"where else are you going to go for phone service?"
Your friendly local cable company, most of whom now offer landline telephone service. Or, depending on your needs, maybe even a cell phone provider, or a voip outfit.
If you're a zombie and you know it, bite your friend!
...Richard is one of my clients. Neat dude, with a great rotating art collection.
...Lorenzo / I'm into kinky crustaceans. I just discovered internet praWn.
"This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done."
Good thing this wasn't a story about unsecured WAPs. Otherwise we could use the "But IT asked me to" defense to put the blame where it belongs.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
My phone company(also my isp) sends me email alerts if my call charges go 50% above the average for a month. Seems like something most service providers should do.
...and that is all I have to say about that.
http://jessta.id.au
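The two kinds of report suggested in this thread (flagging an account whose daily billing runs n times its long-term average, and alerting once charges to foreign numbers climb past a fixed mark) can be run over ordinary call detail records. The script below is an added illustration, not code from any telco or from the thread; the CDR layout, the account name, the +359 destination and the per-minute rate are all constructed sample values.

```python
"""Toll-fraud spend checks over call detail records (CDRs).

Constructed example: flags a day whose spend exceeds a multiple of the
account's trailing average, and the first call at which cumulative
foreign-destination spend passes a threshold. The Cdr layout and all
sample values are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cdr:
    account: str
    started: datetime
    dialed: str      # full international digits, no leading '+' (assumption)
    seconds: int
    cost: float      # billed amount in the account's currency


def daily_spend(cdrs):
    """Return {account: {date: total_cost}} from a list of Cdr records."""
    totals = defaultdict(lambda: defaultdict(float))
    for c in cdrs:
        totals[c.account][c.started.date()] += c.cost
    return totals


def spend_anomalies(cdrs, multiplier=20.0, baseline_days=30, min_baseline=1.0):
    """Flag (account, day, spend, baseline) where a day's spend is more than
    `multiplier` times the average daily spend over the preceding
    `baseline_days`. Days with no calls count as zero in the baseline; a
    baseline below `min_baseline` is raised to it so a quiet account does
    not trip on its first ordinary call."""
    alerts = []
    for account, by_day in daily_spend(cdrs).items():
        for day in sorted(by_day):
            window = [by_day.get(day - timedelta(days=i), 0.0)
                      for i in range(1, baseline_days + 1)]
            baseline = max(sum(window) / baseline_days, min_baseline)
            if by_day[day] > multiplier * baseline:
                alerts.append((account, day, round(by_day[day], 2), round(baseline, 2)))
    return alerts


def foreign_spend_alerts(cdrs, home_cc="1", threshold=100.0):
    """Return (account, started, dialed, cumulative) for the first call that
    pushes an account's cumulative spend to non-home country codes past
    `threshold`. Country code matching is a prefix check on `dialed`."""
    running = defaultdict(float)
    fired = set()
    alerts = []
    for c in sorted(cdrs, key=lambda r: r.started):
        if c.dialed.startswith(home_cc) or c.account in fired:
            continue
        running[c.account] += c.cost
        if running[c.account] > threshold:
            fired.add(c.account)
            alerts.append((c.account, c.started, c.dialed, round(running[c.account], 2)))
    return alerts


def sample_cdrs():
    """Constructed CDRs: 30 quiet days of domestic calls on account 'hub-001',
    then a day of back-to-back 30-minute calls to a +359 number at a sample
    rate of 1.33 per minute."""
    cdrs = []
    start = datetime(2009, 1, 1, 9, 0)
    for d in range(30):
        day = start + timedelta(days=d)
        cdrs.append(Cdr("hub-001", day, "12045550100", 300, 0.50))
        cdrs.append(Cdr("hub-001", day + timedelta(hours=3), "14165550199", 600, 1.50))
    burst = datetime(2009, 1, 31, 1, 0)
    for k in range(40):
        cdrs.append(Cdr("hub-001", burst + timedelta(minutes=35 * k),
                        "35921234567", 1800, 30 * 1.33))
    return cdrs


if __name__ == "__main__":
    records = sample_cdrs()
    for a in spend_anomalies(records):
        print("daily spend anomaly:", a)
    for a in foreign_spend_alerts(records):
        print("foreign spend threshold crossed:", a)
```

With the sample data the daily check fires only on the burst day, and the foreign-spend check fires on the third international call, hours before the day's total is known.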
One can only hope the PIN wasn't the classic 1234. If so maybe he should change the combo on his luggage also.
We had two recent installations of Trixbox get hacked within a two month period. Our upstream is a VoIP vendor. Our payment plan is automatic charges of $40 against a debit card whenever the balance gets to $20. Our charges (well under 2c per minute) means those numbers work for us. When these Trixbox installations got hacked in both cases we were notified by our VoIP vendor, before we even hit the recharge limit. It was inconvenient, but it saved us a lot of money.
"Shit, won't the government bail me out?"
nonconformity at work
I'm from Colombia. Last month I got my phone bill with some charges for international calls to Bulgaria. I called customer services and they told me that it was caused by a virus that was downloaded onto my computer and that made those kinds of calls. I told them that I use FreeBSD and Gentoo Linux, so that explanation was not good enough for me because there was no virus that could do this to a FreeBSD box. Apparently none of them knew what FreeBSD and Linux were because they kept giving me the same explanation. I'm still struggling with the company because they're still charging for some calls I didn't make.
He's a Select Certified Cisco partner. That takes a few tests which you take online, and a call to your Channel Account Manager. I got Select Status in 4 hours..
Hardly someone who is going to secure Unified Communications Manager for the Enterprise. He can't even buy full-out Call Manager lol.
Food for thought... Don't give this guy as much credit as he is getting.
PS.
Feature 36 is not a Cisco feature, so I'm sure he couldn't afford a Demo-in-the-box you can get when you are a select partner. UC520/Couple of IP Phones/Wireless etc.
I was called in to clean up the mess and all I could really do was just remove the relaying from everyone's mailboxes, then we got rid of that phone system completely and went with asterisk which has its own set of challenges but careful log scrutiny.