Slashdot Mirror


Hacked Business Owner Stuck With $52k Phone Bill

ubercam writes "A Canadian businessman is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they couldn't even manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.

6 of 300 comments

  1. ScuttleMonkey doesn't even read TFS by mugnyte · · Score: 3, Informative

    Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

        Dude, it wasn't the phone company's equipment - hence the "outrageous" charge to the consumer.

  2. Why would they do that? by GrenDel Fuego · · Score: 5, Informative

    This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

    As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.

    Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.

    http://www.schneier.com/blog/archives/2007/01/information_sec_1.html

    http://www.schneier.com/blog/archives/2006/03/credit_card_com.html

    http://www.schneier.com/blog/archives/2005/10/preventing_iden.html

  3. Re:Bulgaria? by OhPlz · · Score: 5, Informative

    Often times, the thief sells calls at clusters of payphones in low income urban areas. The calls are made to wherever the immigrants in the area came from. These rings have phone systems like this that they hijacked, stolen prepaid phone card lists, stolen credit card lists that they can use to place calls, and so on. This is where a lot of phishing leads to. If they think anyone is on to them, they can just walk away. The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough. It's a great scam because it's easy and they don't have to risk taking delivery of anything. The minutes turn into cash.

  4. Re:WTF? by oldspewey · · Score: 4, Informative

    I thought the Streisand effect was when somebody doesn't want information to become public, and by acting to suppress it they generate publicity.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?

  5. I am in the same business by E. Edward Grey · · Score: 3, Informative

    ...and there is no, I mean, NO excuse for what this guy allowed to happen, from the perspective of a telephony engineer.

    Point #1: how weak is your security that an external entity can log in and gain access?

    Point #2: why in the world does his voice mail system have a class of service that allows outdialing? Typically a telephony engineer restricts the class of service on the ports connecting to the phone system so that they can only pass calls to the phone system itself, not to the outside world.

    This guy is unbelievably lazy, and the fact that he wants someone else to pay for his mistakes is insane. He fails at life.

    --

    ---don't make me break out my red pen.

  6. Re:WTF? by Registered Coward v2 · · Score: 3, Informative

    this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

    The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.

    I agree fully with that statement. I worked for a small company (400 people) and our telecom folks watched the usage patterns like a hawk, and stopped several hack attempts cold. The only one I know of that they didn't stop was one where a calling card number was shoulder surfed; and they kept getting either no answer or VM at the phone company's fraud desk. The phone company ate that bill.

    --
    I'm a consultant - I convert gibberish into cash-flow.
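
The usage watching described in comments 5 and 6, as an added example that is not part of the original thread: a Python check over call detail records (CDRs) that flags any external call placed from a voicemail port and any hour with unusually high international spend. The CSV layout, port naming, extension length, and dollar threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CDRs (assumed layout: start, source port, dialed number, minutes, cost).
SAMPLE_CDRS = """start,source,dialed,minutes,cost
2024-01-06T02:05,VM-PORT-1,011359888000001,55,82.50
2024-01-06T02:07,VM-PORT-2,011359888000002,58,87.00
2024-01-06T02:40,VM-PORT-1,011359888000003,20,30.00
2024-01-06T09:10,VM-PORT-1,204,1,0.00
2024-01-06T09:15,EXT-204,2045550100,4,0.00
2024-01-06T10:30,EXT-117,01144205550100,12,3.60
"""

VOICEMAIL_PREFIX = "VM-PORT"     # assumption: how voicemail ports appear in the CDRs
INTL_PREFIX = "011"              # North American international access prefix
MAX_EXTENSION_DIGITS = 4         # assumption: internal extensions are at most 4 digits
HOURLY_INTL_COST_LIMIT = 50.00   # assumption: alert threshold, dollars per clock hour

def load_cdrs(text):
    """Parse CDR text into dicts with numeric minutes and cost."""
    return [dict(r, minutes=int(r["minutes"]), cost=float(r["cost"]))
            for r in csv.DictReader(io.StringIO(text))]

def voicemail_outdials(cdrs):
    """Voicemail ports should only hand calls to the PBX itself, so any
    non-extension number dialed from one is an alert on its own."""
    return [r for r in cdrs
            if r["source"].startswith(VOICEMAIL_PREFIX)
            and len(r["dialed"]) > MAX_EXTENSION_DIGITS]

def hourly_international_spend(cdrs):
    """Total international cost per clock hour (key: YYYY-MM-DDTHH)."""
    spend = defaultdict(float)
    for r in cdrs:
        if r["dialed"].startswith(INTL_PREFIX):
            spend[r["start"][:13]] += r["cost"]
    return dict(spend)

def alerts(cdrs):
    out = [f"{r['start']} voicemail port {r['source']} dialed out to {r['dialed']}"
           for r in voicemail_outdials(cdrs)]
    for hour, cost in sorted(hourly_international_spend(cdrs).items()):
        if cost > HOURLY_INTL_COST_LIMIT:
            out.append(f"{hour} international spend ${cost:.2f} exceeds limit")
    return out

if __name__ == "__main__":
    print("\n".join(alerts(load_cdrs(SAMPLE_CDRS))))
```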