Slashdot Mirror
Hacked Business Owner Stuck With $52k Phone Bill
ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?
"Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"
Why should the phone company be responsible for their customer's incompetence? If they installed it... maybe... but they didn't. Now, as far as a compassion standpoint... the company should at least help out some.
It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.
Let's assume these calls cost $3.00 for a minute.
$56,000 / 3.00 = 18667 Minutes.
18667 / 60 (min/hr) = 311 Hrs.
So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??
($3.00 is an assumption as I have no idea what actual international rates are)
Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.
Or the old quote.
The Carpenters house is always the one that is in least repair.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls. Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.
"The only constant in the universe is change." - Unknown author
Is there not a way to just block the ability to direct dial International Calls at the Phone company level. That way a calling card could be used to only dial international?
If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?
I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to legally billed to you. I am not sure about US/Canadian telecom laws?
If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shutter to think that any of my neighbors are into any of that).
I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.
Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.
He should be looking to the company that installed the system for compensation, not MTS.
After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?
Hint - the mechanic's car is usually fixed last, if ever.
Care to try and back that statement up?
I happen to work in the automotive repair industry. Good automotive techs know better than most that it's far cheaper to maintain their vehicle than it is to repair damage later.
Ironically, the word ironically is often used incorrectly.
The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough.
$50K not high enough? Huh.
But anyway, given that it can't have cost the Canadian telecom anywhere *near* $50K, and it was clearly fraud, shouldn't they prorate this guys bill to *cost* or a little more? Demanding the full $50K is unfair.
If you want news from today, you have to come back tomorrow.
"It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.
Because the water company doesn't own the pipe six inches to the left, and the company that got their water hijacked was a "pipe security" company.
I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsbility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.
>> "Hint - the mechanic's car is usually fixed last, if ever."
> Care to try and back that statement up?
I can't back that statement up, but in Norway we have a saying that goes:
"Skomakerens barn"
Which means "The shoemakers children". And is a reference that the shoemakers children never has good shoes. Which of course is just a saying - but the implication is that if you work with something, you don't take care of yourself/your family - in the field of your speciality.
It's just like us computer people. We don't repair our family-members computers after leaving our teenage years.
The real issue there is that receiving a message, with no way to block it, costs the recipient money.
In what sort of world does that make sense?
Either you don't know any mechanics personally, or the mechanics you deal with are shitty ones. Ive seen engines so spotless that you can eat off them, with brand new bolts everywhere.
That may be true when they start out - beautifully prepared and maintained, usually quite highly tuned, always immaculate; by the time they get to their mid-forties and are running their own business, working long hours to make ends meet, their own cars get just enough attention to keep running.
My brother's first car was a beaut - Austin A35 with an MG Midget engine and a Marina back axle - hundreds of hours of work just for the joy of it. That was followed by a stream of Escort Mexicos and RS200s. As the years have passed, his own cars have become just a means of transport - minimal maintenance to keep them running then scrap 'em. Maybe he's a shitty mechanic, but since he used to service crew for WRC teams, maybe not - perhaps he's just a family man who would rather spend his spanner time putting food on the table.
[ ]Half Empty [ ]Half Full [x]Twice as big as it needs to be
He's a select certified cisco partner. That takes a few tests which you take online, and a call to your Channel Account Manager. I got Select Status in 4 hours..
Hardly someone is who going to secure Unified Communications Manager for the Enterprise. He can't even buy full out call manager lol.
Food for thought... Don't give this guy as much credit as he is getting.
PS.
Feature 36 is not a Cisco feature, so I'm sure he couldnt afford a Demo-in-the-box you can get when you are a select partner. UC520/Couple of IP Phones/Wireless etc.