Slashdot Mirror
Hacked Business Owner Stuck With $52k Phone Bill
ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?
"Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"
It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.
Let's assume these calls cost $3.00 for a minute.
$56,000 / 3.00 = 18667 Minutes.
18667 / 60 (min/hr) = 311 Hrs.
So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??
($3.00 is an assumption as I have no idea what actual international rates are)
Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.
Or the old quote.
The Carpenters house is always the one that is in least repair.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls. Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.
"The only constant in the universe is change." - Unknown author
Is there not a way to just block the ability to direct dial International Calls at the Phone company level. That way a calling card could be used to only dial international?
If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?
I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to legally billed to you. I am not sure about US/Canadian telecom laws?
If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shutter to think that any of my neighbors are into any of that).
I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.
Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.
He should be looking to the company that installed the system for compensation, not MTS.
"It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.
I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsbility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.