Hacked Business Owner Stuck With $52k Phone Bill
ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
Shouldn't the telecom provider be able to identify the phone number(s) in Bulgaria that the hacker called? If a hacker is calling Bulgaria, I'd think there's probably some international crime or identity theft ring centered there that the phone company and government officials would want to know about. Either that, or the hacker was calling about the whereabouts of his mail-order bride.
I don't find this surprising in perspective of what people in the service sector usually have for themselves.
After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?
Hint - the mechanic's car is usually fixed last, if ever.
In similar light I knew a cardiologist a few years back who died of heart failure.
It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
The phone bill is exactly stolen services....and for the phone company to sell that should be illegal.
THL phish sticks
ScuttleMonkey probably just hasn't figured out that, as far as the telcos are concerned, everything on the INSIDE of the drop is the customer's problem, everything on the OUTSIDE of the drop is the phone company's problem, unless the customer has specifically hired the phone company to handle the customer premises equipment. And more and more phone companies aren't doing that anymore.
Agreed. When our receptionist got hacked, and was doing call transfers to "9", AT&T picked up on the outbound calls as unusual and called us. They shut down the calls and canceled the charges. We own our switch, and there was none of this silly dance that MTS is doing.
Why, without your clothes, you're naked, Miss Dudley!
Credit card companies do things like monitoring your usage habits, and calling you when you deviate wildly from them in order to make sure everything is legit and froody.
This is a useful and profitable thing for them to be doing, since when things turn out not to be legit and froody, the credco is sometimes on the hook themselves for a lot of money.
It is not as useful or profitable for a telco to do the same, because they charge money for a "service" that it costs them next to nothing to render. If the customer accidentally runs up a huge bill, then the dilemma is different: if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.
DRM: Terminator crops for your mind!
Let me assure you, none of us had ever seen so many gorgeous women in one place.
THL phish sticks
Some context from a native of Winnipeg:
MTS is our AT&T, it's the big bad phone company. I believe it's the second largest company in our province, behind the power company. HUB is a tiny business that I had never heard of. This is very much a David vs. Goliath thing, the HUB guy wants MTS to go easy on the bill because they have money. MTS has dropped all responsibility because it's not their equipment that was hacked, but this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".
The HUB guy will have to lay off one of his staff unless MTS goes easy on this bill. His only method of leverage on MTS is to speak to the newspaper. That's the reason he's risking public embarrassment.
Everyone here seems to have this blame the victim for getting hacked, but, why should we have to do this security stuff at all? Why can't we just execute the criminals? Everything is all about put up shields, pay tons of money for security, and it's as if the criminals have more of a right to our systems than we do. Enough already. This guy shouldn't have to pay any money at all, regardless of whether he had the shields up, or not. People ought to be able to have a relative sense of security about themselves, and if we have to behead 50,000 convicted hackers and identity thieves and hang their bloated corpses off of bridges as an example to others, then, let's get on with it.
Death to hackers, that's the best security policy that any country could have.
This is my sig.
if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.
This is a myth - when the phone company does not originate and terminate the call themselves, they get charged by the companies they pass the call on to to have it terminated. In many situations, the large phone companies agree to call it quits as they carry roughly the same amount of each other's calls, but in international call markets, these agreements are much rarer.
So yes, potentially (in reality, quite likely in this case) there is a real cost to the phone company if they do not collect on the bill.
This is an interesting legal point.
It seems to me a lot of lawsuits come down to "what are the damages"?
If someone steals a physical item, how is its value determined - retail or wholesale? The "actual damages" are a lot lower than the retail price of lots of things, but especially phone service.
This issue is a bit more complicated than you think.
It gets better, consider the fact that nowadays, modern cellphone companies allow you to email to a phone number. If you don't have an unlimited call plan, receiving messages in this way costs the receiver for every message received. Combine this with a gentle DDOS attack that doesn't break the server routing to the phone in question and?
Why does it cost money to put blocking on these services?
I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
I think you're jumping to conclusions - the article doesn't give enough information to say whether it should be embarrassing or not. Clearly if he set up the system himself using Asterisk or something, and setting up PBX systems is a service he sells, it's pretty embarrassing. The article doesn't say that, though.
He could have bought the PBX system from a third party, and had them set it up. But the article doesn't say he did that, either. In that case he should probably sue that company for not securing their product.
All the article says is that he wasn't renting the equipment from the phone company.
Maybe not
That is true, but the transit fees carriers pay to each other for this kind of traffic are often smaller than the amount billed to the end-users by an order of magnitude or more.
DRM: Terminator crops for your mind!
Why should the phone company be responsible for their customer's incompetence?
If they installed it... maybe... but they didn't.
Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.
Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)
So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...
Don't you wish your girlfriend was a geek like me?
They're no different than any regional telecom giant. People in Alberta and BC can give you horror stories for days about dealing with Telus, and I imagine there are similar stories in Ontario and Quebec about Bell and Rogers. I deal with MTS Allstream pretty regularly as they sold us (and manage) our PBX and I don't have any major complaints, but then they actually have to compete out here.
This poo is cold.
Absolutely, there is NO incentive for the communications companies to change. This theft actually generated more revenue for the phone company. Although the guy that got screwed just paid for an expensive lesson in security.
It is rare for these agreements to even approach 3 cents a minute nowadays, phone cards are proof of that because they usually average about 1-2 cents profit per minute because the competition is brutal. The phone companies are charging sometimes 50 times the amount they pay. So did you get that, MTS is charging 1.33 Canadian and you can get phone cards for around 4 cents a minute US. So around 40,000 minutes of calls which would cost around 1500 bucks US they are trying to get him to pay around 45,000 US or about 30 times cost. Are people really that stupid to still be sticking with a land line when they won't even spit on your asshole before raping you?
I have friends in Georgia, Russia and the Ukraine and I just use a cheap skype router and talk to them that way, it works better than the phone system. 90% of the people under the age of 35 in those countries do the same. So my question would be who were the calls to, who was making them and why can't they charge one of them?
An Education is the Font of All Liberty
His company cannot have been very successful (or big) if it is worth less than $50k.
I wouldn't ignore a $50k phone bill, I would pay it. I'm not rich enough to not pay it. I'm also not rich enough to damage my company's reputation by exposing incompetence.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
And yet when it is the monopoly's fault that something went wrong, they still bill the customer. The Church across the street is undergoing construction, and the gas company had to upgrade the gas pipe in the area to accommodate. They shut off our gas with no warning, then posted a note giving us a number to call to get the gas back on. I called the number and they gave me a day three days in the future when they would come by to turn it on and I needed to be home between 8 and 5. They didn't show. I called them every 10 minutes between then and 7 (when their phone operators stopped answering) and got various responses indicating first that he was on his way, then later that he had never been on his way and that he was at another work site. And finally, just before 7, they said he would be there in ten minutes. At about 8:40, he came by to turn it on. Then they found that their meter had not been working properly and was underreporting my usage. They put in a new meter. On my next bill, it was about 10 times the normal amount because they estimated my usage that their meter failed to account for. One week later, they cut my gas off again, and left a note again, which I found at about 6 PM when I got home from work. I had plans to go out of town for the weekend. I called them up and said they needed to get there by 7 as I was going out of town. They said they were unable to do that, but would be happy to schedule someone to come out on Monday. I replied that I was going camping and would very much like to come back and have a warm shower before going to work on Monday. They said there was nothing I could do. I asked them if there was another gas company that they could put me in contact with (of course there is not). So I had to stay home from work AGAIN on that Monday, and again they showed up after 5 PM, so I could have gone in to work.
As mentioned before, despite having two interruptions to my gas service, lasting approximately 20% of the month, my normal monthly "connection" fee was exactly the same, and my "usage" fee was 10 times normal.
Interestingly, the next month, it was back to its normal rate that it was before the "broken" meter was replaced. I think it was not really broken at all, but they just believed that I could not use that small amount of gas that I do.
Another time, I had just moved to a small town. I selected AT&T as my long distance carrier. I selected a plan that was $0.10 a minute with no monthly fee and an international plan that was something like $0.16 a minute with a $4 a month fee. The next month, I got a bill for about $500, with long distance charges of $0.76 a minute and over $2 a minute for international calls. I called to inquire about this and they told me that I did not have a calling plan at all. I told them the specific name of the plan that I had been sold. They eventually found that I had requested that plan, but that it was not valid for my area, so rather than call and notify me, they just defaulted me to no plan at all. I asked them what they were going to do about the charges, and they said that all they could do was put me on this other plan, which was more expensive, and had more monthly fees and they would graciously split the difference between what I owed and what I would have owed if I had been using this new plan. I told them that what they needed to do was to go ahead and put me on the plan that I had been sold and charge me according to the rates I had been quoted. But they said they could not do that. I as a customer was responsible for their employee's mistake.
Now, long distance telephone service was not a monopoly, so I could go to another carrier, however, if I didn't pay them, my phone service would be cut off, because it was billed through my local phone company, and they don't care whether you didn't pay the local or didn't pay the long distance. Either way, you didn't pay, so you are cut off.
If you are not allowed to question your government then the government has answered your question.
Why should it be any different? Is my ISP responsible for ensuring I have WPA properly configured on my wireless router to ensure my neighbor doesn't leech my bandwidth and cost me extra charges because I've gone over my monthly limit?
Your ISP should offer you an option of not allowing you to exceed a certain monthly limit.
I.e. to turn off the connection, or throttle you down after a certain point.
Phone companies should provide a similar option.
i.e. If I never want to allow my monthly phone bill to exceed $200... I should be able to establish that limit.
And once exceeded, they will disallow any actions that would cause the limit to be exceeded (without me calling them and authorizing a change).
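The two controls discussed in this thread, flagging usage that deviates from a customer's habits and a customer-set monthly limit, sketched as an added example that is not part of any comment above and is not any carrier's actual system. The record fields, account name, baseline and spike factor are assumptions; the $200 cap and 1.33-per-minute rate reuse figures quoted by commenters, and the call records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Call:
    account: str
    day: int        # day of the billing month
    dest: str       # destination country code
    minutes: float
    rate: float     # billed price per minute

def screen_calls(calls, monthly_cap, baseline_daily, known_dests, factor=5.0):
    """Apply a hard monthly cap and a habit-deviation alert to rated calls.

    Simplification: each call is priced in full before it is admitted.
    Returns (allowed, blocked, alerts, month_to_date_spend).
    """
    spent = defaultdict(float)      # account -> month-to-date spend
    per_day = defaultdict(float)    # (account, day) -> spend that day
    allowed, blocked, alerts = [], [], []
    for c in sorted(calls, key=lambda c: c.day):   # stable: keeps same-day order
        cost = c.minutes * c.rate
        if spent[c.account] + cost > monthly_cap[c.account]:
            blocked.append(c)       # stays blocked until the customer raises the cap
            continue
        spent[c.account] += cost
        per_day[(c.account, c.day)] += cost
        allowed.append(c)
        new_dest = c.dest not in known_dests[c.account]
        spike = per_day[(c.account, c.day)] > factor * baseline_daily[c.account]
        alert = (c.account, c.day, c.dest)
        if new_dest and spike and alert not in alerts:
            alerts.append(alert)    # one alert per account/day/destination
    return allowed, blocked, alerts, dict(spent)

def demo():
    # Constructed records: two routine calls, then a burst to a new destination.
    calls = [
        Call("acct-1", 1, "CA", 30, 0.05),
        Call("acct-1", 2, "US", 20, 0.10),
        Call("acct-1", 3, "BG", 60, 1.33),
        Call("acct-1", 3, "BG", 60, 1.33),
        Call("acct-1", 3, "BG", 60, 1.33),   # would push the month past the cap
        Call("acct-1", 4, "CA", 10, 0.05),
    ]
    return screen_calls(calls, {"acct-1": 200.0}, {"acct-1": 10.0},
                        {"acct-1": {"CA", "US"}})
```

The alert fires on the first call of the burst, well before the cap is reached, which is the point at which a carrier could contact the customer.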