Slashdot Mirror


Hacked Business Owner Stuck With $52k Phone Bill

ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.


  1. Bulgaria? by onehitwonder · · Score: 3, Interesting

    Shouldn't the telecom provider be able to identify the phone number(s) in Bulgaria that the hacker called? If a hacker is calling Bulgaria, I'd think there's probably some international crime or identity theft ring centered there that the phone company and government officials would want to know about. Either that, or the hacker was calling about the whereabouts of his mail-order bride.

    1. Re:Bulgaria? by OhPlz · · Score: 3, Interesting

      $50k is a lot to you or me, but sadly it's not enough to interest the authorities. I've been there. We knew the street corners in various cities where these guys operated, times of day, we could even detect when they were active. Occasionally the FBI would take our info but we never heard that anything ever came of it.

      I can understand it. Nothing tangible was stolen. The business is in one location, the crime can be geographically far away. Why does NYC care about some small company in some town they've never heard of? Even if they caught the guys, it's going to be a difficult case to prove. You'd have to catch them with their lists or catch them selling to an informant. Even then, could you tie them to other thefts on different days? I don't know.

      Are they going to be able to recover anything? Probably not. I'd bet these guys are working for someone else. The best you can do is lock them up, and the someone else will simply hire someone else.

      Finally, the losers in these cases are somewhat to blame. The company in this story didn't secure their phone system. They didn't monitor it either. It's one thing to ask why the telco wasn't watching for fraud, but why wasn't this company either? Why didn't their switch throw up a red flag?

      In cases I've dealt with, we sold prepaid minutes online. It was too easy. Enter a credit card and we give you a PIN. Hello fraud opportunity. Doesn't surprise me at all that they didn't want to help find people taking advantage of our poorly thought out business plan. We did get rather good at detecting these situations real time though, both at time of sale and at time of use. They were clever, it was almost like reading "The Cuckoo's Egg". They'd find a way around almost every roadblock we put up, eventually.

  2. Not astonishingly surprising... by damn_registrars · · Score: 5, Interesting

    I don't find this surprising in perspective of what people in the service sector usually have for themselves.

    After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

    Hint - the mechanic's car is usually fixed last, if ever.

    In similar light I knew a cardiologist a few years back who died of heart failure.

    It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Not astonishingly surprising... by Spazztastic · · Score: 5, Interesting

      Or the old quote. The carpenter's house is always the one that is in least repair.

      Good point, their site runs SharePoint and the Site Settings prompt is open to the world.

      http://www.hub.ca/default.aspx

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:Not astonishingly surprising... by 222 · · Score: 3, Interesting

      I manage a Cisco CallManager cluster (now called Unified Communication Manager, but whatever) and the problem here is that this is such a trivial mistake. We have every device / extension that doesn't require outside access in an internal only calling search space, and this includes our Unity voicemail ports.

      I can't stress this enough; whoever was responsible for setting up this system seems to have ignored every best practice guide for deploying CallManager. I'd actually like to see their setup, just for curiosity's sake. I'd also have to recommend against using their consulting services :- )

      But as for the other stuff you said, I sort of agree. My network at home is an absolute cabling / design mess.
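
An added example, not part of 222's comment and not Cisco tooling: a small audit that models the calling search space arrangement described above and reports any device that should be internal-only but can still reach an off-net route pattern. The partition, calling search space and device names, the patterns and the `INTERNAL_ONLY_ROLES` set are all constructed for illustration.

```python
# Constructed dial-plan model (not exported from any real system).
# Partition -> route patterns it holds; off_net marks patterns that leave the PBX.
PARTITIONS = {
    "PT_Internal": [{"pattern": "2XXX", "off_net": False}],
    "PT_Local":    [{"pattern": "9.[2-9]XXXXXX", "off_net": True}],
    "PT_Intl":     [{"pattern": "9.011!", "off_net": True}],
}

# Calling search space -> ordered list of partitions it may dial into.
CSS = {
    "CSS_InternalOnly": ["PT_Internal"],
    "CSS_Unrestricted": ["PT_Internal", "PT_Local", "PT_Intl"],
}

# Device -> (role, assigned calling search space).
DEVICES = {
    "Unity-VM-Port-1": ("voicemail", "CSS_InternalOnly"),
    "Unity-VM-Port-2": ("voicemail", "CSS_Unrestricted"),  # misconfigured
    "LobbyPhone":      ("lobby",     "CSS_Unrestricted"),  # misconfigured
    "Desk-2001":       ("user",      "CSS_Unrestricted"),  # needs outside access
}

# Assumption: roles that do not require outside access.
INTERNAL_ONLY_ROLES = {"voicemail", "lobby"}


def reachable_off_net(css_name, css=CSS, partitions=PARTITIONS):
    """Return (partition, pattern) pairs that leave the PBX from this CSS."""
    hits = []
    for part in css.get(css_name, []):          # unknown CSS reaches nothing
        for rp in partitions.get(part, []):
            if rp["off_net"]:
                hits.append((part, rp["pattern"]))
    return hits


def audit(devices=DEVICES):
    """Map each internal-only device to the off-net patterns it can dial."""
    findings = {}
    for name, (role, css_name) in devices.items():
        if role not in INTERNAL_ONLY_ROLES:
            continue                             # outside access is expected
        hits = reachable_off_net(css_name)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for dev, hits in audit().items():
        print(f"{dev}: can reach {hits}")
```
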

  3. Good luck with MTS. Seriously. by Abstrackt · · Score: 5, Interesting

    I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  4. If the phone company wants to charge... by gandhi_2 · · Score: 3, Interesting
    ...then they should be legally liable for selling stolen goods.

    The phone bill is exactly stolen services....and for the phone company to sell that should be illegal.

  5. Re:ScuttleMonkey doesn't even read TFS by morgan_greywolf · · Score: 4, Interesting

    ScuttleMonkey probably just hasn't figured out that, as far as the telcos are concerned, everything on the INSIDE of the drop is the customer's problem, everything on the OUTSIDE of the drop is the phone company's problem, unless the customer has specifically hired the phone company to handle the customer premises equipment. And more and more phone companies aren't doing that anymore.

  6. Re:bewildering... by snspdaarf · · Score: 4, Interesting

    Agreed. When our receptionist got hacked, and was doing call transfers to "9", AT&T picked up on the outbound calls as unusual and called us. They shut down the calls and canceled the charges. We own our switch, and there was none of this silly dance that MTS is doing.

    --
    Why, without your clothes, you're naked, Miss Dudley!
  7. Re:ScuttleMonkey doesn't even read TFS by spazdor · · Score: 3, Interesting

    Credit card companies do things like monitoring your usage habits, and calling you when you deviate wildly from them in order to make sure everything is legit and froody.

    This is a useful and profitable thing for them to be doing, since when things turn out not to be legit and froody, the credco is sometimes on the hook themselves for a lot of money.

    It is not as useful or profitable for a telco to do the same, because they charge money for a "service" that it costs them next to nothing to render. If the customer accidentally runs up a huge bill, then the dilemma is different: if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

    --
    DRM: Terminator crops for your mind!
  8. Re:1-900... by gandhi_2 · · Score: 5, Interesting
    I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

    Let me assure you, none of us had ever seen so many gorgeous women in one place.

  9. Re:WTF? by mewsenews · · Score: 5, Interesting

    Some context from a native of Winnipeg:

    MTS is our AT&T, it's the big bad phone company. I believe it's the second largest company in our province, behind the power company. HUB is a tiny business that I had never heard of. This is very much a David vs. Goliath thing, the HUB guy wants MTS to go easy on the bill because they have money. MTS has dropped all responsibility because it's not their equipment that was hacked, but this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

    The HUB guy will have to lay off one of his staff unless MTS goes easy on this bill. His only method of leverage on MTS is to speak to the newspaper. That's the reason he's risking public embarrassment.

  10. When can we start executing hackers? by tjstork · · Score: 3, Interesting

    Everyone here seems to have this blame the victim for getting hacked, but, why should we have to do this security stuff at all? Why can't we just execute the criminals? Everything is all about put up shields, pay tons of money for security, and it's as if the criminals have more of a right to our systems than we do. Enough already. This guy shouldn't have to pay any money at all, regardless of whether he had the shields up, or not. People ought to be able to have a relative sense of security about themselves, and if we have to behead 50,000 convicted hackers and identity thieves and hang their bloated corpses off of bridges as an example to others, then, let's get on with it.

    Death to hackers, that's the best security policy that any country could have.

    --
    This is my sig.
  11. Re:ScuttleMonkey doesn't even read TFS by Richard_at_work · · Score: 3, Interesting

    if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

    This is a myth - when the phone company does not originate and terminate the call themselves, they get charged by the companies they pass the call on to to have it terminated. In many situations, the large phone companies agree to call it quits as they carry roughly the same amount of each other's calls, but in international call markets, these agreements are much rarer.

    So yes, potentially (in reality, quite likely in this case) there is a real cost to the phone company if they do not collect on the bill.

  12. Re:WTF? by jlarocco · · Score: 4, Interesting

    I think you're jumping to conclusions - the article doesn't give enough information to say whether it should be embarrassing or not. Clearly if he set up the system himself using Asterisk or something, and setting up PBX systems is a service he sells, it's pretty embarrassing. The article doesn't say that, though.

    He could have bought the PBX system from a third party, and had them set it up. But the article doesn't say he did that, either. In that case he should probably sue that company for not securing their product.

    All the article says is that he wasn't renting the equipment from the phone company.

  13. Re:The phone company? by Ironica · · Score: 4, Interesting

    Why should the phone company be responsible for their customer's incompetence?

    If they installed it... maybe... but they didn't.

    Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.

    Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)

    So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...

    --
    Don't you wish your girlfriend was a geek like me?