Slashdot Mirror


Hacked Business Owner Stuck With $52k Phone Bill

ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.

79 of 300 comments

  1. WTF? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

    "Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"

    1. Re:WTF? by Spazztastic · · Score: 4, Funny

      Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

      Perhaps he's now offering super-low-discount services and this is just an elaborate advertising campaign?

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:WTF? by Warll · · Score: 4, Funny

      So what you're saying is that his plan is something like this:
      1. Get hacked
      2. Tell the press
      3. ?????
      4. Profit!

    3. Re:WTF? by Anonymous Coward · · Score: 3, Funny

      ** Caution: Low-flying Wooshes **

      This is an alert of the emergency joke-casting system. Sarcasm detectors in your area have detected low-flying wooshes. This alert is in effect for the entirety of this thread.

      Repeat.

      This is an alert of the emergency joke-casting system. Sarcasm detectors in your area have detected low-flying wooshes. This alert is in effect for the entirety of this thread.

    4. Re:WTF? by oldspewey · · Score: 4, Informative

      I thought the Streisand effect was when somebody doesn't want information to become public, and by acting to suppress it they generate publicity.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    5. Re:WTF? by mewsenews · · Score: 5, Interesting

      Some context from a native of Winnipeg:

      MTS is our AT&T, it's the big bad phone company. I believe it's the second largest company in our province, behind the power company. HUB is a tiny business that I had never heard of. This is very much a David vs. Goliath thing, the HUB guy wants MTS to go easy on the bill because they have money. MTS has dropped all responsibility because it's not their equipment that was hacked, but this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

      The HUB guy will have to lay off one of his staff unless MTS goes easy on this bill. His only method of leverage on MTS is to speak to the newspaper. That's the reason he's risking public embarrassment.

    6. Re:WTF? by jlarocco · · Score: 4, Interesting

      I think you're jumping to conclusions - the article doesn't give enough information to say whether it should be embarrassing or not. Clearly if he set up the system himself using Asterisk or something, and setting up PBX systems is a service he sells, it's pretty embarrassing. The article doesn't say that, though.

      He could have bought the PBX system from a third party, and had them set it up. But the article doesn't say he did that, either. In that case he should probably sue that company for not securing their product.

      All the article says is that he wasn't renting the equipment from the phone company.

    7. Re:WTF? by poot_rootbeer · · Score: 4, Insightful

      this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

      The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.

    8. Re:WTF? by Registered Coward v2 · · Score: 3, Informative

      this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

      The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.

      I agree fully with that statement. I worked for a small company (400 people) and our telecom folks watched the usage patterns like a hawk, and stopped several hack attempts cold. The only one I know of that they didn't stop was one where a calling card number was shoulder surfed; and they kept getting either no answer or VM at the phone company's fraud desk. The phone company ate that bill.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    9. Re:WTF? by fm6 · · Score: 2, Insightful

      He's reporting a $50,000 fraud. Exactly how does one go about keeping that out of the news?

    10. Re:WTF? by Dan541 · · Score: 2, Insightful

      By not reporting it, sometimes you need to decide what's more important. $50k or your business.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    11. Re:WTF? by Dan541 · · Score: 2, Interesting

      His company cannot have been very successful (or big) if it is worth less than $50k.

      I wouldn't ignore a $50k phone bill I would pay it, I'm not rich enough to not pay it. I'm also not rich enough to damage my company's reputation by exposing incompetence.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    12. Re:WTF? by socsoc · · Score: 2, Insightful

      Yeah, because many small businesses have $50k in liquid assets just waiting to pay to a utility.

      I'm not saying that he isn't responsible, but your reasoning is a bit off.

  2. ScuttleMonkey doesn't even read TFS by mugnyte · · Score: 3, Informative

    Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

        Dude, it wasn't the phone company's equipment - hence the "outrageous" charge to the consumer.

    1. Re:ScuttleMonkey doesn't even read TFS by morgan_greywolf · · Score: 4, Interesting

      ScuttleMonkey probably just hasn't figured out that, as far as the telcos are concerned, everything on the INSIDE of the drop is the customer's problem, everything on the OUTSIDE of the drop is the phone company's problem, unless the customer has specifically hired the phone company to handle the customer premises equipment. And more and more phone companies aren't doing that anymore.

    2. Re:ScuttleMonkey doesn't even read TFS by spazdor · · Score: 3, Interesting

      Credit card companies do things like monitoring your usage habits, and calling you when you deviate wildly from them in order to make sure everything is legit and froody.

      This is a useful and profitable thing for them to be doing, since when things turn out not to be legit and froody, the credco is sometimes on the hook themselves for a lot of money.

      It is not as useful or profitable for a telco to do the same, because they charge money for a "service" that it costs them next to nothing to render. If the customer accidentally runs up a huge bill, then the dilemma is different: if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

      --
      DRM: Terminator crops for your mind!
    3. Re:ScuttleMonkey doesn't even read TFS by michaelwv · · Score: 4, Insightful

      "It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.

    4. Re:ScuttleMonkey doesn't even read TFS by Richard_at_work · · Score: 3, Interesting

      if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

      This is a myth - when the phone company does not originate and terminate the call themselves, they get charged by the companies they pass the call on to to have it terminated. In many situations, the large phone companies agree to call it quits as they carry roughly the same amount of each other's calls, but in international call markets, these agreements are much rarer.

      So yes, potentially (in reality, quite likely in this case) there is a real cost to the phone company if they do not collect on the bill.

    5. Re:ScuttleMonkey doesn't even read TFS by eonlabs · · Score: 2, Interesting

      It gets better,
      consider the fact that nowadays, modern cellphone companies allow you to email to a phone number.
      If you don't have an unlimited call plan, receiving messages in this way costs the receiver for
      every message received. Combine this with a gentle DDOS attack that doesn't break the server routing
      to the phone in question and?

      Why does it cost money to put blocking on these services?

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    6. Re:ScuttleMonkey doesn't even read TFS by spazdor · · Score: 2, Interesting

      That is true, but the transit fees carriers pay to each other for this kind of traffic are often smaller than the amount billed to the end-users by an order of magnitude or more.

      --
      DRM: Terminator crops for your mind!
    7. Re:ScuttleMonkey doesn't even read TFS by NeuralAbyss · · Score: 2, Insightful

      The real issue there is that receiving a message, with no way to block it, costs the recipient money.

      In what sort of world does that make sense?

    8. Re:ScuttleMonkey doesn't even read TFS by mysidia · · Score: 2, Interesting

      Why should it be any different? Is my ISP responsible for ensuring I have WPA properly configured on my wireless router to ensure my neighbor doesn't leech my bandwidth and cost me extra charges because I've gone over my monthly limit?

      Your ISP should offer you an option of not allowing you to exceed a certain monthly limit.

      I.e. to turn off the connection, or throttle you down after a certain point.

      Phone companies should provide a similar option.

      i.e. If I never want to allow my monthly phone bill to exceed $200... I should be able to establish that limit.

      And once exceeded, they will disallow any actions that would cause the limit to be exceeded (without me calling them and authorizing a change).

  3. Bulgaria? by onehitwonder · · Score: 3, Interesting

    Shouldn't the telecom provider be able to identify the phone number(s) in Bulgaria that the hacker called? If a hacker is calling Bulgaria, I'd think there's probably some international crime or identity theft ring centered there that the phone company and government officials would want to know about. Either that, or the hacker was calling about the whereabouts of his mail-order bride.

    1. Re:Bulgaria? by OhPlz · · Score: 5, Informative

      Often times, the thief sells calls at clusters of payphones in low income urban areas. The calls are made to wherever the immigrants in the area came from. These rings have phone systems like this that they hijacked, stolen prepaid phone card lists, stolen credit card lists that they can use to place calls, and so on. This is where a lot of phishing leads to. If they think anyone is on to them, they can just walk away. The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough. It's a great scam because it's easy and they don't have to risk taking delivery of anything. The minutes turn into cash.

    2. Re:Bulgaria? by Frosty Piss · · Score: 2, Insightful

      The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough.

      $50K not high enough? Huh.

      But anyway, given that it can't have cost the Canadian telecom anywhere *near* $50K, and it was clearly fraud, shouldn't they prorate this guy's bill to *cost* or a little more? Demanding the full $50K is unfair.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Bulgaria? by OhPlz · · Score: 3, Interesting

      $50k is a lot to you or me, but sadly it's not enough to interest the authorities. I've been there. We knew the street corners in various cities where these guys operated, times of day, we could even detect when they were active. Occasionally the FBI would take our info but we never heard that anything ever came of it.

      I can understand it. Nothing tangible was stolen. The business is in one location, the crime can be geographically far away. Why does NYC care about some small company in some town they've never heard of? Even if they caught the guys, it's going to be a difficult case to prove. You'd have to catch them with their lists or catch them selling to an informant. Even then, could you tie them to other thefts on different days? I don't know.

      Are they going to be able to recover anything? Probably not. I'd bet these guys are working for someone else. The best you can do is lock them up, and the someone else will simply hire someone else.

      Finally, the losers in these cases are somewhat to blame. The company in this story didn't secure their phone system. They didn't monitor it either. It's one thing to ask why the telco wasn't watching for fraud, but why wasn't this company either? Why didn't their switch throw up a red flag?

      In cases I've dealt with, we sold prepaid minutes online. It was too easy. Enter a credit card and we give you a PIN. Hello fraud opportunity. Doesn't surprise me at all that they didn't want to help find people taking advantage of our poorly thought out business plan. We did get rather good at detecting these situations real time though, both at time of sale and at time of use. They were clever, it was almost like reading the "Cuckoo's Egg". They'd find a way around almost every roadblock we put up, eventually.

  4. Why would they do that? by GrenDel Fuego · · Score: 5, Informative

    This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

    As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.

    Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.

    http://www.schneier.com/blog/archives/2007/01/information_sec_1.html

    http://www.schneier.com/blog/archives/2006/03/credit_card_com.html

    http://www.schneier.com/blog/archives/2005/10/preventing_iden.html

  5. Not astonishingly suprising... by damn_registrars · · Score: 5, Interesting

    I don't find this surprising in perspective of what people in the service sector usually have for themselves.

    After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

    Hint - the mechanic's car is usually fixed last, if ever.

    In similar light I knew a cardiologist a few years back who died of heart failure.

    It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Not astonishingly suprising... by jellomizer · · Score: 3, Insightful

      Or the old quote.
      The Carpenters house is always the one that is in least repair.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Not astonishingly suprising... by That's Unpossible! · · Score: 2, Insightful

      After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

      Hint - the mechanic's car is usually fixed last, if ever.

      Care to try and back that statement up?

      I happen to work in the automotive repair industry. Good automotive techs know better than most that it's far cheaper to maintain their vehicle than it is to repair damage later.

      --
      Ironically, the word ironically is often used incorrectly.
    3. Re:Not astonishingly suprising... by Spazztastic · · Score: 5, Interesting

      Or the old quote. The Carpenters house is always the one that is in least repair.

      Good point, their site runs Sharepoint and the Site Settings prompt is open to the world.

      http://www.hub.ca/default.aspx

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:Not astonishingly suprising... by the jalapeno · · Score: 3, Funny

      Or the old quote. The Carpenters house is always the one that is in least repair.

      Or the town barber is always the one with the worst haircut..

    5. Re:Not astonishingly suprising... by 222 · · Score: 3, Interesting

      I manage a Cisco CallManager cluster (now called Unified Communication Manager, but whatever) and the problem here is that this is such a trivial mistake. We have every device / extension that doesn't require outside access in an internal only calling search space, and this includes our Unity voicemail ports.

      I can't stress this enough; whoever was responsible for setting up this system seems to have ignored every best practice guide for deploying CallManager. I'd actually like to see their setup, just for curiosity's sake. I'd also have to recommend against using their consulting services :- )

      But as for the other stuff you said, I sort of agree. My network at home is an absolute cabling / design mess.

    6. Re:Not astonishingly suprising... by larry bagina · · Score: 2, Funny

      [citation needed]

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    7. Re:Not astonishingly suprising... by D Ninja · · Score: 2, Interesting

      That's kind of sad, in my opinion. I work in the computer industry and my own computers and network are, at the very least, up-to-date and maintained well. (I don't claim to be a security expert...but there are some basic things that you can do.)

      Same with any doctor I visit (he better look like he's in good health, at least), my mechanic I use (he's fanatical about how he takes care of his car), etc.

      People who just have a "job" won't want to continue doing their job after they are finished for the day. People who love what they do, will continue what they do, even after they are finished with their hours at the end of the day. Those are the people you want working for you and providing services.

    8. Re:Not astonishingly suprising... by he-sk · · Score: 4, Funny

      Great work! Not only is he stuck with a 50k phone bill, but now his internet bill will skyrocket as well thanks to the slashdotting of his site.

      Are you his competitor by any chance?

      --
      Free Manning, jail Obama.
    9. Re:Not astonishingly suprising... by Anonymous Coward · · Score: 5, Funny

      [citation needed]

      Will this do?

    10. Re:Not astonishingly suprising... by Raistlin77 · · Score: 4, Funny

      This does not really have the same meaning as the others because giving yourself a haircut is more difficult than giving another person a haircut.

      So is open heart surgery...

    11. Re:Not astonishingly suprising... by ralf1 · · Score: 4, Funny

      The Carpenter's house is the one with the really skinny dead chick in it.

      --
      "Would you, could you, with a goat?" Dr Seuss
    12. Re:Not astonishingly suprising... by Myrddin Wyllt · · Score: 2, Insightful

      Either you don't know any mechanics personally, or the mechanics you deal with are shitty ones. I've seen engines so spotless that you can eat off them, with brand new bolts everywhere.

      That may be true when they start out - beautifully prepared and maintained, usually quite highly tuned, always immaculate; by the time they get to their mid-forties and are running their own business, working long hours to make ends meet, their own cars get just enough attention to keep running.

      My brother's first car was a beaut - Austin A35 with an MG Midget engine and a Marina back axle - hundreds of hours of work just for the joy of it. That was followed by a stream of Escort Mexicos and RS200s. As the years have passed, his own cars have become just a means of transport - minimal maintenance to keep them running then scrap 'em. Maybe he's a shitty mechanic, but since he used to service crew for WRC teams, maybe not - perhaps he's just a family man who would rather spend his spanner time putting food on the table.

      --
      [ ]Half Empty [ ]Half Full [x]Twice as big as it needs to be
  6. 1-900... by curtix7 · · Score: 4, Funny

    I hear Bulgaria has the best phone sex lines confirm/deny?

    1. Re:1-900... by Servo · · Score: 3, Funny

      Only one way to find out!

      --
      A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
    2. Re:1-900... by gandhi_2 · · Score: 5, Interesting

      I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

      Let me assure you, none of us had ever seen so many gorgeous women in one place.

    3. Re:1-900... by LandDolphin · · Score: 4, Funny

      Of course, you came from Utah.

      --
      Spelling and Grammar errors have been added to this post for your enjoyment
    4. Re:1-900... by JohnnyLocust · · Score: 2, Funny

      I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

      Let me assure you, none of us had ever seen so many gorgeous women in one place.

      Insert polygamy joke here ->

  7. The phone company? by Tdawgless · · Score: 2, Insightful

    Why should the phone company be responsible for their customer's incompetence? If they installed it... maybe... but they didn't. Now, as far as a compassion standpoint... the company should at least help out some.

    1. Re:The phone company? by Ironica · · Score: 4, Interesting

      Why should the phone company be responsible for their customer's incompetence?

      If they installed it... maybe... but they didn't.

      Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.

      Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)

      So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...

      --
      Don't you wish your girlfriend was a geek like me?
    2. Re:The phone company? by Raistlin77 · · Score: 2, Informative

      Why should the phone company be responsible for their customer's incompetence?

      If they installed it... maybe... but they didn't.

      Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.

      Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)

      So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...

      Pfff. Florida Power & Light happily and without any warning sent me a $500 bill the month after a neighbor in the triplex I lived in had been stealing power from an outside outlet via extension cord. My usual bill was about $125/mo.

      Lucky for me my landlord was nice enough to eat the difference since it was his tenant. The guy was kicked out shortly after paying rent the following month. Needless to say, FPL didn't give a shit, like they typically never do.

    3. Re:The phone company? by tompaulco · · Score: 2, Interesting

      And yet when it is the monopoly's fault that something went wrong, they still bill the customer. The Church across the street is undergoing construction, and the gas company had to upgrade the gas pipe in the area to accommodate. They shut off our gas with no warning, then posted a note giving us a number to call to get the gas back on. I called the number and they gave me a day three days in the future when they would come by to turn it on and I needed to be home between 8 and 5. They didn't show. I called them every 10 minutes between then and 7 (when their phone operators stopped answering) and got various responses indicating first that he was on his way, then later that he had never been on his way and that he was at another work site. And finally, just before 7, they said he would be there in ten minutes. At about 8:40, he came by to turn it on. Then they found that their meter had not been working properly and was underreporting my usage. They put in a new meter. On my next bill, it was about 10 times the normal amount because they estimated my usage that their meter failed to account for. One week later, they cut my gas off again, and left a note again, which I found at about 6 PM when I got home from work. I had plans to go out of town for the weekend. I called them up and said they needed to get there by 7 as I was going out of town. They said they were unable to do that, but would be happy to schedule someone to come out on Monday. I replied that I was going camping and would very much like to come back and have a warm shower before going to work on Monday. They said there was nothing I could do. I asked them if there was another gas company that they could put me in contact with (of course there is not). So I had to stay home from work AGAIN on that Monday, and again they showed up after 5 PM, so I could have gone in to work.
      As mentioned before, despite having two interruptions to my gas service, lasting approximately 20% of the month, my normal monthly "connection" fee was exactly the same, and my "usage" fee was 10 times normal.
      Interestingly, the next month, it was back to its normal rate that it was before the "broken" meter was replaced. I think it was not really broken at all, but they just believed that I could not use that small amount of gas that I do.

      Another time, I had just moved to a small town. I selected AT&T as my long distance carrier. I selected a plan that was $0.10 a minute with no monthly fee and an international plan that was something like $0.16 a minute with a $4 a month fee. The next month, I got a bill for about $500, with long distance charges of $0.76 a minute and over $2 a minute for international calls. I called to inquire about this and they told me that I did not have a calling plan at all. I told them the specific name of the plan that I had been sold. They eventually found that I had requested that plan, but that it was not valid for my area, so rather than call and notify me, they just defaulted me to no plan at all. I asked them what they were going to do about the charges, and they said that all they could do was put me on this other plan, which was more expensive, and had more monthly fees and they would graciously split the difference between what I owed and what I would have owed if I had been using this new plan. I told them that what they needed to do was to go ahead and put me on the plan that I had been sold and charge me according to the rates I had been quoted. But they said they could not do that. I as a customer was responsible for their employee's mistake.
      Now, long distance telephone service was not a monopoly, so I could go to another carrier, however, if I didn't pay them, my phone service would be cut off, because it was billed through my local phone company, and they don't care whether you didn't pay the local or didn't pay the long distance. Either way, you didn't pay, so you are cut off.

      --
      If you are not allowed to question your government then the government has answered your question.
  8. Good luck with MTS. Seriously. by Abstrackt · · Score: 5, Interesting

    I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  9. bewildering... by Dzimas · · Score: 3, Insightful

    It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.

    1. Re:bewildering... by snspdaarf · · Score: 4, Interesting

      Agreed. When our receptionist got hacked, and was doing call transfers to "9", AT&T picked up on the outbound calls as unusual and called us. They shut down the calls and canceled the charges. We own our switch, and there was none of this silly dance that MTS is doing.

      --
      Why, without your clothes, you're naked, Miss Dudley!
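The report Dzimas describes in comment 9 (flag billing totals that are n times a customer's long-term average), as an added Python example that is not part of the original thread. The account names, dates, charges, the n=5 multiplier and the history and floor thresholds are constructed assumptions; the same check is also run on month-to-date totals to show the day a daily report would have fired.

```python
from collections import defaultdict
from statistics import mean

def sample_cdrs():
    """Constructed call records: (customer, 'YYYY-MM-DD', charge in dollars)."""
    cdrs = []
    for month in ("2009-01", "2009-02", "2009-03"):
        cdrs.append(("cust_a", f"{month}-10", 120.0))
        cdrs.append(("cust_a", f"{month}-20", 80.0))
        cdrs.append(("cust_b", f"{month}-15", 300.0))
    cdrs.append(("cust_b", "2009-04-15", 310.0))
    cdrs.append(("cust_a", "2009-04-02", 60.0))
    for day in range(3, 9):  # six days of unusually expensive outbound calls
        cdrs.append(("cust_a", f"2009-04-{day:02d}", 900.0))
    return cdrs

def monthly_totals(cdrs):
    """Sum charges per (customer, 'YYYY-MM')."""
    totals = defaultdict(float)
    for customer, day, charge in cdrs:
        totals[(customer, day[:7])] += charge
    return totals

def flag_spikes(cdrs, current_month, n=5.0, min_history=3, floor=50.0):
    """Return {customer: (current_total, baseline)} for accounts whose
    month-to-date total exceeds n times their average over earlier months."""
    totals = monthly_totals(cdrs)
    history = defaultdict(list)
    for (customer, month), total in totals.items():
        if month < current_month:
            history[customer].append(total)
    flagged = {}
    for customer, past in history.items():
        if len(past) < min_history:
            continue  # too little history for a stable baseline
        baseline = mean(past)
        current = totals.get((customer, current_month), 0.0)
        # floor keeps very small accounts from alerting on a few dollars
        if current > max(n * baseline, floor):
            flagged[customer] = (round(current, 2), round(baseline, 2))
    return flagged

def first_alert_day(cdrs, customer, current_month, n=5.0, floor=50.0):
    """Day on which a daily run of the same check would first have fired."""
    totals = monthly_totals(cdrs)
    past = [t for (c, m), t in totals.items() if c == customer and m < current_month]
    if not past:
        return None
    threshold = max(n * mean(past), floor)
    running = 0.0
    for day, charge in sorted((d, ch) for c, d, ch in cdrs
                              if c == customer and d[:7] == current_month):
        running += charge
        if running > threshold:
            return day
    return None

if __name__ == "__main__":
    print(flag_spikes(sample_cdrs(), "2009-04"))
    print(first_alert_day(sample_cdrs(), "cust_a", "2009-04"))
```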
  10. Some Math by Anonymous Coward · · Score: 4, Insightful

    Let's assume these calls cost $3.00 for a minute.

    $56,000 / 3.00 = 18667 Minutes.

    18667 / 60 (min/hr) = 311 Hrs.

    So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??

    ($3.00 is an assumption as I have no idea what actual international rates are)

    Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.

    1. Re:Some Math by LackThereof · · Score: 3, Insightful

      Well, there are three reasons I can see.

      This company probably didn't have an international calling plan of any sort, so they were stuck paying whatever obscene rate the local phone company charges for international calls, a la carte.

      Also, the phreakers probably had multiple lines in action at any given time, so it wouldn't have taken too terribly long to rack up a large number of minutes.

      Lastly, HUB probably didn't notice that anything was going on, until they got the paper bill in the postal mail. With a monthly billing cycle, plus an extra two or three weeks to receive the bill after the end of the cycle (and then a few weeks past that for the accounts payable clerk to bring it to the attention of the owner), I can imagine that this slipped by unnoticed for a long time.

      --
      Legalize recreational marijuana. Seriously.
  11. Ha ha by DeadManCoding · · Score: 3, Insightful

    Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls? Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.

    --
    "The only constant in the universe is change." - Unknown author
    1. Re:Ha ha by Creepy+Crawler · · Score: 4, Insightful

      In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

      How is it not fraudulent behaviour to collect on services that amounted from theft?

    2. Re:Ha ha by Richard_at_work · · Score: 2, Insightful

      In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

      How is it not fraudulent behaviour to collect on services that amounted from theft?

      Because it should not be the service provider's responsibility to police their customers (come on guys, doesn't that sound awfully familiar?), especially when their customers can provide their own equipment and the service provider cannot legally force equipment limitations.

      In short, the telephone company in this instance did *exactly* what they were contracted to do - why the hell should they suffer (and they will suffer, they are out of pocket on the international termination charges) through no fault of their own?

      It's time the customer starts taking *some* responsibility. Secure your system or pay the penalty.

  12. Have Teleco Block Outgoing International Calls? by Zymergy · · Score: 4, Insightful

    Is there not a way to just block the ability to direct dial International Calls at the Phone company level? That way a calling card could be used to only dial international?
    If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?

    I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to be legally billed to you. I am not sure about US/Canadian telecom laws?

    If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
    I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.

    Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.

    1. Re:Have Teleco Block Outgoing International Calls? by GrenDel+Fuego · · Score: 4, Insightful

      If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).

      There's a difference between criminal liability and financial. You wouldn't be convicted of downloading child porn (or shouldn't be at least), but if your internet access was pay as you go, you may still be required to pay for the bandwidth used.

    2. Re:Have Teleco Block Outgoing International Calls? by athakur999 · · Score: 2, Informative

      The problem is, that 52K phone bill is not all going to this guy's phone company's coffers. They're going to pass on some amount of that to their upstream provider who will pass some amount on to someone else and on and on. It's not like the phone company can waive that 52K charge and nobody's hurt. The phone company still has to pay someone else for that call.

      Sorry, but I can't side with the guy in this case. He set up his own equipment instead of using the phone company's and that implies, in the absence of an agreement otherwise, that you're taking the responsibility to make sure it is set up correctly.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    3. Re:Have Teleco Block Outgoing International Calls? by Anonymous Coward · · Score: 3, Funny

      The phone company should protect their customers 'in good faith'.

      I know what all those phrases mean. I just never imagined I'd see them all together in one sentence like that.

    4. Re:Have Teleco Block Outgoing International Calls? by witherstaff · · Score: 2, Informative

      If you're in the US and you provide the last link then YOU ARE RESPONSIBLE. Welcome to the wonderful world of CALEA. By providing wifi you're at fault, plain and simple. It's one of the legal hassles of anyone providing wifi.

      Having helped with similar problems like this I can give a few case studies. The best I can say is you WILL be responsible until they figure out it wasn't you. But you may very well have months of sleepless nights.

      I had RIAA send a notice about one of my client IPs putting a pre-release CD up on IRC. They sent the scary legal pre-format letter spelling out doom and gloom. The client was found to have a trojan allowing the system to upload the info. All steps were documented, screenshots, and sent back to lawyer. No further contact so it must have been enough for them. Overall I found this more amusing than anything.

      I know someone who was investigated for child porn. He had an unsecured wifi unit living along a busy road. The police swooped in and took all the computers in his home. They grilled him on "having found some child porn videos on one computer". He kept asking for outside experts to verify their claims. After a few months they finally returned all the equipment, said they were incorrect on having found anything, and agreed it must have been the open wifi. In the meantime he had months of utter stress from being lied to by police.

      Guilty until proven innocent is what you should expect.

  13. Why ask MTS for compensation? by e9th · · Score: 4, Insightful

    He should be looking to the company that installed the system for compensation, not MTS.

  14. If the phone company wants to charge... by gandhi_2 · · Score: 3, Interesting
    ...then they should be legally liable for selling stolen goods.

    The phone bill is exactly stolen services....and for the phone company to sell that should be illegal.

  15. Yay for 4-digit pins by MobyDisk · · Score: 4, Funny

    Davison has a four-digit password on the voice mail. That doesn't stop professional hackers, said Brett Rhodes, an expert in the field who runs SME Teleresources Inc. in Winnipeg.

    I once saw a web site with a list of all 4-digit pins on it. I mean like, every single one!!!! There must be... hundreds.. no... thousands of possibilities! Keeping or distributing such a list should be illegal.

    1. Re:Yay for 4-digit pins by dietdew7 · · Score: 2, Funny

      Oh crap! I'm going to have to change the combination on my luggage.

    2. Re:Yay for 4-digit pins by Anonymous Coward · · Score: 5, Funny

      Incorrect PIN number. You have 9998 tries remaining.

  16. I am in the same business by E.+Edward+Grey · · Score: 3, Informative

    ...and there is no, I mean, NO excuse for what this guy allowed to happen, from the perspective of a telephony engineer.

    Point #1: how weak is your security that an external entity can log in and gain access?

    Point #2: why in the world does his voice mail system have a class of service that allows outdialing? Typically a telephony engineer restricts the class of service on the ports connecting to the phone system so that they can only pass calls to the phone system itself, not to the outside world.

    This guy is unbelievably lazy, and the fact that he wants someone else to pay for his mistakes is insane. He fails at life.

    --

    ---don't make me break out my red pen.

  17. When can we start executing hackers? by tjstork · · Score: 3, Interesting

    Everyone here seems to have this blame the victim for getting hacked, but, why should we have to do this security stuff at all? Why can't we just execute the criminals. Everything is all about put up shields, pay tons of money for security, and it's as if the criminals have more of a right to our systems than we do. Enough already. This guy shouldn't have to pay any money at all, regardless of whether he had the shields up, or not. People ought to be able to have a relative sense of security about themselves, and if we have to behead 50,000 convicted hackers and identity thieves and hang their bloated corpses off of bridges as an example to others, then, let's get on with it.

    Death to hackers, that's the best security policy that any country could have.

    --
    This is my sig.
  18. Re:What's with the law? by IceCreamGuy · · Score: 2, Insightful

    Because the water company doesn't own the pipe six inches to the left, and the company that got their water hijacked was a "pipe security" company.

  19. Any lawyers out there? by NotQuiteReal · · Score: 2, Interesting

    This is an interesting legal point.

    It seems to me a lot of lawsuits come down to "what are the damages"?

    If someone steals a physical item, how is its value determined - retail or wholesale? The "actual damages" are a lot lower than the retail price of lots of things, but especially phone service.

    --
    This issue is a bit more complicated than you think.
  20. hmmmm by dissolved · · Score: 3, Insightful

    I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsibility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.

  21. Or..... by Weaselmancer · · Score: 4, Funny

    That's not because Bulgaria rocks - it's because you're from Utah.

    --
    Weaselmancer
    rediculous.
  22. Re:Good luck with MTS. Seriously. by despisethesun · · Score: 2, Interesting

    They're no different than any regional telecom giant. People in Alberta and BC can give you horror stories for days about dealing with Telus, and I imagine there are similar stories in Ontario and Quebec about Bell and Rogers. I deal with MTS Allstream pretty regularly as they sold us (and manage) our PBX and I don't have any major complaints, but then they actually have to compete out here.

    --
    This poo is cold.
  23. Happened to me for $14K by S-100 · · Score: 2, Informative

    I had a Panasonic key system and my employee left some default passwords in place. It was hacked to route incoming calls to a new outgoing line, and $14,000 worth of calls were made to Indonesia. It took many discussions with Verizon, threats back and forth, and some letters to the FCC to get Verizon to drop the charges.

  24. 1.33 Canadian Dollars per minute by linzeal · · Score: 2, Interesting

    It is rare for these agreements to even approach 3 cents a minute nowadays, phone cards are proof of that because they usually average about 1-2 cents profit per minute because the competition is brutal. The phone companies are charging sometimes 50 times the amount they pay. So did you get that, MTS is charging 1.33 Canadian and you can get phone cards for around 4 cents a minute US. So around 40,000 minutes of calls which would cost around 1500 bucks US they are trying to get him to pay around 45,000 US or about 30 times cost. Are people really that stupid to still be sticking with a land line when they won't even spit on your asshole before raping you?

    I have friends in Georgia, Russia and the Ukraine and I just use a cheap skype router and talk to them that way, it works better than the phone system. 90% of the people under the age of 35 in those countries do the same. So my question would be who were the calls to, who was making them and why can't they charge one of them?

  25. Spit? .... Luxury! by Anonymous Coward · · Score: 2, Funny

    The phone companies are charging sometimes 50 times the amount they pay. So did you get that, MTS is charging 1.33 Canadian and you can get phone cards for around 4 cents a minute US. So around 40,000 minutes of calls which would cost around 1500 bucks US they are trying to get him to pay around 45,000 US or about 30 times cost. Are people really that stupid to still be sticking with a land line when they won't even spit on your asshole before raping you?

    You are obviously basing this on your experience in the United States. Here in Canada it is much different. Our Telcos are regulated by the CRTC - and therefore they do not provide any such luxuries as "spit". They get right to the point.

  26. Re:Good luck with MTS. Seriously. by failedlogic · · Score: 2, Informative

    There's one easy solution to this. Call and threaten to cancel your service. Bell, Telus, Rogers all the same. Whomever you speak to first in 'Customer Service' will try to talk you out of it. Be persistent without actually canceling, unless you REALLY want to. In no time, you'll be transferred to another department. These are their customer saving or retention team people. They're there to save you from selling your soul to the competition. With these guys, you can get better and cheaper plans, better and faster service and every effort will be made to help you in the future. If you have some really mucked up billing issue save yourself the hundreds of phone calls: threaten to cancel. I almost guarantee it will be fixed in 2 business days and not 2 months.

    I just thought I'd share this information with others. I'm willing to bet our southern neighbours will enjoy this nugget too. If the big companies cannot provide good service, let their CEOs see how many people are threatening to cancel service. Shareholders wouldn't be too happy would they?

  27. Just Great..... by IHC+Navistar · · Score: 3, Funny

    Now some politician is going to start making us enter CAPTCHAs every time we want to make a call..... To protect us.....

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....