Slashdot Mirror


Hacked Business Owner Stuck With $52k Phone Bill

ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.

31 of 300 comments

  1. WTF? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

    "Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"

    1. Re:WTF? by Spazztastic · · Score: 4, Funny

      Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

      Perhaps he's now offering super-low-discount services and this is just an elaborate advertising campaign?

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:WTF? by Warll · · Score: 4, Funny

      So what you're saying is that his plan is something like this:
      1. Get hacked
      2. Tell the press
      3. ?????
      4. Profit!

    3. Re:WTF? by oldspewey · · Score: 4, Informative

      I thought the Streisand effect was when somebody doesn't want information to become public, and by acting to suppress it they generate publicity.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    4. Re:WTF? by mewsenews · · Score: 5, Interesting

      Some context from a native of Winnipeg:

      MTS is our AT&T, it's the big bad phone company. I believe it's the second largest company in our province, behind the power company. HUB is a tiny business that I had never heard of. This is very much a David vs. Goliath thing, the HUB guy wants MTS to go easy on the bill because they have money. MTS has dropped all responsibility because it's not their equipment that was hacked, but this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

      The HUB guy will have to lay off one of his staff unless MTS goes easy on this bill. His only method of leverage on MTS is to speak to the newspaper. That's the reason he's risking public embarrassment.

    5. Re:WTF? by jlarocco · · Score: 4, Interesting

      I think you're jumping to conclusions - the article doesn't give enough information to say whether it should be embarrassing or not. Clearly if he set up the system himself using Asterisk or something, and setting up PBX systems is a service he sells, it's pretty embarrassing. The article doesn't say that, though.

      He could have bought the PBX system from a third party, and had them set it up. But the article doesn't say he did that, either. In that case he should probably sue that company for not securing their product.

      All the article says is that he wasn't renting the equipment from the phone company.

    6. Re:WTF? by poot_rootbeer · · Score: 4, Insightful

      this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

      The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.

  2. Why would they do that? by GrenDel+Fuego · · Score: 5, Informative

    This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

    As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.

    Bruce Schneier refers to this as an externality, and had written about it a number of times in the context of credit card security and computer security.

    http://www.schneier.com/blog/archives/2007/01/information_sec_1.html

    http://www.schneier.com/blog/archives/2006/03/credit_card_com.html

    http://www.schneier.com/blog/archives/2005/10/preventing_iden.html

  3. Not astonishingly surprising... by damn_registrars · · Score: 5, Interesting

    I don't find this surprising in perspective of what people in the service sector usually have for themselves.

    After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

    Hint - the mechanic's car is usually fixed last, if ever.

    In similar light I knew a cardiologist a few years back who died of heart failure.

    It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Not astonishingly surprising... by Spazztastic · · Score: 5, Interesting

      Or the old quote. The Carpenter's house is always the one that is in least repair.

      Good point, their site runs Sharepoint and the Site Settings prompt is open to the world.

      http://www.hub.ca/default.aspx

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:Not astonishingly surprising... by he-sk · · Score: 4, Funny

      Great work! Not only is he stuck with a 50k phone bill, but now his internet bill will skyrocket as well thanks to the slashdotting of his site.

      Are you his competitor by any chance?

      --
      Free Manning, jail Obama.
    3. Re:Not astonishingly surprising... by Anonymous Coward · · Score: 5, Funny

      [citation needed]

      Will this do?

    4. Re:Not astonishingly surprising... by Raistlin77 · · Score: 4, Funny

      This does not really have the same meaning as the others because giving yourself a haircut is more difficult than giving another person a haircut.

      So is open heart surgery...

    5. Re:Not astonishingly surprising... by ralf1 · · Score: 4, Funny

      The Carpenter's house is the one with the really skinny dead chick in it.

      --
      "Would you, could you, with a goat?" Dr Seuss
  4. 1-900... by curtix7 · · Score: 4, Funny

    I hear Bulgaria has the best phone sex lines, confirm/deny?

    1. Re:1-900... by gandhi_2 · · Score: 5, Interesting

      I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

      Let me assure you, none of us had ever seen so many gorgeous women in one place.

    2. Re:1-900... by LandDolphin · · Score: 4, Funny

      Of course, you came from Utah.

      --
      Spelling and Grammar errors have been added to this post for your enjoyment
  5. Good luck with MTS. Seriously. by Abstrackt · · Score: 5, Interesting

    I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  6. Some Math by Anonymous Coward · · Score: 4, Insightful

    Let's assume these calls cost $3.00 for a minute.

    $56,000 / 3.00 = 18667 Minutes.

    18667 / 60 (min/hr) = 311 Hrs.

    So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??

    ($3.00 is an assumption as I have no idea what actual international rates are)

    Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.

  7. Have Telco Block Outgoing International Calls? by Zymergy · · Score: 4, Insightful

    Is there not a way to just block the ability to direct dial International Calls at the Phone company level? That way a calling card could be used to only dial international.
    If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?

    I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to be legally billed to you. I am not sure about US/Canadian telecom laws.

    If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
    I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.

    Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.

    1. Re:Have Telco Block Outgoing International Calls? by GrenDel+Fuego · · Score: 4, Insightful

      If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).

      There's a difference between criminal liability and financial. You wouldn't be convicted of downloading child porn (or shouldn't be at least), but if your internet access was pay as you go, you may still be required to pay for the bandwidth used.

  8. Why ask MTS for compensation? by e9th · · Score: 4, Insightful

    He should be looking to the company that installed the system for compensation, not MTS.

  9. Re:Ha ha by Creepy+Crawler · · Score: 4, Insightful

    In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

    How is it not fraudulent behaviour to collect on services that amounted from theft?

  10. Re:ScuttleMonkey doesn't even read TFS by morgan_greywolf · · Score: 4, Interesting

    ScuttleMonkey probably just hasn't figured out that, as far as the telcos are concerned, everything on the INSIDE of the drop is the customer's problem, everything on the OUTSIDE of the drop is the phone company's problem, unless the customer has specifically hired the phone company to handle the customer premises equipment. And more and more phone companies aren't doing that anymore.

  11. Re:bewildering... by snspdaarf · · Score: 4, Interesting

    Agreed. When our receptionist got hacked, and was doing call transfers to "9", AT&T picked up on the outbound calls as unusual and called us. They shut down the calls and canceled the charges. We own our switch, and there was none of this silly dance that MTS is doing.

    --
    Why, without your clothes, you're naked, Miss Dudley!
  12. Re:Bulgaria? by OhPlz · · Score: 5, Informative

    Often times, the thief sells calls at clusters of payphones in low income urban areas. The calls are made to wherever the immigrants in the area came from. These rings have phone systems like this that they hijacked, stolen prepaid phone card lists, stolen credit card lists that they can use to place calls, and so on. This is where a lot of phishing leads to. If they think anyone is on to them, they can just walk away. The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough. It's a great scam because it's easy and they don't have to risk taking delivery of anything. The minutes turn into cash.

  13. Yay for 4-digit pins by MobyDisk · · Score: 4, Funny

    Davison has a four-digit password on the voice mail. That doesn't stop professional hackers, said Brett Rhodes, an expert in the field who runs SME Teleresources Inc. in Winnipeg.

    I once saw a web site with a list of all 4-digit pins on it. I mean like, every single one!!!! There must be... hundreds.. no... thousands of possibilities! Keeping or distributing such a list should be illegal.

    1. Re:Yay for 4-digit pins by Anonymous Coward · · Score: 5, Funny

      Incorrect PIN number. You have 9998 tries remaining.

  14. Re:ScuttleMonkey doesn't even read TFS by michaelwv · · Score: 4, Insightful

    "It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.

  15. Or..... by Weaselmancer · · Score: 4, Funny

    That's not because Bulgaria rocks - it's because you're from Utah.

    --
    Weaselmancer
    rediculous.
  16. Re:The phone company? by Ironica · · Score: 4, Interesting

    Why should the phone company be responsible for their customer's incompetence?

    If they installed it... maybe... but they didn't.

    Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.

    Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)

    So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...

    --
    Don't you wish your girlfriend was a geek like me?