sundance-communications.com/forum Forums General General Telephone & Systems Information 800 Toll Free Phone Fraud?

To OCI We had one like your first suggestion up here as well. Story follows-----
CRTC tells Bell to pay bills run up by hackers

In a stinging decision, Bell Canada has been ordered to pay $581,638 for fraudulent calls made by ``hackers'' after it replaced human operators with machines.

The Canadian Radio-television and Telecommunications Commission said having human operators would have made the fraud ``virtually impossible''.

Bell has been slashing jobs, more than 12,000 in the past 2 1/2 years, and where possible replacing people with computers.

``The commission is of the view that where the telephone company makes such changes to its operating systems, it should make every effort to ensure that the changes do not increase the opportunities for fraud'', the CRTC decision stated.

Bell had wanted Rogers Cantel Inc. to pay because a teenage computer fraud artist known as Zap Phrog had set up Cantel voice mail boxes to tell Bell's automated attendant that these Cantel numbers would accept charges for third-party billing of long distance.

Once the hacker, who was 17 at the time, had set up the system, he alerted hackers all over North America via phone lines and electronic bulletin boards about the scheme for free calls, said Ian Angus, a telecommunications consultant and author of Phone Pirates.

Bell officials said they may or may not appeal the decision to the federal cabinet.

``Right now it is under review'', said Linda Gervais, Bell's vice-president of government relations.

``It is precedent-setting. We need to take a close look at this'', she said.

Angus said it sets a precedent because phone companies around the world have long won cases where the owner of the phone number is liable for fraudulent calls, not the phone company.

``The CRTC is saying otherwise and that Bell has failed to do its job'', Angus said. ``I am not aware of any other case like this.''

Here's how the scam worked:


Using a simple touch-tone phone, the hacker found two Cantel voicemail boxes and figured out the passwords.

Once in, the hacker changed the greeting on the voicemail to say ``Yes.''

Also using a touch-tone phone, the hacker would make long-distance calls through Bell's automated attendant so that the charges would be billed to the Cantel mailboxes.

Bell's computer would then phone the Cantel voicemail asking for verification that the long-distance call could be billed to that number.

Cantel's computer serving the voicemail would respond ``Yes.''

Bell would then charge the Cantel numbers with the calls.
``It was trivially easy'', Angus said. ``After word got out, it wasn't long until hundreds of thousands of dollars in calls were made.''

Len Katz, Cantel's senior vice-president, said the company is relieved by the decision because Bell has been adding late payment charges since the dispute began and the bill now exceeds $1 million.

The CRTC said Bell must credit Cantel's account for all charges, including late payment levies and taxes payable.

The CRTC came down unusually hard on Bell for making third-party billing from its own pay telephones go through live operators while not doing the same for Cantel and other customers.

``In the commission's view, it would be inappropriate for Bell to protect itself from fraud by restricting third-party billing to a live person for pay telephone calls while applying a different, less stringent standard -- i.e. acceptance by a machine -- such as to permit, as in Cantel's case, fraud to take place'', the CRTC said.

``Regarding Bell's position that it made every reasonable effort to protect Cantel once it learned of the fraud being conducted, the commission view is otherwise.''

Bell workers, while relieved at the CRTC's statements about the cautions of computers, fear Bell will use the decision to further the bad-news scenario it is painting within the company to slash jobs.

``It's a double-edged sword'', Bell union official Rory Hawes said.

``Management seems to take every bit of bad news to further plans to downsize.''

Experienced operators, he said, ``have a sixth sense to spot fraud artists on the line.''

The hacker, who cannot be named under the Young Offenders Act, was convicted on computer-fraud-related charges.

Oh!! I just remembered another step that I Made.

I tried to cancel my 800 phone # but my customers could not find me, Bell would not add a recording that changed my phone # even for a $100.00 service charge. I was forced to reinstate my original 800 phone #.They wanted to charge me another $125.00 to turn my 800 back on. Thank goodness it was taped that if they could not add the taped message that my # WAS CHANGED DON'T DO IT,but I was almost 2week without my toll free # before they found out they can't add that message

Thanks Leonard

I've made it a policy to delete all unused mailboxes and change the default administrative passwords on all v-mails I install. It's becoming common knowledge in the hacker communities the passwords for many mail systems.

There's no reason to make it even easier.

Bill.

TO Deltron:Quote "There's no reason to make it even easier." End Quote----I was not sure who you thought was making it easier?

If you are referring to my last post ,just before this one,Yes I did state how this scam was worked, but my information was taken almost verbatim from the Toronto Daily Star Newspaper.

Is it not better to warn persons that this can happen to them?

However ,if by that statement you meant, that by NOT deleting mailboxes and NOT changing the default administrative passwords on all v-mail that you install. It makes it easier for fraud and/or scams.

Then please forgive me for misunderstanding your post !! Leonard Chowns

I always advise customers to place non-trivial passwords on all voicemail boxes. I then tell the horror story about the time that I tried to get showtimes at the local theatre, and acidentally logged into their admin mailbox.

All passwords should be non-trivial. All passwords must be changed from default. When any person leaves the organization, all passwords to whcih they had access must be changed.