IT COULD NEVER HAPPEN TO ME
A REAL STORY:
A small business with three telephone lines goes about its business – until AT&T, that is not the telephone provider of the company, calls one day informing the company that there has been unusual telephone activity from their number and if they were aware of these calls. “Of course not!” the ATT operator is told. We never call outside the country.
That’s when they were told to expect their next bill to be a little ‘Out of the Ordinary’ --- once the bill was received, the original bill is normal, but there was an additional $28,107.92 of out of area calls!
AT&T was one of the carriers used by TELEPHONE PHREACKERS to break into this small business’ lines and make more than thousands of minutes of phone calls to Eastern Europe.
Suddenly a small business, trying to make a living, is thrust into a frenzy of activity and panic to stop these activities and ameliorate the charges and effects of this activity.
THE WARNING THAT CAME OUT VERY CLEARLY IS THAT PHREAKING (using knowledge about telephone systems to make calls at another’s expense) AND PHRACKING (combining phone and computer hacking) is virtually invisible and can hit ANYONE with a few telephone lines with voicemail access.
This article is meant to educate you sufficiently for you to take very low cost action that could save you tens of thousands of dollars and the severe agita that would accompany this action if it happened to you.
How to Know It Might Be Happening
Are you getting phone calls with no one on the line when you pick up? Many Freackers break into your system at night, but they are using computers to hit random phone numbers seeking entry and that could happen at any time.
Many of us have telephone systems that permit us to dial into our telephones from afar and listen to our voicemails. Without being too technical, the system allows you to open it with a series of tones (equivalent to a security code). Those same tones could be used to seize your voicemail system to dial OUT. A computer program simply dials number after number seeking a system that permits it to send back tones that will tell the host telephone system that it is a legitimate user. It takes a line and then uses it for 86,400 seconds a day (60 seconds X 60 Minutes X 24 Hours) to make calls. It is transparent to you. You go about your business. The only effect that you might feel is an occasional fast busy (exchange busy) signal when you try to make a call (because all of your lines are in use) and occasionally someone will call and tell you that all of your lines are continuously busy (because one or more of them have been seized for illegitimate use).
When Do You Find Out?
You might get lucky if a carrier (AT&T in this case) sees something unusual happening and calls you. Otherwise you had better be sitting down when you open your next phone bill. You may not get notified until your bill comes in the normal billing cycle.
What Do You Do?
IF YOU’VE BEEN HACKED,
1. The FIRST thing you do is begin a written log of your activities beginning the moment you are first informed of the problem.
2. Ask your phone service provider to block all international calls made from your phone system AND permit NO changes to your services orally – all changes must be made in writing on your letterhead by an authorized representative of your company.
3. If you have a relationship with a telephone consultant, (your PBX vendor who provided you the system and does your software and internal phone maintenance) have them put ‘1010 Block’ on all your lines
4. Ask your phone service provider or your phone software company to change the security password on all lines (in case the Phreaker already has it) AND add a four digit security code for any international calls (even if you’ve taken the action already to block international calls). This provides another level of security against robot-calling computers.
5. Send a letter on your letterhead as quickly as possible to your phone company’s Finance Department (to avoid collection calls), fraud department and customer service
a. Disputing the charges
b. Include copies of the invoices
c. Include proof (a letter on their letterhead or a copy of their bill for the service they provide to protect you) from your phone software company confirming the ‘timely’ steps you have taken to eliminate repetition of the problem.
6. Check subsequent bills in case the problem falls into additional months
7. Carefully check the Long Distance Provider – different from your normal phone company. Often these thieves use small, third-party long distance providers. You must dispute the charges directly to each third party long distance provider. Your primary phone company won’t do this for you!
8. Because some blocks only have a six month duration, repeat the security process above with the phone company with instructions to your software support company EVERY SIX MONTHS.
IF YOU’RE LUCKY ENOUGH TO BE READING THIS AND THINKING, “I FEEL BAD FOR THAT COMPANY, BUT THIS WOULD NEVER HAPPEN TO ME!”
Follow #’s 2, 3, 4 and 8, above and you’re less likely to have this happen to you.
What Could Happen if I Don’t Do This Due Diligence?
One medium sized business was hit with six-digit phone bills and failed to take action immediately. The phone companies would not abate their bills because they did NOT take action to avoid further occurrences. The company was forced into bankruptcy due to Phreaking.
Is This The Only Thing That Can Happen?
Unfortunately, no. Phracking is even more insidious than Phreaking. This combines the programed break-in of your phones to access your network. Even if the criminals have no use for the data in your system and even if they don’t just maliciously wipe your system clean, the value of most small businesses is in their e-mail system and contact list. Imagine someone taking your e-mail and every contact you have and using your and their e-mails to send Spam or worse to whomever they would like.
Have you ever gotten rejected e-mail sent to someone you don’t even know? Their server rejected it and your e-mail was listed as the sender. If so, congratulations, you’ve been HIJACKED. The worst that could happen is that your e-mail is blacklisted by one or more of several major e-mail distributors. That would shut you down and forbid you to send ANY e-mail from your address.
How Can I React To These Issues?
You can’t stop someone from trying to break into your systems any more than you can stop someone from breaking into your home or business. But like in home or business security, DILIGENCE is the correct answer. It doesn’t cost you money, but it requires you to stop overlooking these little indicators that something is wrong. The phone issues will rear their ugly heads imminently in your phone bills. But system break-ins can last for months without your knowledge (more than those nagging rejections that you have no idea why you are getting). Pay attention to the symptoms and you can shortcut and solve your problems before they overwhelm you.
A FINAL WARNING – This is a true story. This is a real problem. The small company involved is US! Total long distance charges in the two months = $32,000. We now have a procedure and a consultant who is on top of this for us and for any of our clients who need the service.