Phreaking Not Dead Yet

santos_douglas writes "From Wired comes this article about an exploit involving weak voicemail passwords and automated voice recognition systems for accepting collect calls. The providers involved, SBC and AT&T, don't seem too concerned about their customers receiving tens of thousands in fraudulent charges from places like Saudi Arabia and the Philippines."
  • by Lowen Na ( 648807 ) on Thursday April 17, 2003 @06:27PM (#5755157)
    We used to hit 9 three times in a row on the Nike 1-800 number to get a dial tone and make long distance phone calls on Nike's tab. Not really phreaking, but it was a phone system exploit.
    • by British ( 51765 ) <british1500@gmail.com> on Thursday April 17, 2003 @06:30PM (#5755184) Homepage Journal
      Here's what I did once.

      1. Hack a direct dial voice mail #(after hours business)
      2. Record the message "hello??.........Yes I'll accept"
      3. Call Long distance operator to do a 3rd party billing for a call, give voice mail # to bill to

      The call went through, regardless of the fact that the person calling her, and the person she called both had the same voice.
      • Sigh...

        From article:
        [Quote]
        Here's how the scam works: The default passwords that SBC issues to new users of their voicemail services are in a specific format and are easily guessed.

        If the default password is not changed after the system is set up, it's ripe for exploitation by malicious hackers, who have been breaking into SBC voicemail systems and replacing the owners' recorded greetings with recordings of a voice saying "yes" at appropriate intervals.
        [/Quote]

        So, "you did that once?"

        -dave-
    • but I know a certain phone company that got significant profit from such freaks.
    • I wish I was born 10 years earlier. Then I could have been cool too. But unfortunately my parents weren't thinking of me at that time. Stupid bastards.
    • Here is what I did once...

      I posted on a website how I scammed a large company.

      Then I got arrested.

  • by JUSTONEMORELATTE ( 584508 ) on Thursday April 17, 2003 @06:27PM (#5755158) Homepage
    IMHO, this is more a social engineering scam than phreaking. The telephone network is still operating perfectly normally, and the folks doing the hack aren't using any extraordinary control over the network.
    Interesting read, just the same.

    --
    • by Brigadier ( 12956 ) on Thursday April 17, 2003 @06:32PM (#5755202)


      For a second I thought this meant all my friends with dialers would start calling me long distance. I hated that every five minutes.

      please insert more money
      hang on dude (holding dialer to hand set)
      waiting as dialer mimics the sound of one quarter at a time
    • this is more social engineering scam than phreaking.

      No, the article says that people are attacking the system with the default password that SBC sets when the voicemail is installed.

      AT&T doesn't seem concerned because they are still charging people for the calls. (Gee, a 30% discount on a $10,000 phone call that a person did not make, how generous -sic.)

      SBC probably doesn't care because it makes their competitor (or future competitor depending on your state), AT&T, look bad to consumers when the

    • by Archfeld ( 6757 )
      is using a blind security system WITH no sort of verification. That is stupidly insecure and borderline criminal. As for not changing your SBC password, well DUH, sorry, I have NO SYMPATHY for anyone who would use an issued password.
  • by NETHED ( 258016 ) on Thursday April 17, 2003 @06:29PM (#5755166) Homepage
    Real phreaking is sneaking out of your parents' house at ungodly hours to clip into your neighbor's line, or to build a BlueBox and scream 2600 Hz down the handset. Those were the days.
    • by Anonymous Coward
      Yeah, one good thing about phreaking was that it got you OUT OF THE HOUSE! Unlike computer hacking (yeah, it's called hacking, not cracking. FOAD ESR!) that keeps you locked up indoors, although the invention of wardriving is thankfully changing that...
      • Yeah, one good thing about phreaking was that it got you OUT OF THE HOUSE!

        Well yeah, so does carjacking, volunteering for charity or skateboarding, but I don't think mom is gonna tell little Johnie to take his blue box and go outside and get some fresh air....
    • Wow! You too, huh?

      There was, and still is, great fun to be had with a 7/16" hex wrench.

      I'm not old enough to have played with the Blue Boxes, but I sure got my kicks from Red Boxing calls all over the planet, and screwing with the COSMOS system.
      • by Rinikusu ( 28164 )
        One of the more amusing things I've come across lately is that there's usually a telephone "access" box attached to the exterior of houses these days so the lineman can do some cursory checks without needing access to the interior. Standard jack on the "access" box, with no lock. Just walk up, plug in, dial away...
        • > box attached to the exterior of houses
          > Just walk up, plug in, dial away...

          and get shot by the homeowner who figures you are cutting the phones before robbing his house.
          I hope you have a "Plan B".

        • Even on older houses without that, it's pretty easy to strip off about 2 inches of the outer insulation and then use clips that can puncture the inner insulation without breaking the wire. 2 clips later you've got a dial tone. However, watch out for being seen......homes are usually a bit better guarded than pay phones :)
    • by unicron ( 20286 ) <unicron AT thcnet DOT net> on Thursday April 17, 2003 @07:15PM (#5755440) Homepage
      Back in my day we stole our lineman's headsets from the Ma Bell truck. None of this pussy catalog order shit you little whippersnappers got these days. And they were even touch-tone! They were rotary! I still have a rotary lineman's headset lying around here somewhere. The rotary wheel is made of cast iron, I shit you not. Thing weighs like 25 lbs and looks like the meanest bludgeoning weapon ever made.
      • by Waffle Iron ( 339739 ) on Thursday April 17, 2003 @08:42PM (#5756010)
        Thing weighs like 25 lbs and looks like the meanest bludgeoning weapon ever made.

        It was designed that way so that linemen could use it to beat the crap out of teenaged punks who they caught trying to steal their equipment.

      • Who the hell spends ungodly amounts on lineman's sets from catalogs? I think the cheapest "test set" in the telephony section of MCM was like $150. It's much easier and cheaper to either steal a real one, or make your own damn beige box with a cheap fone and some gator clips.
      • LOL. I've got two of those. The outside is thick plastic, inside everything is waterproofed. These were designed to last forever.

        I've also got a really old one with the outside encased in rubber, and little prongs on the tiny rotary mech, so you could dial even with gloves on, at the top of a pole in any weather.

        Dad was a lineman for MTS (Manitoba Telephone System). When he died I got all of this stuff, and a bunch of other cool stuff like climbing spikes and safety belts.

        Note to all: don't install a
      • Shit - I just took the wires and touched them together in succession to dial rotary style. ;)
  • by macshune ( 628296 ) on Thursday April 17, 2003 @06:29PM (#5755168) Journal
    It's just a flesh wound!
  • by dtolton ( 162216 ) on Thursday April 17, 2003 @06:29PM (#5755171) Homepage
    It seems like AT&T is directly at fault here, even though they are warning people to change their default password, this type of scam wouldn't be possible if they didn't have an automated system processing collect calls.

    Not only that, but AT&T is the one that chooses the default password, by picking something that is easily guessable they are doubly guilty of allowing this to happen.

    Only paying 30% of a scam like this is shameful.
    • by British ( 51765 ) <british1500@gmail.com> on Thursday April 17, 2003 @06:36PM (#5755236) Homepage Journal
      Then AT&T needs to decide if it costs less to issue a random factory-made default password or to handle the fraud costs.
    • Even worse (Score:3, Insightful)

      by zipwow ( 1695 )
      It's not just the fact that the system is automated that is causing the problem, it's the fact that the system is automated stupidly that causes problems.

      Why can other systems (telemarketers, for example) tell that you've got an answering machine, but the phone company's can't?

      And the article claims that they're happy with it that way:

      Diamond said AT&T has no plans to change the automated system, "which has proven to be extremely reliable for many, many years."

      I'll bet the people with the $12k bills

      • Re:Even worse (Score:5, Interesting)

        by Zirnike ( 640152 ) on Thursday April 17, 2003 @07:11PM (#5755415) Journal
        Even just a minor change would be good.

        Example: "You are about to accept a collect call. Do you accept?" (wait for 'yes', 'yep', 'uh-huh', whatever, interpret it, continue) "To verify, please say the following word: (random word from set A)" (verify)

        It wouldn't even take much effort. Suppose A includes 'toast', 'ummagumma', 'vacuum', 'moose', 'arbitrary', and of course, 'Forty-two'. They're all VERY distinctive, more so than 'nope' and 'yep', which they have to contend with anyway. Have, oh, 20 different lists, rotate them week to week (they're all on some server, not a problem there). Instantly secure. Well, not absolutely, but by an order of magnitude or 12.

        • > To verify, please say the following word: (random word from set A)

          This is similar to typing in a distorted word when signing up for a web site to prove you are a person and not a script.

          Isn't it interesting that we finally found a practical use for Turing Tests?
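The two-step acceptance Zirnike sketches above, as an added example that is not code from the original thread, AT&T or SBC: a small Python model of the weak "listen for yes" flow next to the challenge-word flow, each run against a simulated hijacked greeting and a simulated live callee. The word lists, prompts, affirmative set and listen count are assumptions made for the example.

```python
import secrets
from typing import Callable, List, Sequence, Set

# Assumed rotating challenge lists ("set A" and friends). Constructed for the
# example; a real deployment would use many longer lists rotated on a schedule.
CHALLENGE_LISTS: List[List[str]] = [
    ["toast", "moose", "arbitrary", "forty-two"],
    ["ummagumma", "vacuum", "lantern", "pelican"],
]

# Utterances the recognizer treats as acceptance (assumed set).
AFFIRMATIVES: Set[str] = {"yes", "yep", "uh-huh", "yeah", "i accept"}

MAX_LISTENS = 3  # how many times a prompt waits for an answer (assumed)

# A callee is anything that turns a prompt into an utterance: a live person
# or, in the attack described in the thread, a fixed recorded greeting.
Callee = Callable[[str], str]
RandBelow = Callable[[int], int]


def normalize(utterance: str) -> str:
    """Lower-case and collapse whitespace, as a recognizer's text output would."""
    return " ".join(utterance.lower().strip().split())


def pick_challenge(week: int, randbelow: RandBelow = secrets.randbelow) -> str:
    """Choose this week's list, then a random word from it."""
    words = CHALLENGE_LISTS[week % len(CHALLENGE_LISTS)]
    return words[randbelow(len(words))]


def heard_affirmative(callee: Callee, prompt: str) -> bool:
    """Re-prompt up to MAX_LISTENS times, accepting on the first affirmative."""
    for _ in range(MAX_LISTENS):
        if normalize(callee(prompt)) in AFFIRMATIVES:
            return True
    return False


def legacy_acceptance(callee: Callee) -> bool:
    """The weak design: a 'yes' heard at any listening interval accepts the
    charges, so a greeting that merely contains 'yes' passes."""
    return heard_affirmative(
        callee, "You have a collect call. To accept the charges, say yes.")


def challenge_acceptance(callee: Callee, week: int,
                         randbelow: RandBelow = secrets.randbelow) -> bool:
    """The proposed fix: an affirmative, then the callee must repeat a word
    chosen after the call is answered, which a pre-recorded greeting cannot
    know in advance (it can only guess, with odds of 1 in len(list))."""
    if not heard_affirmative(
            callee, "You are about to accept a collect call. Do you accept?"):
        return False
    word = pick_challenge(week, randbelow)
    spoken = normalize(callee(f"To verify, please say the following word: {word}"))
    return spoken == word


def static_greeting(segments: Sequence[str]) -> Callee:
    """Simulates a hijacked voicemail greeting: it plays the same recorded
    segments in order regardless of what the system asks, then silence."""
    queue = list(segments)

    def speak(_prompt: str) -> str:
        return queue.pop(0) if queue else ""
    return speak


def live_callee(prompt: str) -> str:
    """Simulates a person who actually listens: repeats a requested word,
    otherwise answers yes."""
    marker = "say the following word: "
    if marker in prompt:
        return prompt.split(marker, 1)[1]
    return "yes"


if __name__ == "__main__":
    recording = ["hello?", "...", "yes", "yes", "yes"]  # constructed greeting
    print("legacy accepts hijacked greeting:",
          legacy_acceptance(static_greeting(recording)))
    print("challenge accepts hijacked greeting:",
          challenge_acceptance(static_greeting(recording), week=3))
    print("challenge accepts live callee:",
          challenge_acceptance(live_callee, week=3))
```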

    • by stretch0611 ( 603238 ) on Thursday April 17, 2003 @06:47PM (#5755294) Journal
      It seems like AT&T is directly at fault here...
      ...Not only that, but AT&T is the one that chooses the default password

      Actually, SBC is at fault here. SBC is selling the voicemail system. SBC is setting the same default password for everyone.

      AT&T is at fault for allowing someone's voicemail to accept collect calls and also by billing people that never made the calls.

      Last, but not least, are the people that leave the default password on something.

    • (seems like Wired actually got /.ed?)

      We have had something like this happen at our company. The problem is not just the default password here...here is what happened (and yeah, this could be offtopic, but I found it interesting so maybe you will too)

      Precursors to the condition:

      1. We have multiple 800 numbers running into our phone bank.

      2. Phones may be set up to forward phone calls to a remote number, including numbers overseas, if the user has the 4-digit password. (Yes, we actually have a need for t
    • I am at a loss to take sides in this case. In my department, when you open a new email account, they assign the username and say that the password is the first 5 digits of your social security number.

      There are posters in the labs *strongly* advising one to change their password once they login for the 1st time. As far as I know it works just fine. If the user continues to use their social security no. and somebody hacks it, the user is totally at fault here.

      Since there is the question of huge monetary los
  • Phreaking (Score:5, Informative)

    by Cyno01 ( 573917 ) <Cyno01@hotmail.com> on Thursday April 17, 2003 @06:30PM (#5755178) Homepage
    For more about Fone Phreaking, check out the grand master... Phone Losers of America [phonelosers.org]
    • Re:Phreaking (Score:2, Informative)

      by moonbender ( 547943 )
      Short jargon file entry [hiroshima-u.ac.jp] on it. If you're bored some day, be sure to read the report/short story on phreaking in the Anarchist's Cookbook, it's quite entertaining.

      phreaking

      /freek'ing/ [from `phone phreak'] n. 1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls). 2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks) (see {cracking}). At one time phreaking was a semi-respectable activi

  • can't get the site up, you'd figure Wired could handle the traffic after only 7 posts
  • Losers (Score:4, Insightful)

    by blackmonday ( 607916 ) on Thursday April 17, 2003 @06:32PM (#5755198) Homepage
    Why wouldn't the providers be concerned? Let's see, because they might lose money? Hmm..
  • Not really new ... (Score:5, Informative)

    by Anonymous Coward on Thursday April 17, 2003 @06:32PM (#5755199)
    The basic idea being used here is *really* old, phreaks have been changing OGMs to "- pause - yes, we accept that collect call" and suchlike for ages. The novel aspect is that it's essentially automated, no SE'ing skills required to make a convincing message, due to AT&T and SBC being retards. Still amusing though.
  • by greenskyx ( 609089 ) on Thursday April 17, 2003 @06:33PM (#5755208)
    #1 --> "Victims say that AT&T and SBC know about the scam and are taking no concrete action to protect consumers from it."

    OR

    #2 --> "But AT&T spokesman Gordon Diamond said that AT&T has been instrumental in stopping the scam."

    CLUE :

    "Later Hatcher was told that AT&T would take 35 percent off her bill, but she'd have to pay $8,000"

    HMMMM.......
  • by Levine ( 22596 ) <levine@ g o a t s e . cx> on Thursday April 17, 2003 @06:33PM (#5755210) Homepage
    Users are given a brand new phone system, with some default password used to set voicemail messages. Users did not change that default password. Enterprising ne'er-do-wells realize this is going on, use the default password to change the voicemail greetings to "yes, yes, I will accept the charges, yes, yes" and proceed to make free collect calls.

    We have a classic case of stupid users.

    It's not that I don't feel for them. And I certainly think AT&T/SBC will start provisioning these systems with pseudorandom passwords as defaults. But if you don't change your password, and someone else finds out about it... that's no one's fault but your own.

    Should the people who did this be punished? Absolutely, they clearly broke the law. But now, maybe people will begin to realize that security isn't something that they can leave up to third parties -- it's something they need to take in their own hands, lest they find themselves $12,000 up shit creek and lacking any means of locomotion.

    levine
    • How difficult is it for SBC to employ a password scheme which isn't so easy to crack?

      While it is foolish for the user to not change his/her password, that pales in comparison to the blatant negligence on the part of the voicemail provider, who presumably has plenty of resources and expertise at their disposal, though obviously not evidenced in this fiasco.

      Whoever is responsible for this scheme at SBC should be fired. And SBC should be responsible for the victims' bills.
      • While you're clearly a troll, I hate to see this sort of crap go unchallenged.

        It is an industry standard in the telecom world to provide a blatantly obvious default password. As a poster mentioned below, cisco/cisco is pretty well known. I work for another large network equipment provider, and our default password is also our company name. Why? Because it saves us some headaches when we're doing initial installs, and it is the user's responsibility to ensure their equipment is properly secured.

        Whoev
      • Ideally what would be in place is that when someone activates the voicemail service, they have to enter a password right then, or at most have a default password that expires in 24 hours. So long as AT&T knew about the default passwords, which I'm sure they did, I can't say SBC is to blame. AT&T *knew* the risk was there, they could have required their new users to set a new password.

    • by T-Kir ( 597145 ) on Thursday April 17, 2003 @06:51PM (#5755311) Homepage

      Well I suppose it's not really restricted to phone systems (me stating the obvious here).... all I have to say is:

      login: cisco
      password: cisco

      And then you can add 'stupid admins/BOFHs' to the list.

    • Users did not change that default password.

      I agree with you in principle. Users should ultimately be responsible for the security of their accounts. After all, you do usually change the locks after buying a new house, right? The problem with this point of view, however, is that, as a computer geek, I am completely aware of how important it is to have good passwords for any kind of system. For other people this is not so obvious, and that is especially true in this case.

      People are starting to realize that
    • Is why anyone would ever bother to do this. I mean, one guy mentioned conference calls, but the calls should end up stored on the answering machine so you couldn't talk about anything identifying... It seems amazingly pointless to me.

      I can't believe AT&T really wants to soak these people for $8k or whatever. It's idiotic.
    • Why can't AT&T have the users change the password immediately after the first login? I.e., log in for the first time with the default password, then FORCE a change of password before anything else can be done in the voicemail system. Combine this with a semirandom set of default passwords, then only accounts that are new would be even somewhat vulnerable.
    • No, it was a case of an uneducated user not changing the password. The instructions on changing the password should have been prominently displayed and not buried in the information packet. The system should have forced a password change once it was accessed. Especially when AT&T is expecting the customer to cough up the bill if the system is exploited.

      A secure system cannot assume that a user, even one given formal training, will follow best practices. In this case, not putting in a forced password ch

  • by bazmonkey ( 555276 ) on Thursday April 17, 2003 @06:33PM (#5755213)
    ...about how much they love to "phreak", keep in mind that a good deal of us thought girls had "cooties" when the real phreaking was going on.

    This ties in with our general hacker degradation. Phreaking is nearly gone, everything today is a DoS attack, a script kiddie, or a win32 virus, etc. Hell, I mutter "All your base..." in my compSci class and I am hard-pressed to find someone that can complete the phrase!

    Sad, sad world...
  • Passwords (Score:5, Interesting)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Thursday April 17, 2003 @06:35PM (#5755228) Homepage
    Going from what I'm reading here it looks like they are using the default passwords that are shipped with systems. A quick search of Google will chuck up the default for loads of systems. So basically the administrators of the system aren't doing the job correctly, or am I just misreading this?

    Rus
  • by Chagatai ( 524580 ) on Thursday April 17, 2003 @06:38PM (#5755241) Homepage
    In the article, it discusses two individuals who failed to change their default password on their voicemail, leaving them vulnerable to a scam where people would make collect calls to their voicemail (after someone gained access to it), where the message was replaced by someone saying, "yes, I'll accept the charges". AT&T agreed that the individuals did not make the calls, but insist that the individuals (or their companies) still pay about two-thirds of the bill.

    Here's the real question: should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life idiot-proof enough and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".

    • Here's the real question: should the people be forced to pay the bill because they were too dumb to not understand the words, "change your default password immediately." I say that we have already made things in life idiot-proof enough and AT&T has every right to ask them for thousands of dollars. Call it a "Stupid Bill".

      There is that bumper sticker, "Stupidity Should be Painful." Seems that finally is becoming the case.

      I love how people fail to find themselves accountability for their own mistakes.
    • A system administrator who runs an insecure website which gets hacked and becomes a warez server for a month until he/she gets a huge bill for bandwidth usage. They have to pay up.

      Aunt May gets a voicemailbox last week and gets hacked, receiving a similar-sized bill as the sysadmin. Does getting a voicemail leave you with the same liability as running a website?

      (btw the obvious answer is 'no')

      And how DARE the phone company keep a collect call connected for over 6 hours, above ALL things this is the w
    • When you pay money for a service that is password protected, an average non-paranoid person will take it for granted. The fact is AT&T or whoever could have easily made it so you can't use the service until you change the password.. I mean, when I got my ATM card, I couldn't use it until *I* set a PIN number and such for it.. Why can't the voicemail service people do the same thing? On the other hand.. If a thief picks my lock, I can't sue the lock company.. So I agree, AT&T shouldn't be held ful
  • Don't pay that bill! (Score:5, Interesting)

    by fname ( 199759 ) on Thursday April 17, 2003 @06:44PM (#5755269) Journal
    My advice to the consumers: don't pay the bill. Write a letter, or have your lawyer write one, stating why you will not pay the bill. There is no legal reason why the victim should be obliged to pay. The biggest joke is AT&T offering a 30% "discount," when their gross margins are probably in excess of 90% for these collect calls.

    Don't pay the bill. Call a lawyer, write your congressman, and tell AT&T you WILL NOT pay, and ignore the collection agency. They have no right to engage in a shakedown like this; AT&T is reaping huge profits from the scam victims. This scam costs AT&T almost no money, yet they are reaping giant rewards. Seems like AT&T is the one running the scam.
    • I agree, especially since AT&T had admitted she didn't accept the call. She can not be held responsible for a collect call she didn't accept. AT&T has to prove she accepted it.
    • There is no legal reason why the victim should be obliged to pay.

      And your basis for saying this is...? You have a copy of the contract they signed where...? Your degree is from which law school...?

      As someone said above... stupidity should be painful. This seems to be a step in that direction. Granted AT$T is making money off it, and it wouldn't be unwise to contest it. But sweeping generalizations about legality are just as silly as leaving the default password on your account.
      • Fair enough, but here's the problem. The voice-mail box owner (nee: victim) never accepted the charges. The only reason collect-calls can exist is that they rely on the callee (is that a word) to explicitly accept the charges. It seems to me that the flaw is AT&T's, as they do NOT have a system which reliably determines whether the person accepts the charges.

        Maybe the box-owners should secure their systems better, but the basic flaw in the system is that AT&T cannot determine whether a person reall
  • by pres ( 34668 ) on Thursday April 17, 2003 @06:46PM (#5755284)
    I would think that something simple, like yahoo uses for account creation. Instead of "please say yes", it should be "please say XXXXX" where XXXX is randomly selected.
    • Please say supercalifragilisticexpialidocious or Mr. Mxyzptlk backwards.
    • Easily defeated.

      You just record & play back whatever they say. You could even use sox or something to fiddle with speed, noise, whatever, to make it sound less perfect.

      Asking people to spell words or to complete an easy password cycle (like "Who's the current president of the USA?" or "Knock, knock?", etc. etc.) would be a lot tougher to beat. Tougher to implement too.

  • Default Password (Score:4, Insightful)

    by SwansonMarpalum ( 521840 ) <{ude.ipr.mula} {ta} {anider}> on Thursday April 17, 2003 @06:47PM (#5755286) Homepage Journal
    I'm curious why everyone is pointing at the telcos when the users should have changed their passwords. While I wouldn't absolve either party from being guilty, I think that the people who leave their voicemail wide open are just as irresponsible as the telephone companies using an automated system.

    There is a solution however and I feel that the easiest would be for SBC to require users to change their passwords upon logging in for the first time. I know that voicemail systems which I have used have made that the very first step, before even allowing you to record your "I'm away" message.

    Fix the problem and the rest will fall into place.

    • They're pointing at the telcos because it's resulting in multi-thousand dollar bills, and the telcos are telling them "tough" when they clearly didn't intend to authorize the calls.
    • It isn't the user's responsibility to change a password.

      It is the phone company's responsibility to verify that the account holder has agreed to the charges.

      Imagine if someone stole your Visa and the excuse that they used was that your signature was easy to copy. This isn't a valid excuse for allowing the call to take place.
  • by Ryu2 ( 89645 ) on Thursday April 17, 2003 @06:48PM (#5755298) Homepage Journal
    If AT&T is too stingy to use live humans for collect call acceptance, there should be some randomly chosen sort of challenge/response mechanism asked by the voice recognition system (e.g., asking a simple question like "what day of the week is it?") or even "please repeat the word I say" (randomly chosen) to ensure that a simple pre-recorded static greeting can't work.

    Sort of like the "Turing tests" that services like Yahoo and even Slashdot itself set up to foil automated registrations.
    • Be careful on how you implement this, there will always be a group of people that will not be able to use the feature. Let's take your example of Yahoo registration, which is a word that is done via a picture. Well, there is a group of people that have trouble registering at Yahoo, and the group of people who have that problem are the blind. I remember I had to go over to a friend's place to help him register for Yahoo because their screen reader can not read an image.
      How could there be a group of people that have
    • Another group that won't like your idea is: Lawyers. Some of us say "yes" on the outgoing greeting so as to be able to take voice mail from jail and prison inmates.
    • It doesn't need to be that complicated. Seems like currently you need multiple pauses with multiple replies, so just mix up the timing a little. Instead of a .5 second pause, put in a 2 second pause; instead of saying "Hello" right after someone picks up, say "This is an automated call;" things like that. That will make it harder to have a single prerecorded message do the trick.

      Ultimately all you have to do is keep trying until the pattern matches, but even if there are only 20 variations that means y

  • by SmoothTom ( 455688 ) <Tomas@TiJiL.org> on Thursday April 17, 2003 @06:56PM (#5755335) Homepage
    Hmmmmm ... Who's to say AT&T really WANTS to fix this problem.

    Every time someone pulls this scam (not Phreak) AT&T makes money. In the two cases cited each one is worth about $8000 to AT&T.

    Yes, some will fight the bill, and even win out against AT&T and SBC, but for every one who fights the charge hard enough to win, I'll bet that ten more just swallow and pay.

    Uh, who knows, maybe SBC and AT&T are even making the calls, eh? ;o)

  • I'd sure like to take a look at the service agreements these people signed with AT&T and SBC. Generally, you are not responsible for fraudulent acts, but it sure sounds like AT&T is trying to profit from them. Probably another good reason to dump their service.

    If this happened to me, I'd just tell the collection agency to take it to court. Then I'd explain what happened to a jury. Do you really think the average person would "buy" the argument from AT&T?

    Also, they should be warned that they'

  • by Anonymous Coward on Thursday April 17, 2003 @07:04PM (#5755379)
    The thing is, even if you do change your password this kind of exploit is still wide open. A dedicated phreak can set up a wardialer (a program that will call repeatedly if necessary and perform simple touch-tone codes to a number) to try all possible combinations. Just have it play something like 00010020030040050060070080090110120130140150160170 18019021022023024025025026028....etc and all possible three or four digit numbers will be hit, thereby cracking the code. A lot of VMBs have it so you can only try one set then call back for another, but this is no problem. Just set the wardialer to try four, then call back and try the next four. Many VMBs have been seized through this method.
    • Which is why at our office, I've set up the PBX to lock out accounts after so many failed logins in a row. Sure, if some dumb user doesn't remember his/her password 6 times in a row, I have to unlock it... but I'd rather do that than go to the CEO saying some 19 year old in {insert third world country here} got in through one of our employee's VMBs and dropped to dial tone, racking up $8k in long distance. On top of the lockouts, I have a pretty anal password policy. No repeating (3 or more alike) or se
  • by kerika ( 574943 ) on Thursday April 17, 2003 @07:11PM (#5755417)
    Let me get this straight. Person A orders voice mail. Said person:

    1. never changes his password
    2. never changes his voice message
    3. never =listens= to his voice message
    4. never gets told by his family/friends that he has an odd message, probably because he...
    5. never receives calls

    May I ask why these people are ordering voice mail service in the first place?!
  • AT&T's fault! (Score:3, Interesting)

    by rMortyH ( 40227 ) on Thursday April 17, 2003 @07:38PM (#5755561)
    You can use a RadioShack scanner and plug it into a computer running pd with a DTMF decoder patch and get anyone's voicemail password who has a cordless phone. For some cordless phones, you can even use an old TV set that goes up to channel 83!

    You can also get long distance calling cards this way too. I'm paranoid and I now dial these on the corded phone, then pick up the cordless. Are users responsible for using encrypted phones?

    AT&T is clearly at fault for accepting the charges. That is the part of the system that is the weak link, not the voicemail passwords. Someone could have hung an answering machine on their phone line. It's a ridiculous hole.

    As for SBC, their system asks you for your password BEFORE your mailbox number, and if it's right for the phone you're using, it doesn't ask for the mailbox. So, if you have the same password as the person whose phone you're using, you hear THEIR messages, and there is no way to listen to your own! It's rare, but it happens. Telcos are lame.

    =Rich

    BTW, pd [ucsd.edu] is the greatest, coolest, amazingest piece of linux software there is and hardly anyone seems to use it. You can make a DTMF decoder in no time, or generate any tones you need, and so much more! See the examples.....
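The decoder this comment describes (scanner audio fed into a DTMF decoder) needs no pd to demonstrate. The following is an added example written for this page, not rMortyH's pd patch: it builds a constructed DTMF signal (assumed 8 kHz mono, two 0.5-amplitude tones per key, 100 ms on and 100 ms off, with light Gaussian noise standing in for scanner audio) and recovers the keyed digits with the Goertzel algorithm, which is the standard technique in both hardware and software DTMF decoders. The frame length, the thresholds and the two-frame debounce are my choices.

```python
"""Decode DTMF key presses from audio samples with the Goertzel algorithm.

Added example: a Python stand-in for the pd DTMF decoder patch the comment
describes, not the poster's patch. Assumptions: 8 kHz mono samples in the
range -1..1, and the constructed test signal below (two 0.5-amplitude tones
per key, 100 ms on / 100 ms off, plus a little Gaussian noise) in place of
audio captured from a scanner.
"""
import math
import random

SAMPLE_RATE = 8000
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # KEYPAD[row][col]
FRAME_LEN = 205        # 25.6 ms, the classic DTMF analysis frame at 8 kHz
SILENCE_ENERGY = 5.0   # a frame whose sum of x^2 is below this is a gap between keys
MIN_RATIO = 8.0        # strongest row/col tone must beat the runner-up by this factor


def synth(keys: str, tone_ms: int = 100, gap_ms: int = 100, seed: int = 1) -> list:
    """Constructed signal: the two tones for each key, silence between keys, plus noise."""
    rng = random.Random(seed)
    out = []
    for key in keys:
        row = next(r for r, line in enumerate(KEYPAD) if key in line)
        col = KEYPAD[row].index(key)
        for k in range(SAMPLE_RATE * tone_ms // 1000):
            t = k / SAMPLE_RATE
            out.append(0.5 * math.sin(2 * math.pi * ROW_FREQS[row] * t)
                       + 0.5 * math.sin(2 * math.pi * COL_FREQS[col] * t))
        out.extend([0.0] * (SAMPLE_RATE * gap_ms // 1000))
    return [x + rng.gauss(0.0, 0.05) for x in out]


def goertzel_power(frame: list, freq: float) -> float:
    """Squared magnitude of the frame's spectrum at `freq`, without an FFT."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame: list):
    """Return the key heard in one frame, or None for silence / no clean tone pair."""
    if sum(x * x for x in frame) < SILENCE_ENERGY:
        return None
    picks = []
    for freqs in (ROW_FREQS, COL_FREQS):
        powers = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(freqs)),
                        reverse=True)
        (best, idx), (second, _) = powers[0], powers[1]
        if best < MIN_RATIO * second:
            return None           # partial tone or noise: no dominant frequency in this group
        picks.append(idx)
    return KEYPAD[picks[0]][picks[1]]


def decode(samples: list, min_frames: int = 2) -> str:
    """Walk the signal frame by frame. A key is emitted once it is heard in
    `min_frames` consecutive frames; a gap (None) separates repeated keys."""
    keys, run_key, run_len = [], None, 0
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        key = classify_frame(samples[start:start + FRAME_LEN])
        run_key, run_len = (key, run_len + 1) if key == run_key else (key, 1)
        if key is not None and run_len == min_frames:
            keys.append(key)
    return "".join(keys)


if __name__ == "__main__":
    print(decode(synth("1234#")))   # the PIN keyed in over the air, recovered from audio
```

The lesson is the one the poster draws himself: a PIN keyed into an analogue cordless handset is eight tones that any receiver in range can pick out with a few lines of arithmetic, so the only real fix is not to send it over the air (corded phone, or a handset with an encrypted link), not a stronger PIN.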
  • Simply saying "Yes, yes I'll accept" is way, way not legally binding in the first place. There has got to be some kind of legislation that places liability on the consumer in this case, or no one would ever have any reason to ever pay a bill for a collect call.

    Until someone explains the contractual obligation involved, we're just talking crap.
    • There is legislation about this, it is called contract law. There exists an agreement between you and your telco to provide service for a fee, and you agree to pay charges that you accept. Since your voicemail is not you, you did not agree to accept the service; since you did not agree to the service, you are not responsible for the charges. End of story. Let them take you to court. The password doesn't matter, you could put your password on the wall of the subway and AT&T doesn't have a claim. One place wh
  • by primus_sucks ( 565583 ) on Thursday April 17, 2003 @07:55PM (#5755701)
    Just today I forgot my online banking password. All I had to do was call the bank, give them my SS#, date of birth, and mother's maiden name and bingo, they gave me a new password. This is information that plenty of ex-wives/girlfriends would have access to, not to mention the person from the bank I just told.

    A couple of years ago someone apparently printed out checks from a laser printer with my name on them. Any jack-ass with a decent laser printer can make checks and a fake ID.

    Also today my wife's purse was stolen. I was helping her call credit card companies to cancel her cards. But the credit card companies wouldn't let me cancel them because I obviously wasn't my wife even though I had the answers to all their lame "security" questions.

    The whole entire system is fucked up and easily beaten.
  • Watch out for fraud! (Score:4, Informative)

    by rice_burners_suck ( 243660 ) on Thursday April 17, 2003 @09:08PM (#5756166)
    Here's one to watch out for: Fraudulent calls to 900-like numbers in the U.S. Virgin Islands. Yup. Someone can call your house and leave a message, telling you that there is an important matter and you need to call them back. The phone number has an area code that looks NOTHING like 1-900. Kind of like those 877 and 888 numbers that are toll-free, except that these are toll-cost numbers. So you call back and hear a recording, the only purpose of which is to keep you on the line for as long as possible. Next thing you know, you get a phone bill for $1000.00 or so because this company charged you $500.00 a minute for two minutes. It's fraud but it's international, so you're screwed.

    I never call back numbers that I don't recognize. If it's important, they'll call me again.

    • 500 bones per minute is a little blown out of proportion, but what really counts is how ridiculous this is.

      For more info check out http://www.lincmad.com/telesleaze.html
    • There was a similar scam in the UK last year. People were text messaged a "call me" message to their mobile phone, to a similar toll number.

      The twist here was that when you phoned up, you heard a recording of an engaged tone. People would keep calling back until they gave up.

      Expect similar scams in the US as SMS becomes more common.

  • by g4dget ( 579145 ) on Thursday April 17, 2003 @11:03PM (#5756805)
    Presumably, accepting third party charges involves some kind of contractual agreement. Normally, that happens when you say "yes" to another person. Can my answering machine, on its own, make legally binding decisions for me now? I don't think so.

    AT&T screwed up with deploying voice recognition for this purpose (and presumably continuing to charge operator assist rates); that's their problem. I hope the lawyers are going to have a field day with them.

  • by ChaosDiscord ( 4913 ) on Friday April 18, 2003 @01:28AM (#5757485) Homepage Journal

    I see a hell of a lot of posts to the effect "they kept the default password, they deserve the charges."

    That's just stupid and shortsighted.

    People balance security against realistic perceived risk. Realistic worst case risk for failing to reset my voice mail password: someone else hears my voice mail messages, deletes them without my ever hearing them, then records something embarrassing or damaging for my outgoing message. Bad, but perhaps I'm willing to live with that risk.

    Getting hit with a $12,000 bill (or an $8,000 bill after AT&T generously reduces it) is completely unreasonable. Prior to reading this article, I didn't realize that this was a potential attack at all. I would have assumed that no company was stupid enough to let an answering machine accept charges on a phone call! You can't assess risks on attacks you aren't aware of. It's simply not possible to protect against all attacks (is your computer TEMPEST secure? Do you shred any documents you throw out with your social security number on them?). People need to balance risks against the cost to defend against them. Some people apparently decided against changing their password. They misjudged the risks because they were unaware that AT&T was doing something insanely stupid that could cost them a lot of money.

    Also remember that in many cases people are actively encouraged by their employers or service providers to not change the default passwords. I've specifically been told that in a number of cases. Depending on the reasonable risk level, I sometimes change the password anyway. I distinctly remember an ISP I was dealing with being shocked that I would want to change the factory standard password on the ISDN modem they sold us. (If I changed it, how could they debug it remotely?)

  • About 12 years ago, a friend of mine showed me this number you could dial from local payphones (at the time 206, which encompassed most of western Washington... Seattle, Redmond, Bellevue, etc). It would ring a couple of times, then it would play a never-ending high-pitched tone. A few seconds after you hung up, the phone would ring; once you picked it up, it would click a couple of times, then allow you to call anywhere you wanted for free.

    My first attempt at phreaking was with a software tone generator and a wal
