Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: bioc1.txt

BIOC Agent 003's Basic Telecom Tutorial 1 of 7

*******BIOC Agent 003's course in******
*                                     *
*      ==========================     *
*      ==========================     *
*               PART I                *
In this course, I plan to cover as much
material as possible relating to tele-
communications.  First, in the syllabus
are the long-distance services, which
is the topic of part I.  In future
issues, such subjects as the Bell
Network, colored boxes, telephone
electronics, central office equipment,
computer hacking, and much, much more
will be covered.

In an attempt to offer lower prices,
alternatives to Bell have been set up.
Services such as Sprint, Metrofone,
ITT, MCI, Travelnet, and many others
are all familiar to us.
The basis of all these services are
that they own their own switching
equipment.  First, we will look at
those services which use a local
dial-up.  The principle of these are:
 1) You dial the local #.
 2) When it picks up you get a 2nd dial
    tone, you then enter a code.
 3) You then enter the # and whalla,
    you're connected, a free call!
Next, we will look at several of the
Sprint, also known as SPC, was one of
the first LD services.
Many boards contain SPC #'s and I plan
to include a list of them as an
appendix to this course so you can find
your local #.
The codes for SPC are 8 digits long.
SPC is not considered safe, since many
people have been busted on it!  It is
common knowledge that Sprint has
declared war on phone phreaks.  So,
fight back (with care)!
 [914 dial-up--> (914) 997-1616
Metrofone, owned by Western Union, is
very popular among phone phreaks due to
the large abundance of codes and it (at
the time of this writing) is considered
fairly safe.
The code is 6 digits long.
To find out the local dial-up for your
area, just call (800) 325-1403 and ask
the "nice lady" for the # for your
    FORMAT: At tone--> code+area code
            (NPA)+destination #
NOTE:  NPA & A/C are abbreviations for
       area code.
ITT is a little different in that upon
hearing the dial tone after calling the
local access #, you enter the a/c and
then the #.  You will then hear a short
tone, you then immediately enter your 7
digit access code.
[dial-ups:(212)248-0151, (914)997-8576]
    FORMAT:  At tone, destination # + 7
             digit access code.
    FORMAT:  At tone, 5 digit access
             code + destination #.
    FORMAT:  At tone, 7 digit access
             code + destination #.
[212 dial-up: 248-0151
NOTE:  You can usually call up the
       companies customer service #,
       and say you just moved or
       something and ask for the access
       # for your area code.  To find
       out the customer service # call
       dir. asst. at (800) 555-1212.
=950 Exchange=
The 950 exchange is a nationwide access
exchange, in most areas, that includes
such services as Skyline, Lexitel,
Allnet and others. All services on this
exchange are considered dangerous due
to the fact that they have the traced!
SBS Skyline is a new service owned by
IBM, Comsat and AEtna.  It has the same
local access # across the country:
950-1088.  It is supposed to have 6
(possibly 8) digit codes and is alleged
to be very dangerous.
Allnet is at 950-1044.  It has 6 digit
=Calling Cards=
Calling cards are Bell's version of
Sprint, MCI, etc.  Calling cards are
used primarily from pay fones.  The
format is:
NPA is usually the a/c of the billed #
that the call is to be billed to. This
may be replaced by a 3 digit RAO code
in some areas.
NXX-XXXX is the number that the call is
to billed to.
CCCC is a checkcode (or PIN--Personal
Identification Number) that adds the
security to Calling Cards.  The codes
used to be predictable until 1983.
Now CCCC appears to be sequentially
generated so the codes cannot be
calculated from a formula!
The easiest way to find these codes are
in a busy airport or college where
they are used alot.  Just get close and
copy down someones code (if you are
that unscrupulous!)  Don't rip off poor
people; go for the rich business pigs!

You usually call the operator to make a
CC Call but on some fortress fones, you
can dial 0+the number you want to call
and you will get a recording & tone
where you enter your calling card #.
By pressing the # sign (octothorpe)
after each call instead of hanging up,
you can make many calls at once without
having to retype the CC # each time.
This is good for busy numbers. Also, if
you want to call the # of the card, ie
the billed #, you just have to enter
the last 4 digits of the CC # at the
Now, suppose you do get a real
operator.  Since mostly business people
use calling cards, it is suggested that
you act a little like a business
person, ie, rushed, older,
businesslike, and SLIGHTLY pissed at
the operator (keyword: SLIGHTLY).  All
you have to tell her is the CC #.  If
she asks for the # you are calling
from, tell her, but change the last
digit or 2.  If you asks you more
questions, she is probably suspicious.
Hang up.  Although, you should make up
some answers to certain questions to
satisfy the operator that you are
legit.  The most important thing you
should know when making a CC call is
the area code and the city of the card.
Finally, in case the operator is
listening, always talk businesslike for
the first few seconds until the
operator clicks off (they have been
known to listen in on calls
(understatement)).  Also, always use
CC's from pay fones or Charge-A-Call
fones only!
CAUTION:  All the CC codes are now
          rapidly checked due to CCIS
          (Common Channel Inter-office
          Signaling) and ESS
          (Electronic Switching System)
          If you try to hack CC codes
          you can be fairly sure that
          Bell Security (affectionately
          known as the gestapo in the
          phreaking world) will get a
          message from the CO (Central
          Office, ie, exchange)!
=800 Services=

You are probably all familiar with
WATS. WATS #'s (Wide Area Telephone
Service, otherwise known as 800 #'s)
are very popular due to the fact that
they are toll-free.  They often contain
WATS extneders. Extenders were
originally used by salesmen in the
field who called up their company's 800
# (INWATS #) and then used the
company's low-priced OUTWATS line to
make the call.  This is cheaper to the
company than using the Bell calling
card which has a surcharge.
On the original extenders there were no
codes!  Companies soon realized that
their #'s were being used and added the
present day security codes.  The
salesman would then dial the 800 number
and enter the code (usually 4 digits),
he would then receive a second dial
tone from the companies PBX (Private
Branch eXchange - their own switching
equipment - ie, switchboard).  He would
then access the OUTWATS line by dialing
8 or 9 and then the #.  These codes
were originally hand-hacked, but
some pioneer phreak added an interface
to Charlie, his Apple II computer,
which was capable of generating DTMF
tones (Dual-Tone-Multi-Frequency - ie,
generic term for Touch-Tone (TM)) and
trying all the codes.  The only
problem was that Ma Bell got suspicious
when they saw that someone called the
Joe Blow Rubber Company 800 # in
California 4,568 times at 2 AM and each
call lasted for only 1 second!
Travelnet is a service that uses WATS
as well as local access #'s.
The 800 # is (800) 521-8400.
After the tone, enter the 8 digit code,
if the code was right you'll get a
second tone, then enter the area code
and number.
Travelnet is also unique in that it
accepts voice recognition for those
times when a touch-tone is not
available (How convenient!). If you
don't do anything after the tone, you
will hear a voice that says,
'authorization #, please.'  You then
say each digit SLOWLY.  It will beep 
after you say each digit.  After each
group of digits, it will repeat what
you have said.  Say yes if it is right,
otherwise, say no.  If the
authorization code is correct, it will
say thank you and it'll then ask for
the destination #.  Follow the same
procedure as above.  The voice system
is very user friendly and you should
have no problems with it.
TEL-TEC is at (800) 323-3026. In my
experiences, you usually get a very
shitty connection.  This I use for last
    FORMAT:  6 digit code + dest. #
CAUTION:  Like the 950 exchange, 800
          numbers can be easily traced.
          This doesn't mean that they
          trace everything, though.
There are many other 800 services and
PBX's (such as the Dimension 2000 at
800-848-9000).  There is just not
enough room to discuss them all.  As
you have probably noticed, I have
posted no codes.  Check the phreak
section of various BBS's to find the
latest codes or hack them yourself.
Hand-hack good possibilities or use a
"smart" modem with a hacking program
(contact your local pirate).
Besides suspicion and random checks, Ma
Bell sets up "trap numbers".  Trap
numbers were set up on certain dial-ups
such as Sprint, MCI, etc.  Whenever,
the dial-up is called a "trouble card"
is dropped at the central office.  This
means that a record of the called #,
the CALLERS #, and time are printed
out.  These cards (or printouts in an
ESS CO) are usually ignored unless SPC
or somebody detects fraud, ie,
unauthorized use of a customers acct.,
then they call Bell and find out the
name and number and instantly nail the
phreak who made the call.  They will
then either demand that you pay some
enormous fee and they'll forget the
whole matter; give them info on other
phreaks, boards, etc.; or prosecute you
on the federal rap of Theft of
Communications service, which carries
fines of upto 10 years in jail and/or
$10,000.  They usually don't go for
legal action first, though.
Why does Bell help their competion?
Actually, it is rather simple.  People
were using Sprint to break into Bell's
ESS computers.  Bell could only trace
the call back to Sprint.  So, Sprint
helps Bell catch the people it wants
and visa-versa.  ("You rub my back and
I'll rub yours" type of deal.)
By the way, trap numbers are also how
Bell catches people who make harrasing
phone calls to private residences.
Finally, do not forget that these
services have a copy of the number that
you called.  So, if a customer says he
didn't call a certain #, they will
usually call up that # and try to find
out who did call at that time.
So, to be safer on SPC, MCI, and
others, follow the following
 1) Use a fortress fone (pay fone)
whenever possible.  Although, they have
been know to stake out pay fones.  Just
don't use the same fone over and over
again.  In other words, move around.
 2) Only call institutional
switchboards, business that have no
record of your call, and friends who
are instant amnesiacs.
 3) Try to keep all calls under 15
minutes when possible.
NOTE:  No system is totally safe!  When
I classify something as safe or
dangerous, that is just with respect to
my opinion as well as that of several
other phreaks. These opinions are based
on how many people have been busted on
them, what type of equipment they are
using, and inside information.  I
cannot possibly guarantee that you will
or will not get caught.  Actually, with
CCIS and ESS nothing is really safe
anymore.  Besides, what phun would
there be in life without risks!
Coming soon:
In Part II, we will look at the special
Bell numbers such as CN/A, ATT
Newslines, loops, ANI, ringback, and
99XX scanning.
Until next time, I would like to leave
you with a quote from The Magician:
"Many people think of phone phreaks as
slime, out to rip off Bell for all she
is worth.  Nothing could be further
from the truth!  Granted, there are
some who get their kicks just by making
free calls, however they are not true
phone phreaks.  Real phone phreaks are
"telecommunications hobbyists" who
experiment, play with and learn from
the phone system.  Occasionally this
experimenting, and a need to
communicate with other phreaks (without
going broke), leads to free calls.  The
free calls are but a small subset of a
TRUE phone phreaks activities."
Have Phun,
NOTE:  This article was written in
       upper & lower case.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH