Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: eqacc.txt

Equal Access Hacking Guide

                     THE  EQUAL  ACCESS  HACKER'S  GUIDE

The axing of good ole Ma Bell has rendered wrong everything  you  now  know
about  phone  companies.  The procedure for placing a long distance call is
now above the understanding level of a good proportion of the  public,  and
the  various  companies  are  doing very little to educate them.  Thus this
attempt to inform the reader what new evil lives at the other  end  of  his

In areas that are now equal access, it is possible to place a long distance
call  using any of the carriers who will complete it for you.  You do *not*
have to have previously set up an account with the carrier, as in the past.
They will complete the call  and  pass  the  billing  back  to  your  local
operating company [LOC], which in turn bills you for the call.  So to place
the call via the "alternate" carrier, you pick up and dial:

10nnn + 1 + area code + number

The  nnn  is  magic:  it  allows you to select a different carrier for that
call.  There are a zillion little Mom-n-Pop carriers  in  different  areas,
but  here  are  some  of the major ones whose access codes should be fairly

220 Western Union     ;; consistently bad audio 90% of the time
222 MCI               ;; duplexey lines sometimes
288 AT&T              ;; you know the story
333 U.S.Telecom       ;; reasonably ok
444 Allnet            ;; a major reseller of others' services
488 ITT               ;; *bad* audio, useless for modems
777 GTE Sprint        ;; usually good quality -- rivals AT&T

When you complete a call this way,  via a carrier who "doesn't know who you
are", you are referred to as a "casual caller".  Most of the major carriers
will  complete  casual calls.  The smaller ones usually want an access code
and a pre-existing account.  Note that all  this  is  perfectly  legal  and
nobody  is  going  to come pound on your door and demand your firstborn for
making your calls this way.  The fun part starts when  one  considers  that
this  two-stage  billing  process  involves  a  lot  of  red tape and paper
shuffling,  and the alternate [i.e.  not AT&T] carriers often  have  poorly
designed  software.  This  can  often lead to as much as a 6-month lag time
between when you make the call and when you get the bill for it.  There  is
a  chance that you won't get billed for some calls at all,  especially real
short ones.  And if you do get billed,  the rates will be reasonable.  Note
that  if you don't have an account with a given company,  you won't be able
to take advantage of any bulk rates they offer for their known customers.

It is likely that for this reason,  i.e.  all the mess involved in  getting
the  billing  properly  completed,   that  the  local  Bell  companies  are
attempting to *suppress* knowledge of this.  Notice that when you get  your
equal access carrier ballots, nowhere do they mention the fact that you can
"tenex" dial,  i.e.  10nnn,  through other carriers.  They want you to pick
one and set it up as your 1+ carrier so you don't have  to  learn  anything
new.  Now,  it's  already  highly likely that the little carriers will fold
and get sucked up by AT&T and eventually everything will work right  again,
but  this  policy  is  pushing  the  process along.  The majority of people
aren't going to want to deal with shopping around for carriers,  are  going
to choose AT&T because it's what they've come to trust, and their lines are
still  the  best  quality  anyway.  However,  the more people become casual
callers,  the more snarled up the billing process is going to  become,  and
the resulting chaos will have many effects,  one of which may be free calls
for the customers,  and the  carriers  and  LOCs  being  forced  to  either
straighten  up  their  acts,  disable  casual  calls and lose business,  or
knuckle under completely.

So where can you get more info about equal access,  if not from your  local
company?  You  call  1  800 332 1124,  which AT&T will happily complete for
you,  and talk to the special consumer awareness group dedicated to helping
people out with equal access.  They will send you,  free of charge,  a list
of all the carriers  which  serve  your  area,  with  their  access  codes,
customer service numbers,  billing structure,  and lots of other neat info.
The LOCs will give out this number, but only under duress.  They will *not*
give out any information about other carriers,  including what  ones  serve
your central office,  so you shouldn't even bother trying.  It's apparently
been made a universal company policy, which is ridiculous, but the case.

Let's get into some of the technical aspects of this.  First off, you might
ask, why 10nnn?  Well, it could have been 11nnn too, but it wasn't.  If you
think about it, other numbers could be mis-parsed as the beginnings of area
codes.  3-digit carrier codes also leaves  plenty  of  room  for  expansion
[haw!].  Some  of  the  carriers won't complete casual calls,  and may even
give recordings to the effect of "invalid access code".  Basically when you
$ek this  way,  your  central  office  simply  passes  the  entire  packet
containing  your  number and the number you want to call to the carrier and
lets the carrier deal with  it.  You'll  notice  that  this  process  takes
longer  for  some  of  the  carriers.  The carriers have differing database
structures and hardware,  so it takes some time to figure out if  it  knows
who  the  calling number is,  if bulk rates apply,  and a few other things.
While it's doing this search, you get silence.  What's a lot of fun is that
in areas that have recently gone equal access,  the central offices do this
exact same process for public phones.  And since the carrier usually has no
idea  of  what a public phone is,  it happily completes the call for you as
though you dialed it from home.  It is unclear who gets the resulting  bill
from  this,  but  it  usually  doesn't  take  them  long  to  fix it.  It's
conceivable that the carriers can hold numbers to *not* complete calls from
in their database, as well as regular customer numbers.

Some carriers also handle 0+ calls.  If you dial 10nnn 0+  instead  of  1+,
the  office  will  hand  it  off  as usual,  and you'll be connected to the
carrier's switch,  which gives you a tone.  You are expected to enter  your
authorization  code at this point,  and then off the call goes.  This is so
you can complete equal-access style calls from friends' phones and use your
own billing.  It also requires that you have an account  with  the  carrier
already  and an authorization code to use.  Some carriers,  in places where
the public phone bug has been fixed,  will handle 1+ calls from  them  this
way as well.  This mechanism introduces a security hole,  because it's real
easy to determine the length of a valid authorization code from this  since
something  happens  right  after  the  last digit is dialed.  Carriers that
don't do this will sometimes tell you to dial "operator-assisted calls"  by
dialing  102880+  the number you want.  Already they're admitting that AT&T
is better than they are.

And as if this wasn't enough,  carriers that  do  this  will  also  usually
connect  you  straight  to  the  switch  if  you dial 10nnn#.  The LOCs are
finally getting around to using the # key as sort  of  an  "end-of-dialing"
feature,  so  you  can  reach  the switch directly without having to dial a
local number or 950-something.  Being able to get to the  carrier's  switch
is useful,  because they often have special sequences you can dial there to
get their customer service offices,  various test tones,  and other things.
If you get the switch and then dial # and the tone breaks, you may have one
of  these.  Another  #  should bring the tone back;  if digits have already
been dialed then # is a regular cancel or recall.  Some carriers use *  for
this.  Anyway,  if # breaks the tone,  an additional digit may start a call
to an office.  You can tell if it's working if #  has  no  further  effect;
you'll  eventually either hear ringing or nothing if that digit hasn't been
defined.  Many of the  carriers  have  magic  digit  sequences  that  would
otherwise look like authorization codes,  but go off immediately upon being
dialed and call somewhere.

Call timing and billing is a very hazy issue with the  alternates,  as  one
may see from the consumer group sheet.  AT&T is still the only one that can
return called-end supervision, i.e. the signal that tells your local office
that the called party has picked up.  The alternates,  although they may be
planning to install this through agreements with the LOCs  and  AT&T,  have
not  done  so  yet,  so they use timeouts to determine if billing should be
started yet.  These are usually the time that 8 rings takes;  assuming that
most  people will give up after 6 or 7.  So if you listen to your brother's
fone ring 20 times because he went out drinking last night and is now  dead
to the world,  you will get billed for the call whether he wakes up or not.
This is sort of a cheapo compromise, but since AT&T is so reluctant to hand
them supervision equipment,  their hands are sort of tied.  But notice that
it's  likely  that  you  won't  get  billed  for  a real short call that is
answered quickly, either.  With the advent of 9600 baud voice-grade modems,
this could have some interesting applications as far as message passing  is
concerned,  and avoids pissing off operators by trying to yell through non-
accepted collect calls or long lists of what  person-to-person  name  meant
what.  But  in  general,  you should keep your own records of what call and
what carrier and if it completed or  not,  so  you  won't  get  erroneously
billed by a silly timeout.

Carriers  often  use  their own switching equipment;  they also often lease
lines from AT&T Long Lines for their own use.  Allnet, for example,  leases
equipment  and  time  from  other  carriers  at  bulk rates and resells the
service to the customer.  So if you use Allnet,  you can never  tell  whose
equipment  you're  really  talking  on,  because it's sort of like roulette
between satellite,  microwave,  or landline and who owns it.  Some of  this
latter-generation  switching equipment is warmed-over AT&T stuff from a few
years ago, and therefore may be employing good old single-frequency trunks,
i.e.  2600 Hz will disconnect them.  In the early days of  carriers  before
equal  access,  2600  would  often  reset  the  local switch and return its
dial tone.  This is less common these days but there's a lot  of  equipment
still out there that responds to it.

When  you  select your default carrier,  there is another valid option that
isn't on the ballot.  It is called "no-pick",  and is not exactly  what  it
sounds  like.  If  you simply don't pick one or return the ballot,  you get
tossed into a lottery and you will wind up with any random carrier as  your
default  on  1+  dialing.  You still won't get bulk rates from this carrier
unless you call them up and create an account [or you may get a  packet  of
info  from  them  in the mail anyway,  because if they got selected for you
they will probably want you to sign up].  However, no-pick is the condition
where you *do not* have a default carrier,  so if you pick up and dial 1  +
area  +  number  the  call  will not complete.  This is great for confusing
people who attempt to make long distance calls on your phone and don't know
about tenex dialing.  Probably your best bet as far as saving money goes is
to sign up with *all* the carriers,  and examine their  billing  structures
carefully.  You can then choose the one that's cheapest for a given call at
a  given  time.  You  may  need  a  computer  to  do this,  however.  It is
surprising that nobody has yet tried to market a program that will do  this
for you.

Post-parse, or 10nnn0+ dialing, is not the only security hole that carriers
have to deal with.  There are often magic sequences that, when dialed after
a trial authorization code, will inform the caller if the code was valid or
not  without  having to dial an entire number.  These usually take the form
of invalid called area codes, like 111 or 0nn or *nn.  Most of the carriers
have fixed the problem in which an invalid code plus  some  sequence  would
return  silence  and  allow recall,  and a valid one would error out.  This
allowed valid codes to be picked out  very  quickly.  Longer  authorization
codes  and  improvements  in the software have largely eliminated this as a
major problem, but it took a few years for them to get the idea.  Note that
abuse of other peoples' authorization codes  *is*  illegal  and  they  will
probably come after people who do it.  However,  it is often interesting to
play around with a carrier you are interested in purchasing  service  from,
and  see  if  you  can break their security easily.  If you can,  then it's
clear that someone else can,  and this carrier is going to have  a  lot  of
problems  with fraud.  Someone may even find your code and then you'll have
to deal with bogus billing.  So if you find some algorithm which allows you
to come up with a 6 to 8 digit valid code,  one thing you might do is  call
the  carrier and tell them about it.  They'll thank you in the long run and
might even offer you a job,  a side benefit of which may be unlimited  free
calling via their equipment.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH