Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: pbxcpe.txt

Dealing with PBX/CPE Fraud

The following article was transcribed from Tele Mgr, a magazine for, you 
guessed it, managers of telecommunications systems. I thought everyone 
would like to get an idea of how the people on the other side see them. When 
reading over the article, be sure to take note of the methods that are not 
mentioned. And like any other writing on phreaks, this article is filled with 
over generaliztions and unfounded connections between p/hacking and 
organized crime. But despite the standard lies, the article is fairly 
informative. Feedback or comments can be directed to me at:

CybernetI [504] 272-1710, Johnny Rotten <Sysop>

By now the stories are all too familiar. Your PBX/CPE customer receives a 
long distance telephone bill in a huge box, rather than an envelope. 
Throughout the  bill are pages of calls from international locations and 
locations your customer doesn't do business with: The Dominican Republic, 
Mexico, Pakistan or Colombia. A total of $50,000 in international calls. 
Another victim of PBX/CPE fraud.

For as long as there has been direct dial long distance service, there have 
been ways to steal it. Methods have constantly evolved over the years. First, 
the "boxes" fraud. Blueboxes, Redboxes, Silverboxes. With the advent of 
competitive long distance service, a new avenue became available, Feature 

A FGA offers access to the interexchange carriers' network through a 
subscriber-type line connection rather than through a trunk. Thus the birth 
of "hackers" and "phreakers". Phreakers are aspiring hackers sharpening 
their skills by uncovering long distance authority codes.(auth codes). This is 
accomplished by breaking in to a company's telecommunications computer 
and uncovering the auth code identifying long distance customers to which 
phone calls are billed. The more experienced hackers are skilled in breaking 
into modem ports, including PBX/CPE.

With divestitures and advancements in monitoring systems, FGA became 
less of a problem. Carrier calling cards became the favorite method for 
stealing service. Calling cards were wonderfully easy to steal. You didn't 
need to hack. All you needed was to hang around the payphone banks at any 
major transportation facility, watch the legitimate users dial their code or 
listen to them repeat it to an operator, and you were in business. All the 
carriers eventually developed advance monitoring systems to detect calling 
card abuse. Now fraudulently used calling cards are good for a few hours at 
most before the card is deactivated.

The migration continued to the PBX/CPE environment, and extremely fertile 
area of attack. Many PBX/CPE owners were unaware of fraud potential. 
Systems were not in place to detect this fraud in a short time frame. The 
abuse could often continue unabated until the PBX/CPE owner received the 
aforementioned bill. 

As the years have passed, fraud migrated from one product to the next. What 
started as a problem with college students trying to call friends and family 
for free, or businesses trying to reduce their phone bill, has turned into a 
very lucrative market.  The "call sellers" stealing phone service are 
professionals. The resale of lang distance service at very low rates is their 
full time job. While the problem was once confined to domestic calls, it has 
evolved almost totally to international calls. These professionals work from 
their homes or from payphones on the street. For as little as $5, they will 
sell you a 15-minute telephone call to anywhere in the world.

Phreakers are still uncovering authcodes; however, this is no longer the only 
method employed to garner information . The migration has moved to 
technical expertise. Now, hackers no longer attack only dialtones, they 
attack modems that are the maintenance ports on PBX/CPE equipment. Once 
inside the equipment, the hackers reprogram features. They turn on function, 
such as Direct Inward System Access (DISA), that owners have turned off. 
They reprogram certain call processing features allowing outbound dialing 
from voice mail boxes or call attendants.

Previously, these two communities (call sellers and hackers) worked 
individually. Hockers posted codes on bulletin boards or pirated voice mail 
boxes, and call sell operators accessed for the information. Recent 
activities indicate this relationship has changed to one of direct 
cooperation. As PBX/CPE owners have become more aware of the fraud 
issues over the last two or three years, they have taken steps to protect 
their systems. EISAs have been removed, and international calling has been 
blocked. The PBX/CPE equipment can no longer be abused with simple keypad 
manipulation. This places call sell operators in a bind. They have customers 
to support and cannot provide the service those customers desire. As a 
result, hackers and call sell operators have joined forces. A call sell 
operator puts a hacker on the payroll. The hacker, armed with PBX/CPE 
manuals, accesses the equipment and modifies it to allow a fraudulent call 
to be placed. 

These crimes require total industry cooperation to be combated. It's no 
something that can be solved without a combined effort by the 
interexchange carriers (IXCs), PBX/CPE manufacturers and distributors, and 
end users. 


This is the area that has produced the best results to date. Over the last two 
years there have been many articles published in trade journals and the 
general media highlighting the problem. Seminars have been conducted by 
the Communications Fraud Control Association, American Society of 
industrial Security, and other organizations, highlighting potential exposure. 
The IXDs have all developed some form of customer awareness training, 
forcing the hackers call sell operators to resort to drastic measures. It's 
not as east to beat a PBX as it was two years ago.

Despite the advances made, however, the efforts need to be refocuses. 
Resources should be directed at law enforcement and the judicial system. 
Many believe telecommunications fraud is still a victimless crime being 
perpetrated against the "deep pockets" of the local and interexchange 
carriers. But as many PBX?CPE owners unfortunately know, industry tariffs 
hold the owner responsible for this type of fraud.

Law enforcers need to know the carriers will assist them in any way 
possible to put a case together. They must know that many times there is a 
connection between telecommunications fraud and everyday street crimes, 
including the drug trade.

Likewise, prosecutors and judges need to understand the impact of these 
crimes and to hand out appropriate sentences when a suspect has been 
convicted. In a recent case in New York City, a fraud suspect was convicted 
and sentenced to 300 hours of community service for over $375,000 of 
documented fraudulent phone calls attributed to this individual. That 
equates to over $1,000 stolen for each hour of community service, or 
something far less than an effective deterrent.


The federal laws most often used against hackers are Title XVIII Sections 
1029 and 1030. These laws offer reasonable penalties for the criminal. Many 
state laws lack teeth, however. In many states the best that can be done 
under existing laws is to charge the hacker with a misdemeanor offense.

The time for change is now. Hackers don't believe they are doing anything 
wrong. They think confidential and marketable information should be 
accessible and free. They rant and rave about their First and Fourth 
Amendment rights. Mitch Kapor, creator of LOTUS 1-2-3 has even started a 
fund to help arrested hackers defend themselves. The industry needs to 
regain the upper hand. These hackers are nothing less than thieves stealing 
information and services.


Security for PBX/CBE equipment must be developed. The first area to 
approach is the maintenance modem port. Dial-up access to a bare modem 
protected by only user IDs and passwords does not offer security. PBX/CBE 
manufacturers should assist their customers in finding a suitable security 
Access Unit (SAU) to protect the dial-up port or offer such a product 
themselves. These SAUs work with multiple authentication schemes and can 
cost anywhere from $200 to $1,000 per line. All these products provide an 
additional layer of security. The cost differences stem from additional 
features such as real time alarms and audit trails.

Manufacturers, suppliers and vendors must fully explain  to equipment 
owners the existing security features of their systems. These include call 
restriction capabilities, event logging, traffic reporting, and auth code 
management features, to name a few.

Emphasize to your customers that the key to protection against fraud is 
diligence. Customers are battling a very resourceful and tenacious enemy. 
Letting one's guard down for a minute could cost one's company literally 
thousands of dollars a day. Remember, we're up against a professional 
industry stealing $1 to $1.5 billion annually. It is unlikely the hackers/call 
sell operators will go away any time soon. They will uncover and develop 
methods we have yet to imagine. However, by addressing the legal issues 
and putting more teeth in our laws and sentences, we may be able to turn 
the corner on toll fraud. Until then, you must offer your customers not only 
great products and services, but advice on how to prevent the wrong hands 
from using them as well.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH