[ISN] $89,911 phone bill

From: InfoSec News (isnat_private)
Date: Thu Jun 21 2001 - 18:08:29 PDT

  • Next message: InfoSec News: "Re: [ISN] Insiders are main computer security threat"

    Michael E. Kanell - Staff
    Thursday, June 21, 2001
    Hackers from metro New York used a Covington company's toll-free line,
    slipping through a technological loophole to run up $89,911.80 in
    overseas calls.
    Now, it's a question of who pays the bill.
    Since no bad guys have been caught, the question of who ought to eat
    that cost --- racked up in one week of reaching out to several other
    continents in September 1999 --- depends on which version of events
    you believe and which interpretation of the law.
    Officials of the Covington company, Gerri Murphy Realty, say they bear
    no blame for the calls to Pakistan, India, Bangladesh and other spots
    outside metro Atlanta. Finding that the phone line was misused was
    unpleasant. Finding that the company is supposed to pay sent the trio
    who owns and runs Murphy Realty scrambling for lawyer Robert
    Stansfield. Ralph Murphy, corporate secretary for the realty company
    and also Gerri Murphy's husband, said he wants businesses to know they
    are vulnerable, but he is worried about his company's survival.
    "How many people have their britches down and they don't know it? The
    only thing we could do is go bankrupt if we got a judgment for
    $90,000," he said.
    While AT&T has offered to settle for $45,000, it has sued Murphy
    Realty in federal court because it believes the scam was carried out
    using the company's voice mail, said AT&T spokesman David Arneke. "The
    basic principle is that customers are responsible for calls made using
    their own phone lines. We told them it was their problem, and we told
    them they had responsibility for fixing the problem."
    It started Sept. 6 when Murphy's office manager was awakened at home
    by someone at AT&T who noticed unusual activity --- overseas calls ---
    on the real estate company's line. Thieves had already rung up about
    $6,000 in charges. Murphy said he was assured by AT&T it would do what
    it could to solve the problem. But hours and days slid by, and the
    numbers on the meter kept mounting.
    "Basically, we told them that whatever it takes, turn it off," Murphy
    said. "We thought at that point that they had pulled the plug, but
    they had not pulled the plug."
    That's not the way AT&T representatives remember it. The crooks were
    calling the toll-free number and using the Murphy voice mail to get an
    open line, Arneke said. "And if your system is being hacked, we can't
    fix it for you."
    AT&T did block international calls from the lines. But the hackers
    scooted around that. AT&T has since added protections to prevent
    hackers from taking that detour, but that doesn't absolve Murphy,
    Arneke said. His position is that the hackers were still getting an
    open line via the company's voice mail.
    No, no, no, insists Murphy Realty, which is convinced the hacker got
    the open line from a BellSouth switch. A Murphy technician has
    testified he did what AT&T suggested, eliminating any way a caller
    could get an open line from the voice mail.
    The international charges continued until Sept. 13 when AT&T blocked
    use of the toll-free line from anywhere in the continental United
    States. Murphy thought that was the end of it. Until the bill came.
    Accustomed to a phone bill of $400 to $500 a month, even AT&T's
    settlement offer looks steep, he said. "We are a mom-and-pop
    operation. We can't afford to pay $45,000."
    As it is, the company has rung up more than $15,000 in legal expenses,
    he said.
    The lawyer, Stansfield, wonders why AT&T didn't make the fix sooner.
    Why didn't AT&T offer Murphy Realty the option of turning off the 800
    line? Why did AT&T assure Murphy that it would not be liable --- at
    least after AT&T told them about the scam and Murphy Realty did what
    it was asked?
    Stansfield argues AT&T's inability to shut down the scamsters should
    absolve Murphy Realty of responsibility.
    Not when it was Murphy's responsibility, contends AT&T.
    AT&T sued Gerri Murphy Realty in federal court, an action placed on
    hold while the parties slug it out later this month before the Federal
    Communications Commission in Washington.
    No arrests have been made. The calls were made from pay phones in New
    York and New Jersey. The amount involved probably wouldn't justify an
    international investigation.
    Not paying a $90,000 bill meant a cutoff. So now, the two-office
    company has long-distance service from WorldCom's MCI unit, although
    Ralph Murphy said he doesn't think it has any more protection from a
    phone scam than before.
    The odds are against a repeat --- it's just not that common a scam.
    The phone hacking phenomenon is less frequent than before.
    For one thing, the feloniously tech-savvy person has more options ---
    the Internet, for example. And the Net itself provides a much cheaper
    way to make international calls.
    AT&T says it sees 1,400 to 1,500 cases a year amounting to $15 million
    in stolen services from AT&T and its customers out of a $4
    billion-a-year total fraud cost. A typical scam can easily be as
    costly as the $90,000 tab run up in the Murphy Realty case, Arneke
    But the company doesn't end up in court often, he said. "These cases
    are usually settled out of court now because there are such a
    significant number of rulings on this that customers realize that the
    law is well-established. We try to negotiate with the customer, as we
    did here. And what we would really like is to reach a point where the
    customer is satisfied and we are satisfied."
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 23:07:02 PDT