[ISN] Voicemail Hacking Leaves Ears Ringing

From: InfoSec News (isnat_private)
Date: Thu Apr 17 2003 - 00:39:31 PDT


    http://www.latimes.com/technology/la-fi-phonehack16apr16,1,6980247.story?coll=la%2Dheadlines%2Dtechnology%20.html
    
    By Kathy M. Kristof
    Times Staff Writer
    April 16, 2003 
    
    Voicemail can cost you. Just ask K.C. Hatcher, a San Francisco-based
    graphic artist.
    
    AT&T wants her to pay $12,000 in long-distance charges rung up by a
    hacker who apparently changed Hatcher's voicemail message to accept
    third-party billed calls to Saudi Arabia and the Philippines.
    
    "I am totally obsessing about this," said Hatcher, whose normal
    long-distance bill runs $35 a month. "I'm getting married in June. I
    want to buy a house, and I'm worried that this fraud is going to ruin
    my credit."
    
    Such voicemail hacking is on the rise -- and phone customers are
    wrongly being held liable for it, according to San Francisco-based
    Consumer Action.
    
    AT&T acknowledges that the scamming has become all too common and that
    people rarely know they have been had until company fraud
    investigators alert them to unusual activity on their phones. But
    AT&T, like some other long-distance providers, insists that consumers
    foot most of the bill.
    
    "It is the responsibility of the customer to secure their voicemail
    system," said Gordon Diamond, a spokesman for AT&T in San Francisco.
    
    Maureen Claridge, a San Francisco travel agent, doesn't see it that
    way but has been unable to persuade AT&T to let her off the hook. The
    company has sent her $8,000 long-distance bill -- generated by a
    voicemail hacker -- to a collection agent, Claridge said.
    
    Linda Sherry of Consumer Action maintains that telephone companies are
    largely to blame.
    
    Hackers take advantage of the voicemail offered by local phone
    companies -- including SBC Communications Inc., which provides the
    system Hatcher and Claridge use -- and long-distance companies'
    voice-activated operator services.
    
    What a hacker does is break into a person's voicemail and record a
    message so that it will respond affirmatively to an automated operator
    that calls the person's home phone seeking approval for third-party
    billing of a long-distance call.
    
    Sherry noted that at AT&T, the automated system always asks the same
    questions and waits a set interval for a response, making it fairly
    easy for a hacker to synchronize his fraudulent voicemail message.
    
    "That AT&T would permit third-party phone charges based only on the
    authority of a recorded message is beyond belief," Sherry said.  
    "Third-party billing should be allowed only when a real person answers
    the phone and is able to verify that they approve the charges."
    
    AT&T's Diamond countered that the company's automated system is
    "fairly sophisticated," adding: "If it was a live operator, I don't
    know that it would turn out any differently."
    
    AT&T suggests that consumers change their pass codes regularly; avoid
    pass codes that are intuitive, such as birth dates and addresses; and
    check their announcements to make sure they haven't been changed.
    
    Diamond said AT&T works on a case-by-case basis with customers who
    believe they have been defrauded but doesn't necessarily write off
    fraudulent charges.
    
    MCI Communications also offers automated operator assistance and has a
    similar policy, spokeswoman Audrey Waters said. Sprint Corp. handles
    calls billed to a third party manually, which Sprint says has stymied
    this particular fraud.
    
    Meanwhile, SBC said it recently changed its voicemail system so that
    default pass codes aren't so easy to guess. The company says it has a
    policy of reversing charges when a consumer is willing to file a
    police report claiming fraud.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 04:18:46 PDT