Information Security News mailing list archives

Voicemail Hacking Leaves Ears Ringing


From: InfoSec News <isn () c4i org>
Date: Thu, 17 Apr 2003 02:39:31 -0500 (CDT)

http://www.latimes.com/technology/la-fi-phonehack16apr16,1,6980247.story?coll=la%2Dheadlines%2Dtechnology%20.html

By Kathy M. Kristof
Times Staff Writer
April 16, 2003 

Voicemail can cost you. Just ask K.C. Hatcher, a San Francisco-based
graphic artist.

AT&T wants her to pay $12,000 in long-distance charges rung up by a
hacker who apparently changed Hatcher's voicemail message to accept
third-party billed calls to Saudi Arabia and the Philippines.

"I am totally obsessing about this," said Hatcher, whose normal
long-distance bill runs $35 a month. "I'm getting married in June. I
want to buy a house, and I'm worried that this fraud is going to ruin
my credit."

Such voicemail hacking is on the rise -- and phone customers are
wrongly being held liable for it, according to San Francisco-based
Consumer Action.

AT&T acknowledges that the scamming has become all too common and that
people rarely know they have been had until company fraud
investigators alert them to unusual activity on their phones. But
AT&T, like some other long-distance providers, insists that consumers
foot most of the bill.

"It is the responsibility of the customer to secure their voicemail
system," said Gordon Diamond, a spokesman for AT&T in San Francisco.

Maureen Claridge, a San Francisco travel agent, doesn't see it that
way but has been unable to persuade AT&T to let her off the hook. The
company has sent her $8,000 long-distance bill -- generated by a
voicemail hacker -- to a collection agent, Claridge said.

Linda Sherry of Consumer Action maintains that telephone companies are
largely to blame.

Hackers take advantage of the voicemail offered by local phone
companies -- including SBC Communications Inc., which provides the
system Hatcher and Claridge use -- and long-distance companies'
voice-activated operator services.

What a hacker does is break into a person's voicemail and record a
message so that it will respond affirmatively to an automated operator
that calls the person's home phone seeking approval for third-party
billing of a long-distance call.

Sherry noted that at AT&T, the automated system always asks the same
questions and waits a set interval for a response, making it fairly
easy for a hacker to synchronize his fraudulent voicemail message.

"That AT&T would permit third-party phone charges based only on the
authority of a recorded message is beyond belief," Sherry said.
"Third-party billing should be allowed only when a real person answers
the phone and is able to verify that they approve the charges."

AT&T's Diamond countered that the company's automated system is
"fairly sophisticated," adding: "If it was a live operator, I don't
know that it would turn out any differently."

AT&T suggests that consumers change their pass codes regularly; avoid
pass codes that are intuitive, such as birth dates and addresses; and
check their announcements to make sure they haven't been changed.

Diamond said AT&T works on a case-by-case basis with customers who
believe they have been defrauded but doesn't necessarily write off
fraudulent charges.

MCI Communications also offers automated operator assistance and has a
similar policy, spokeswoman Audrey Waters said. Sprint Corp. handles
calls billed to a third party manually, which Sprint says has stymied
this particular fraud.

Meanwhile, SBC said it recently changed its voicemail system so that
default pass codes aren't so easy to guess. The company says it has a
policy of reversing charges when a consumer is willing to file a
police report claiming fraud.



-
ISN is currently hosted by Attrition.org
