TTY phone fraud and abuse

Steven M. Bellovin smb at research.att.com
Sun Apr 11 23:19:37 UTC 2004


In message <Pine.GSO.4.58.0404111748140.19031 at clifden.donelan.com>, Sean Donelan writes:
>
>On Sat, 10 Apr 2004, Scott Call wrote:
>> My point was that my $20 GE telephone cannot be made into a liability for
>> my telephone provider without my explicit participation, whereas a $20 a
>> month dialup (or $50 a month DSL, etc) customer can be a liability for me
>> just by being turned on.
>
>Although Bell Labs avoided publishing papers about weakness in the
>telephone system, it doesn't mean they don't exist.  The Communications
>Fraud Control Association has a decent publication on communications
>fraud.
>
>http://www.cfca.org/CCSP_dictionary_orderform.htm
>
>They cover numerous opportunities for mischief which can occur with your
>explicit, implicit, and even without your participation.
>
>In most cases it is the equipment connected to the line (i.e. CPE), not
>the line itself vulnerable to mischief.  An answering machine with a
>default remote access code, a cordless telephone without "digital
>security", an insecure PBX, etc.  The telephone network also offers
>other mischief opportunities such as call forwarding, voice mail,
>conference bridges, calling cards, third-party billing, collect calls
>and more.
>
>> Can people abuse the phone system?  yes, of course it can, but the
>> criteria for response are much higher, and in general the nature of the
>> network (low concurrent session limit, point to point, voice only) as it
>> is exposed to most people limits the damage that can be casually incurred.
>
>There is a difference between crimes against the telephone system
>and crimes using telephones.  The Department of Justice estimates
>Telemarketing fraud is a $40 Billion a year problem. But telemarketing
>fraud doesn't necessarily reflect a security vulnerability in the
>telephone system per se.  Or at least not a security vulnerability
>that can be solved solely by the telephone system.

As Sean knows very well, the world of telephony fraud is very big and 
very lucrative for the fraudsters.  I don't work on that directly, but 
I've had plenty of contact with people who do.  

The big issue in the U.S. is international toll fraud -- calls to some 
countries are very expensive because of artificially high settlement 
charges imposed by the receiving countries' telcos (i.e., their PTTs).  
In fact, for some Third World countries such revenue is a substantial 
part of their hard currency income.

Naturally, miscreants (to use robt's terminology) try to find ways to 
make such calls from the U.S. more cheaply.  Sometimes, this involves 
hacking PBXs, other times, it involves subscription fraud, or a variety 
of other kinds of misbehavior.  The responses are similar to those we 
use on the Internet -- traffic analysis (similar to looking at 
NetFlow), blacklisting calls to certain countries from, say, pay 
phones, etc.

The networks are different, so the types of fraud are different -- but 
they occur, and they're very big business indeed.  Note that U.S. 
telcos are obligated, by contract, law, and treaty, to pay real dollars 
to the receiving telcos, even if the call is fraudulent and the telcos 
can't collect.  At this point, domestic U.S. toll fraud is much less 
interesting, because the real dollar outflow per minute for such calls
is generally a couple of orders of magnitude less.  And then there are 
900 numbers -- but that's another story for another day.  Grab me in 
the bar at NANOG some time...


		--Steve Bellovin, http://www.research.att.com/~smb
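The countermeasures Steve describes above (per-origin traffic analysis in the spirit of NetFlow, plus blacklisting calls from pay phones to certain destinations) as an added worked example; this is not code from the original post, from NANOG, or from any telco. The settlement rates, destination prefixes, phone numbers, the one-hour/$100 threshold and the CDR lines are all constructed for illustration. The rate table deliberately puts domestic traffic two orders of magnitude below the high-settlement destinations, which is why the windowed rule only counts calls to high-cost prefixes.

```python
"""Toll-fraud triage over call detail records (CDRs).

Added example, not part of the original post. Rates, prefixes, numbers
and CDR lines are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical per-minute settlement charges (USD) by destination prefix.
# Longest-prefix match, like a routing table. "1" is domestic NANP traffic.
SETTLEMENT_RATE = {
    "1": 0.01,     # domestic: real-dollar outflow per minute is tiny
    "44": 0.04,    # illustrative low-cost international destination
    "234": 0.90,   # illustrative high-settlement destination
    "245": 1.40,   # illustrative high-settlement destination
}
HIGH_COST_RATE = 0.50              # assumption: >= this per minute is "high cost"
PAYPHONE_BLOCKED = {"234", "245"}  # assumption: prefixes blacklisted from pay phones
WINDOW = timedelta(hours=1)        # assumption: sliding window for traffic analysis
COST_THRESHOLD = 100.0             # assumption: USD outflow per origin per window


@dataclass(frozen=True)
class CDR:
    ts: datetime
    origin: str       # calling number, digits only
    origin_type: str  # "payphone", "pbx", "residential"
    dest: str         # called number, digits only, country code first
    minutes: float


def parse_cdr(line: str) -> CDR:
    """Parse one constructed CDR line: ts,origin,origin_type,dest,minutes."""
    ts, origin, otype, dest, minutes = line.strip().split(",")
    return CDR(datetime.fromisoformat(ts), origin.lstrip("+"), otype,
               dest.lstrip("+"), float(minutes))


def dest_prefix(dest: str) -> str:
    """Longest matching prefix in the rate table (empty string if none)."""
    best = ""
    for p in SETTLEMENT_RATE:
        if dest.startswith(p) and len(p) > len(best):
            best = p
    return best


def settlement_cost(cdr: CDR) -> float:
    """Real dollars the originating telco owes the receiving telco for the call."""
    return SETTLEMENT_RATE.get(dest_prefix(cdr.dest), 0.0) * cdr.minutes


def blacklist_alerts(cdrs):
    """Policy rule: no calls from pay phones to blacklisted high-settlement prefixes."""
    return [("blacklist", c.origin, c.dest) for c in cdrs
            if c.origin_type == "payphone" and dest_prefix(c.dest) in PAYPHONE_BLOCKED]


def traffic_alerts(cdrs, window=WINDOW, threshold=COST_THRESHOLD):
    """Traffic analysis: per-origin sliding window of high-cost settlement outflow.

    Like watching NetFlow for a host that suddenly pushes a lot of traffic:
    a PBX that racks up a large settlement bill in an hour is suspect.
    """
    by_origin = defaultdict(list)
    for c in sorted(cdrs, key=lambda c: c.ts):
        if SETTLEMENT_RATE.get(dest_prefix(c.dest), 0.0) >= HIGH_COST_RATE:
            by_origin[c.origin].append(c)
    alerts = []
    for origin, calls in by_origin.items():
        start, running = 0, 0.0
        for end, c in enumerate(calls):
            running += settlement_cost(c)
            while calls[end].ts - calls[start].ts > window:   # slide window forward
                running -= settlement_cost(calls[start])
                start += 1
            if running > threshold:
                alerts.append(("traffic", origin, round(running, 2)))
                break  # one alert per origin is enough to open a case
    return alerts


def triage(cdr_text: str):
    """Run both rules over newline-separated CDR lines."""
    cdrs = [parse_cdr(l) for l in cdr_text.splitlines() if l.strip()]
    return blacklist_alerts(cdrs) + traffic_alerts(cdrs)


# Constructed CDRs: a PBX making high-settlement calls at night, a pay phone
# dialling a blacklisted prefix, and an innocuous domestic residential call.
SAMPLE_CDRS = """\
2004-04-10T22:05:00,+12125550100,pbx,+442071234567,6.0
2004-04-11T01:10:00,+12125550100,pbx,+2341234567,35.0
2004-04-11T01:20:00,+12125550100,pbx,+2347654321,40.0
2004-04-11T01:45:00,+12125550100,pbx,+2459876543,30.0
2004-04-11T09:00:00,+12125550199,payphone,+2341230000,3.0
2004-04-11T09:30:00,+12125550177,residential,+13125550123,15.0
"""

if __name__ == "__main__":
    for kind, origin, detail in triage(SAMPLE_CDRS):
        print(f"{kind:9s} origin={origin} detail={detail}")
```

On the sample data the PBX trips the traffic rule (three high-cost calls within an hour totalling about $109.50 of settlement outflow) and the pay phone trips the blacklist rule; the residential call to a domestic number generates nothing, because at a cent a minute it would take days of continuous calling to reach the same outflow.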