
Disconnecting phone fraud.

New phone company programs are helping businesses pull the plug on phone fraud scams. Sprint has led the way.

WHAT WOULD YOUR COMPANY do if it received a phone bill with $430,000 in fraudulent calls? Would it pay the charges? Is it legally obligated to pay the charges?

The answer to the latter question is currently being examined in a hotly debated court case between Mitsubishi International Corporation and AT&T. The case, currently before the Federal District Court for the Southern District of New York, is thought to be the first where a user has filed suit against a vendor over toll fraud.(1) Businesses--particularly phone companies--are closely following this case as the outcome is certain to have enormous impact on the entire industry.

The dispute began in 1990 when Mitsubishi received two phone bills containing $430,000 in fraudulent charges. The company refused to pay. Mitsubishi says its carrier, AT&T, knew its private branch exchange (PBX) system was vulnerable to fraud but did not warn the company or move quickly once the fraud surfaced. It is suing AT&T for $10 million for punitive damages plus $30,000 for every month since September 1990 for the cost of replacing its equipment.

AT&T's defense is that fraud occurs when a user has poor security. The company points to previous Federal Communications Commission rulings that place liability on users, not carriers.

Mitsubishi is not alone. Consider some of the losses other companies and government agencies have been hit with in the last five years:

* NASA--$12 million

* Drug Enforcement Administration--$2 million

* United Nations--$1 million(2)

* New York City Human Resources Administration--$700,000

* Philadelphia Newspapers Inc.--$90,000(3)

These cases represent a mere sampling of the hundreds of businesses that have been victimized. Accurate statistics about the scope of the problem are hard to come by. Industry officials estimate the problem ranges anywhere from $1.2 billion to $3.8 billion annually. The US Secret Service, which investigates telecommunications crimes, sets the figure near the middle at $2.23 billion a year.

ASIS's Information Resources Center (IRC), which maintains information on a variety of security topics, has recently set up a separate category for telecommunications fraud data as more information has become available.

"Telecommunications fraud is out there," says Eva Giercuszkiewicz, manager of the IRC. "The problem is companies don't want to talk about it."

Events, however, are forcing businesses to change their thinking, and telephone companies are beginning to reconsider the need to work with customers to secure their phone systems.

Last summer the House Energy and Commerce Committee's Subcommittee on Telecommunications and Finance began hearings on telephone toll fraud. Testifying before the subcommittee were representatives from businesses victimized by toll fraud, the US Secret Service, and telephone companies.

The committee learned that securing phone systems can be difficult. As Robert H. Rasor, special agent in charge of the Financial Crimes Division of the Secret Service, told committee members, "The telecommunications system is designed for legitimate use and, by nature, is further designed for easy access to consumers."(4)

Telephone industry deregulation has further complicated the issue. "Prior to the breakup of AT&T in 1984, toll fraud was a phone company problem, and carriers enacted the necessary security measures and bore all the liability," Rep. Edward J. Markey (D-MA), chairman of the subcommittee, said at the hearings.

"Now, with the advent of customer premises equipment (CPE), where customers can purchase their own telephone gear from a variety of vendors, users face unlimited liability," Markey explained. "I believe that given this change in circumstances, the equation needs to be reexamined in terms of fairness and who is in the best position to solve the problem."(5)

Sprint, which participated in the hearings, has taken the lead on the issue of shared responsibility. Last spring, the Kansas City, MO, company introduced a customer protection program to its business customers limiting their liability for toll fraud to the first $25,000.

Sprint then assumes liability for the cost of fraudulent calls up to $1 million. After $1 million, the liability goes back to the customer. The move made Sprint the first carrier to acknowledge that it will share responsibility for customer fraud losses. The plan includes a range of preventive features.

"We are offering this program because of a definite need our customers had," says Robert F. Fox, assistant vice president of corporate security for Sprint. "They said, 'Don't just tell us we've got a problem coming out of Cleveland. We want to see reports. We want to see when it started, where the calls were going, times, dollars. We want details. And we want someone dedicated to us throughout the whole problem.'

"My feeling is that if we didn't help our customers, they would have gone to another carrier and gotten the help," Fox explains.

Not long after Sprint announced its program, AT&T introduced a similar plan. MCI followed, offering a one-time discount of 30 percent on fraudulent charges to its clients.

FOX CAME TO WHAT WAS THEN GTE Sprint from GTE Corporation in 1987 to set up the corporate security department. What Fox discovered when he arrived at the Kansas City office was telecommunications fraud on such a massive scale that setting up the security organization took a backseat to the more immediate issue at hand: getting fraud under control.

"For the first year and a half to two years, we spent probably 99 percent of our time just working on telecommunications fraud," recalls Fox.

"We hired a lot of investigators," he says. Computer experts and other specialists were also brought in to help with the problem.

During that time Sprint investigated what ended up being a $20 million case. The case involved a group of individuals who were hacking Sprint's long-distance access codes, then passing them off as their own. To appear legitimate, the group formed a number of companies and was even so bold as to distribute flyers and advertise in newspapers and magazines.

For a while, the scam worked. Companies went to these people in good faith and signed up for their services. Eventually Sprint uncovered the illegal operation and prosecuted the group of 10 to 15 individuals, most of whom are in prison now.

"During that period, Sprint began to recognize the significant financial loss it was incurring as a result of toll fraud," says Fox, "and great effort was made to bring it under control."

Since Fox joined Sprint five years ago, fraud has decreased by nearly 90 percent through the efforts of many Sprint departments. But that is only half the story. It concerns only the fraud for which Sprint assumes liability--phone card fraud and fraudulent accounts.

"If somebody steals or hacks your phone card and uses it," says Fox, "there was no way for you to control that. We assume the liability."

Sprint's solution to calling card fraud was to make card numbers longer--14 digits to be exact--and implement sophisticated network fraud detection systems. That makes the crime more difficult to commit.

The problem is that computer hackers and abusers do not go away, says Fox. They migrate.

When Sprint made phone card fraud more difficult, criminals moved on to the second type of fraud--fraud for which the business customer is responsible--PBX and voice mail. It is this type of fraud that has been the subject of so much controversy.

Businesses do not think they should have to pay the charges if someone hacks into their system. Phone companies say they certainly are not to blame if a customer's security is not adequate to stop criminals. Sprint's customer protection program strikes a compromise for companies willing to take security precautions and pay a fee.

"The program was designed to be sold to customers who are truly concerned about their financial exposure to fraud," says Fox. "It is designed to cover the big hit, the catastrophic, the $200,000 frauds, the $500,000, the millions, the $1.5 million hits."

In addition to an activation fee of $100 per location and a monthly maintenance charge of $100 per location, businesses must sign a two-year contract. Ten Fortune 100 companies have signed up for the program. An additional 100 major corporations have expressed interest in the plan, according to Fox.

Prevention is a big part of Sprint's new program. Businesses that sign up must agree to take some responsibility by implementing the following security measures:

* Use a minimum of eight digits for each direct inward system access (DISA) code. If the customer premises equipment (CPE) does not support eight digits, Sprint corporate security will determine an alternative security method.

* Eliminate all voice mail external call-transfer capabilities, including the ability to transfer or route traffic to the trunk level.

* Install a security system (for example, call-back) on all CPE remote maintenance ports.

* Delete all manufacturer- and vendor-installed default passwords.

Although these measures are what Fox terms "basic telecom security," he is amazed how many businesses do not have these measures in place. "Hackers are lazy," he says. "They want an easy way in and a fast way out. If you don't do these types of things, you're easy. They are going to get through your system and cause you a lot of pain. If you do these things, they're going to go after somebody else."

Lax security is one of the reasons phone fraud is so rampant. It is far easier to break into a corporation's voice mail system and access an outside phone line for free international calls than it is to break into the mainframe computer and access data. That is "because you're usually dealing with four- and five-digit codes," explains Fox. "When you try to get into a mainframe, there are usually a lot of barriers to keep you out. You've got to really know what you're doing."

Fox does not see fraud for which the business customer is currently responsible disappearing anytime soon, in part because not all of the thousands of corporations facing the problem will be willing to take adequate measures to stop it.

SPRINT WAS ABLE TO PROVIDE ITS CUSTOMER protection program because the security department employs several full-time computer programmers. Alan Ballew, Sprint's manager of security LAN (local area network) systems, designed and wrote the network fraud analysis programs himself.

Says Fox, "Because we are in the telecommunications industry and all of our switches are large, sophisticated computer systems, the corporation is very computer literate. It's commonplace for us to say, 'Let's build a new system to do this.'"

Sprint's corporate security department monitors a business's traffic via sophisticated computer programs. For businesses that qualify to sign up for the protection program, Sprint monitors and analyzes their traffic seven days a week and alerts them when a problem arises.

When a problem surfaces, Sprint electronically transmits the information directly to customers so they can see for themselves what is happening. For example, when Sprint sees more than a set number of short-duration attempts followed by one unusually long attempt, that pattern often indicates a system was being hacked and the hacker got through.

Calls to certain countries--such as the Dominican Republic, Peru, and Colombia--are red flags. While a lot of legitimate business calls are placed to these countries, a significant number of the calls made to that part of the world are fraudulent, according to Fox. The type of business a company conducts, however, needs to be considered.

Take Colombia. Many calls placed to that country, says Fox, are fraudulent. But he cautions against jumping to conclusions. "Colombia is also one of the world's largest providers of flowers," he notes. "The United States buys a lot of flowers from distributors in Colombia."
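The two heuristics Fox describes, a burst of short attempts followed by one long call and the destination red flags tempered by what business the customer is in, worked through over call detail records as an added Python example. This is not Sprint's analysis program; the record layout, thresholds, dialing prefixes, the vouched-for number list and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed thresholds, constructed for this illustration (not Sprint's values).
SHORT_CALL_SEC = 15          # a call this short is treated as a failed attempt
BURST_MIN_ATTEMPTS = 5       # short attempts before we suspect code guessing
BURST_WINDOW = timedelta(minutes=10)
LONG_CALL_SEC = 20 * 60      # an "unusually long" call that follows a burst
# Dialed-number prefixes for the countries the article names as red flags.
RED_FLAG_PREFIXES = {"1809": "Dominican Republic", "01151": "Peru", "01157": "Colombia"}

@dataclass
class CallRecord:
    start: datetime
    source: str     # DISA port or trunk the call came in on
    dialed: str     # digits as dialed: 1+NPA in North America, 011+CC abroad
    duration: int   # seconds

def red_flag_country(dialed: str) -> Optional[str]:
    """Name the red-flag country a dialed number goes to, or None."""
    for prefix, name in RED_FLAG_PREFIXES.items():
        if dialed.startswith(prefix):
            return name
    return None

def find_hack_patterns(records: List[CallRecord]) -> List[dict]:
    """Alert on each source whose burst of short attempts is followed by one long call.
    Each alert carries what customers asked for: when it started, where it went, how long."""
    alerts = []
    by_source: Dict[str, List[CallRecord]] = {}
    for rec in records:
        by_source.setdefault(rec.source, []).append(rec)
    for source, calls in by_source.items():
        calls.sort(key=lambda c: c.start)
        attempts: List[CallRecord] = []
        for call in calls:
            # drop attempts that have fallen out of the sliding window
            attempts = [a for a in attempts if call.start - a.start <= BURST_WINDOW]
            if call.duration <= SHORT_CALL_SEC:
                attempts.append(call)
            elif call.duration >= LONG_CALL_SEC and len(attempts) >= BURST_MIN_ATTEMPTS:
                alerts.append({"source": source, "started": attempts[0].start,
                               "attempts": len(attempts), "dialed": call.dialed,
                               "duration": call.duration})
                attempts = []
    return alerts

def flag_red_flag_calls(records: List[CallRecord], known_business: set) -> list:
    """Flag completed calls to red-flag countries, except to numbers the customer
    has vouched for (the article's Colombian flower distributor)."""
    return [(r.start, r.dialed, red_flag_country(r.dialed)) for r in records
            if r.duration > SHORT_CALL_SEC and red_flag_country(r.dialed)
            and r.dialed not in known_business]

# Constructed sample CDRs: six quick guesses on DISA port 2, then a long call to Peru.
T0 = datetime(1992, 6, 1, 2, 0)
SAMPLE = [CallRecord(T0 + timedelta(seconds=30 * i), "disa-2", "01151146", 4) for i in range(6)]
SAMPLE += [
    CallRecord(T0 + timedelta(minutes=4), "disa-2", "011511480", 1800),  # hacker got through
    CallRecord(T0 + timedelta(hours=8), "trunk-1", "0115712340", 600),   # daily flower order
    CallRecord(T0 + timedelta(hours=9), "trunk-1", "0115719999", 300),   # unknown Colombian number
]
KNOWN_BUSINESS = {"0115712340"}   # numbers the customer has told Sprint are legitimate
```

Running `find_hack_patterns(SAMPLE)` yields one alert for `disa-2` that began at `T0` after six attempts, and `flag_red_flag_calls(SAMPLE, KNOWN_BUSINESS)` flags the Peru call and the unknown Colombian number while passing the flower order.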

If a problem is discovered and corrected, Sprint pays particularly close attention to all of the customer's PBX systems for the next 30 days to ensure the hacker has truly gone away.

In the case of voice mail fraud, when a hacker breaks into the system and hits on an extension code, it is usually not enough to shut down just that extension number, says Fox. Because extension numbers are usually in sequence, when one is shut down, the hacker will leave a particular system, only to return a few days later and hit the company again by accessing the next extension number in the sequence.

Hackers can be sophisticated. Some understand telecommunications switching systems. And with the proliferation of home computers, Fox predicts they are going to become even more sophisticated. "We've got to get more sophisticated in the way we build our preventive programs," says Fox.

On average, eight or nine types of scams are probably in operation at any one time, according to Fox, who has been in the industry for 15 years. Two or three of those are major operations. Whenever schemes are no longer profitable, new ones develop.

The two major ploys currently in use are Amigo and call-sell operations. Both, says Fox, are sophisticated and extremely difficult to get a handle on.

The Amigo operation, named after the Middle Easterner credited with starting the scam, is the newest fraud to hit the streets. Although the individual was arrested more than a year ago, "his disciples and trainees are here," says Fox.

The scam grew out of the ongoing turmoil in the Middle East. When governments sever ties with their neighbors, citizens have no way of communicating with relatives in other countries. What has resulted is a sort of underground communication relay system, with the United States serving as the go-between or switching station.

Amigo operatives come to the United States on visas. They quickly rent apartments and set up phones. People who want to talk to relatives in a country where communications have been severed call the apartment in the United States, and the call is then routed to the other country. It appears the call is originating from the United States.

Business is apparently thriving. "We have heard a rumor that a small country is putting in a telephone switch to handle this illegal activity," says Fox. "It's big-time international fraud. People will pay a lot of money to talk to their relatives in another country."

The call transfer itself is not illegal, but the operatives change locations every five to seven days and then leave the country without paying the phone bills. Replacements enter the country with new visas, and the process begins anew.

The second scheme, a call-sell operation, is popular in neighborhoods that have large immigrant populations. For a price--usually $10 to $15--a call-sell operator sells a long-distance phone call to an individual.

Using a stolen PBX access number, the call-sell operator punches in the code and dials the number for his or her customer. The person is allowed to talk to his or her party for a set period of time.

During the past year, call-sell operations have received considerable media attention, perhaps because they are so blatant. Forbes magazine ran a feature story last August in which it reported that in cities such as New York, Los Angeles, and Chicago, immigrants actually line up at pay phones on the streets, waiting to make their calls.

The problem is so bad in New York City that last summer New York Telephone started blocking all international calls from about 3,500 public pay phones in Times Square and other locations in midtown Manhattan.

In the city's Port Authority Bus Terminal area and around Grand Central Station, the call-sell operations problem is still serious. "You can go there anytime day or night and buy a long-distance call," says Fox. "And if you use your own calling card, I guarantee you somebody's going to be reading the number over your shoulder."

Of the two scams, Amigo operations are more ingenious and more difficult to prevent because the operations are so well thought-out. "They truly understand how to switch apartments, how to switch carriers, how to flimflam the landlords," says Fox. "We've also seen how they have perfected the way they order their services from the local phone companies."

Trying to identify these criminals is next to impossible. "When someone comes into this country on a visa," says Fox, "you don't know what his or her intentions are. And these people move in and out of the country so fast."

While less ingenious, call-sell operations are no easier to shut down. Like Amigo operators, call-sell operators move their operations to different locations weekly.

"It's difficult to react fast enough," says Fox. "You're going to catch some, but they just multiply. It's like going into the Port Authority Bus Terminal in New York and New Jersey and arresting someone for selling stolen codes. When that person is arrested and taken away from a phone, 10 people are waiting to take over that territory."

Fox estimates that a good call-sell operator can make $100,000-plus a year--tax-free. The hacker who steals PBX access numbers for call-sell operators also fares well, making up to $3,000 per stolen code.

And the people who are making calls to their homeland are getting cut-rate phone calls. Many of these individuals, whose English-speaking skills are poor to nil, are not even aware that what they are doing is illegal. Their friends are also doing it, and they think this is how the phone system operates in the United States.

IT ALL COMES BACK TO PREVENTION, says Fox. "The answer is to make yourself less vulnerable than anybody else."

Sprint has managed to do that in terms of controlling the fraud for which it is liable. Fox tells of a recent case involving an operation with the Port Authority police in New Jersey in conjunction with MCI and AT&T.

"After it was all over, we discovered no Sprint phone cards were used," says Fox. "When we asked those who were arrested why not, they said they didn't like Sprint's phone cards because they did not stay up, they did not last long. And we replied, 'Why, thank you.'"

Sprint is confident the steps it has taken to protect its customers from fraud are also working. In the first year of the program's operation, Sprint does not expect to pay out any money to its customers. "We're catching the problem so far below $25,000," says Fox, "I think it will be a rarity that it will go above $25,000, much less get into the hundreds of thousands of dollars."

A case in point is DISA fraud, which enables an employee who is out of the office to call in on a local or 800 line and make long-distance calls as if he or she were inside the building.

"That fraud has really died off about 95 percent in the last six to eight months," says Fox. "But voice mail fraud has taken its place, though it is not going up at the same pace as other types of fraud. Through our analysis programs, we're seeing the problem early on and telling customers, so their losses are minimal."

But, as Fox reiterates, computer hackers and abusers do not go away. They migrate.

"Hackers and abusers look for the most vulnerable opportunity, and right now," says Fox, "that is cellular phones. You are going to see a significant effort within the cellular industry to deal with the problem. If not, it's going to run rampant."

Sprint has already begun working with its customers on new programs, several of which Fox reports are in the developmental stage.

"I know of no one who has the resources in their organization to have people sitting around trying to identify every single vulnerability in their system," says Fox. "What usually happens is the hacker finds the new hole.

"My measure of success is when that happens, how fast do we see it? How fast can we plug it? How fast can we protect our customers? That," says Fox, "is our goal."

1. Barton Crockett, "User Hits AT&T with $10m Toll Fraud Suit," Network World, June 24, 1991.

2. William G. Flanagan and Brigid McMenamin, "For Whom the Bells Toll," Forbes, August 3, 1992, p. 60.

3. Mark Lewyn, "Does Someone Have Your Company's Number?" Business Week, February 4, 1991, p. 90.

4. Corporate Security Digest, Vol. 6, No. 25, June 22, 1992, p. 6.

5. Corporate Security Digest, pp. 1, 4.

Karen K. Addis is assistant editor of Security Management and editor of Dynamics.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Author: Addis, Karen K.
Publication: Security Management
Date: Oct 1, 1992