Printer Friendly

Costly callers: prosecuting voice mail fraud.

ON AUGUST 17, 1990, LESLIE LYNNE Doucette, also known as Kyrie, age 36, was sentenced to 27 months in prison by Judge Milton I. Shadur of the United States District Court in Chicago. Her sentence, one of the most severe ever given to a computer hacker in the United States, was based on her role as the head of a nationwide voice mail computer fraud scheme and her unauthorized possession of 481 access codes as part of that scheme.(1)

Doucette's unauthorized access codes(2) included credit card numbers from Visa, MasterCard, American Express, and Discover Card; telephone calling card numbers from AT&T, MCI, Sprint, and ITT; private branch exchange (PBX) long-distance access codes(3); and computer passwords. In pleading guilty, she admitted that she had trafficked these and other access codes on compromised voice mail computers to 152 computer hackers around the United States, causing fraud losses of $595,941.(4)

Evidence developed during the investigation and disclosed in pretrial proceedings revealed that the case was part of a broader trend toward voice mail computer abuse by hackers. This article examines the telecommunication technology involved and the ways computer hackers use and abuse that technology, and it summarizes the investigation that led to Doucette's conviction and the convictions of other hackers in her group.

VOICE MAIL COMPUTERS ARE THE CURRENT darlings of the computer and telecommunication industries. At present they are an $800 million per year business with a projected 40 percent annual growth rate pushed by the big three companies: Octel, AT&T, and Rolm.(5)

A voice mail computer operates like a highly sophisticated answering machine and frequently is attached to an 800 (toll-free) number. From the caller's viewpoint, the technology is largely transparent. An incoming call activates the system only when the person being called does not answer the telephone before a certain number of rings. The caller is then transferred to the voice mail computer, which explains how to leave a message or transfer to another telephone line for assistance. Instead of recording these messages on audiotape, the computer stores them in digital form.

From the user's viewpoint, the voice mail computer provides more flexibility than an answering machine. From any location in the world, the user can reach the company's 800 number and receive and store his or her own messages and reroute messages from callers to other voice mailboxes on the same system. These functions are controlled by entering the appropriate numerical commands on the telephone keypad in response to computer prompts.

Security on voice mail computers is accomplished through numeric passwords assigned by the computer administrator. To retrieve messages, the user calls the voice mail computer and dials the assigned confidential numeric password, which acts as a key to unlock his or her voice mailbox.

Unlike many other types of computer abuse, hacking voice mail computers frequently is not an end in itself. Rather, hackers use voice mail as a means to a specific end: undetected, high-volume traffic in illegal access codes throughout the hacker underground.

Their motive is clear. Hacking can be an expensive hobby. Computer hacking, by definition, involves one computer user's unauthorized intrusion through telephone connections and modems into someone else's computer.(6)

Such intrusion often involves hundreds of long-distance telephone calls a month and a correspondingly high long-distance phone bill. As an illegal cost-cutting measure, hackers use stolen access codes to pay for their long-distance calls. Thus, hacker attacks on computers across the country and around the world are unwittingly sponsored by innocent victims whose calling cards, PBX extender codes, and credit cards are being abused.

Of course, individuals and companies learn of the abuse when their telephone bills are delivered, if not sooner. They then immediately deactivate the codes. Therefore, hackers have to exchange large numbers of "hot" (valid) access codes continuously to obtain those free long-distance calls.

For years the principal trading centers for stolen access codes were underground or pirate computer bulletin boards. Hackers merely contacted pirate bulletin boards and exchanged illegal codes.

The problem with this practice was that telecommunication security officials and law enforcement agents began reading the bulletin boards and noting the posted access codes.(7) Posted codes were then quickly invalidated, and steps were taken to trace and catch the hackers who posted the codes. Hackers then began migrating to compromised voice mail computers as a safer and more dynamic vehicle for exchanging access codes.

How do hackers gain access to and compromise the security on voice mail computers? The same way they beat any other computer system: by exploiting lax security on the part of system administrators and users. Hackers also learn voice mail computer passwords from other hackers, from "Dumpster diving," and by programming "war dialers" to dial and record toll-free 800 numbers automatically. They then redial those numbers to identify the voice mail computers.

Once they locate voice mail computers, hackers use special password-cracking programs or "finger hacking" procedures to decipher the numeric passwords of some or all of the voice mailboxes.(8) Hackers then enter the computers and change the voice mailbox passwords so that they, and not the legitimate users, control access to the boxes.(9)

Having gained control over various voice mailboxes, hackers then contact their friends and begin posting stolen access codes in the compromised voice mailboxes. In this way, a wide variety of access codes are exchanged on compromised voice mail computers, including credit card numbers, computer passwords, diverters,(10) loops,(11) bridges,(12) radiuses,(13) the telephone numbers for other code lines,(14) and most significantly PBX long-distance codes.

HACKER ABUSE OF VOICE MAIL COMPUTERS causes two kinds of losses: direct and indirect. As a rule, the direct monetary losses suffered by a company whose voice mail computer is attacked are slight because hackers use only a few voice mailboxes on the computer and seldom preclude legitimate customers or employees from using their own voice mailboxes. (15) Moreover, the cost of each illegitimate 800 telephone call to the voice mail computer may be only a few cents.

The more substantial problem is the indirect losses that fall on companies whose access codes are traded on the compromised voice mail computers. Abuse of the remote access codes used with PBX systems, often referred to as PBX long-distance codes or extender codes, can be especially expensive.

A PBX is a customer-operated, computerized telephone switching system. It provides internal telephone communications between stations located on a premises as well as telephone communications between the company and other public or private telephone networks.

As noted, many PBXs are also equipped with remote access units. By calling these access units and entering a numeric password (extender code) on a telephone keypad, a remote caller can obtain a dial tone that enables him or her to make long-distance telephone calls through the PBX at the expense of the company operating the PBX computer switch.

The losses through this type of fraud can be dramatic. One telecommunications provider has documented a case in which computer hackers involved with a "call sell" operation made more than $1.4 million worth of telephone calls against one PBX owner's extender code over a four-day holiday period.

Moreover, hackers have testified in court that such gang attacks on PBX systems are the result of deliberate action by the hacker community. The hackers reason that if a large number of hackers act simultaneously against one number and generate a substantial bill against that number, prosecution of those hackers will be almost impossible. Hacker logic dictates that if the authorities trace them, each hacker will be just one of a large group of hackers too numerous to be prosecuted effectively.(16)

AS A RULE, HACKER ACTIVITY ON VOICE mail computers quickly comes to the attention of the system administrator (sysop) of the computer under attack. The sysop's immediate response is to eliminate the hackers by changing the codes on the mailboxes.

However, hackers can easily overcome this step unless the sysop also substantially increases the number of digits in each numeric password. If the hackers regain access to the voice mail computer, they often enter the sysop's personal voice mailbox and leave terse warnings to leave them alone.

Frequently, aggressive hackers also attempt to extort "safe" voice mailboxes from the sysop on the voice mail computer. They tell the sysop that unless they are given use of several of the boxes on the voice mail computer, they will take control of the entire computer system.(17) This is a form of hacker hardball that presents the sysop with a dilemma.

As with all extortion demands, the options are not attractive. On one hand, the sysop can stand up to hacker demands and face the prospect of losing control over his or her voice mail computer. One such situation was documented in California during the Doucette investigation.

In that case the hacker told the sysop that unless voice mailboxes were made available to him within 30 minutes, he would take over sysop or " super user" privileges on the computer and lock the sysop out of his own computer. When the sysop hesitated, the hacker proved he was better than his word. He waited only 25 minutes before he followed through on his threat and took over the system. The sysop had to "hack" into his own system to regain control.

On the other hand, a sysop who appeases hackers by allowing them to use voice mailboxes on his or her computer to trade illegal codes invites enormous civil consequences for his or her corporation. Hackers converge on these systems and set up code lines to exchange hundreds of access codes each day. These codes in turn are abused by large numbers of other hackers and generate large telephone bills.

As a result, individual victims and victim companies are faced with enormous losses on these telephone bills and little chance of recovering their losses from hackers. However, the appeasing company and its compromised voice mail computer offer a deep pocket that the victims can sue to recover losses. Thus, if it can be proved that hackers used the appeasing corporation's voice mail computer with the knowledge of the corporate sysop to illegally trade codes whose use resulted in losses, then the appeasing corporation becomes liable for the losses on the other companies' phone bills. The appeasing corporation also runs the risk of being portrayed in the press as a corporation that aids and abets hackers-not exactly the type of publicity companies savor.

THE DOUCETTE CASE, THE FIRST FEDeral prosecution ever mounted against abuse of voice mail computers, began in Chicago on February 9, 1989, when the president and owner of a Rolling Meadows, IL, real estate company telephoned the US Secret Service and complained that his company's voice mail computer was being attacked by hackers. In fall 1988, the company had installed a voice mail computer system to serve its customers and employees. The voice mailbox numbers and entry codes on the voice mail computer were personally assigned by the company owner. He told the Secret Service that while the 800 number to his voice mail computer was published, the mailbox numbers and the access codes to the mailboxes were known only to him and the individual mailbox users.

The owner also told the Secret Service that in November 1988, during his daily review of messages on the computer, he noticed that hackers had broken into the system and were leaving messages. Initially the hacker intrusions were infrequent. However, in December 1988 the intrusions increased, and by January 1989 the hacker attacks had become so frequent that they completely filled the voice mail computer's memory, virtually taking over the system.

The owner noted that the monthly bill for the 800 number had jumped at least $1,600 as a result of the hacker activity. He also noted that he incurred an additional expense in February 1989, when he was forced to hire a consultant to resecure the computer. While the losses involved were relatively minor, the Secret Service continued the investigation because of the extensive traffic in illegal access codes through the voice mail computer.

Secret Service agents in Chicago analyzed the access codes traded on the Rolling Meadows voice mail computer and identified other compromised voice mail computers in other states.(18) The agents contacted the other sysops, who verified that they too had been compromised by hackers trafficking additional illegal access codes on their systems.

In reviewing messages stored on the compromised voice mail computers in Rolling Meadows and elsewhere, investigators frequently heard both from and about a woman who referred to herself as "Kyrie" and, alternatively, "Long-Distance Information." Because the evidence showed she was operating a code line that generated substantial access code losses, law enforcement efforts focused on identifying and locating her.

In early March 1989, MCI security officials in Chicago advised the Secret Service that Canadian Bell security officials knew "Kyrie" as an alias for Leslie Lynne Doucette, a Canadian citizen. Canadian Bell officials said Doucette had been an active hacker for at least six years and that in 1987 she had been convicted of telecommunications fraud in Canada.(19)

Officials also reported that after her release she left that country with her two children. They also indicated that Doucette supported herself and her children with her hacking activities, which included running illegal code lines on compromised voice mail computers. These code lines, according to the Royal Canadian Mounted Police, contained stolen or counterfeit access code numbers supplied by various hackers.

Investigators received additional information about Doucette from Arizona Assistant Attorney General Gail Thackeray, who received and recorded an unusual "chutzpa" call from Kyrie, in which she bragged to Thackeray that she had seven years' worth of extensive records documenting her contacts in the hacker underground.

During the conversation Thackeray heard what sounded like pages turning in a book while Kyrie said she was looking up information about various hackers. Kyrie bragged that she was too smart for law enforcement officials and was always able to keep two steps ahead of the FBI. Thackeray provided the tape and a transcript to the Secret Service.

Thackeray also gave the agents a transcript of a telephone call between Kyrie and an Arizona hacker named Ray Bishop that had taken place on December 11, 1988. The transcript, which was based on a cassette tape recording seized during the execution of an Arizona state search warrant at Bishop's residence in February 1989, showed Kyrie tutoring Bishop on how to fraudulently obtain calling card numbers from people with AT&T calling cards.

IN LATE MARCH AND EARLY APRIL 1989, MCI security offices in Chicago and Denver began receiving tips from various informants that Doucette had just moved to the Chicago area and was using a certain telephone number on North Ashland Street in Chicago.

On April 19, 1989, a court-authorized pen register (also known as a dialed number recorder or DNR) was placed on that telephone number. Investigators immediately observed a large volume of illegal telephone calls emanating from that number, including the unauthorized use of numerous voice mail computer systems, long-distance calling codes, and corporate PBX networks.

They also noticed a large number of one-minute or shorter calls to "chat lines" with the 900 prefix. From prior investigations the federal agents recognized that someone at the North Ashland address was using the chat line calls to test the validity of credit card numbers and telephone access codes obtained from the hacker underground.

From April 19, 1989, through Doucette's arrest on May 24, 1989, the DNR disclosed heavy activity, including frequent calls to telephone "bridges" (conference calls), loops, and voice mail computers. Investigators contacted the sysops of these other voice mail computer systems and discovered that Doucette was using voice mail systems in Long Beach, CA, and Mobile, AL, to operate hacker code lines on each system, which in turn hackers used for trafficking large volumes of telephone calling card numbers, PBX access codes, and credit card information.

On May 24, 1989, Secret Service agents used that information to obtain search warrants, which they executed at Doucette's apartment and the homes of seven other major hackers in her ring.(20) The search warrants prepared in the Doucette case followed the outline used in prior computer and telecommunication cases in Chicago.

After introducing the affiant and the experts relied on by the affiant, the warrants gave a summary of the alleged criminal activity, discussed the technical expressions used, set forth the chronology of the investigation, summarized the evidence to be found, and concluded with the reasons for suspecting that the evidence would be found at the search location. Additionally, the warrants requested authorization for the searching agents to "seize and read" any computer-stored information on the premises.

During the Doucette search in Chicago, agents found a series of notebooks with credit card numbers and telephone calling card numbers. One book alone contained 71 AT&T calling card numbers; 287 Visa, American Express, and MasterCard numbers; 24 other calling card numbers (including numbers belonging to MCI, Sprint, and ITT); 32 PBX numbers; 42 loops (conference call numbers); and 24 diverters.

WHEN THE WARRANTS WERE EXECUTED, Doucette acknowledged that she was, in fact, Kyrie. Later, in the Secret Service offices, Doucette provided an extensive oral and written confession that described her method of operation.

Doucette acknowledged that her principal job was operating code lines, where hackers could trade stolen access codes. She said she received access codes from hackers through illegal telephone conference calls, known as loops and bridges, and on illegal code lines that she ran from voice mailboxes on various compromised voice mail computers. She also received codes from computer hackers through pay telephones that she designated in the cities she visited.

After receiving the codes Doucette checked their accuracy and validity by calling "900 chat line" telephone numbers. The owners of these 900 numbers unknowingly verified the usability of the stolen access codes by accepting them as a method of payment for using the 900 numbers. Doucette also checked credit card numbers belonging to such companies as Visa and MasterCard by making pretext calls to various credit card verification numbers she had obtained.(21)

Doucette then grouped the access codes according to their type (MCI cards together, PBX long-distance codes together, etc.) and placed them on a rough script, which she would later read into a voice mail computer. Her scripts also included the "handles" of hackers who had contributed codes to her list, warnings to hackers about suspected law enforcement activity and undercover operations, and the identities of hackers who were thought to be giving information to law enforcement or telephone security agents.

When the scripts were code lines Doucette called one of the code line she surreptitiously operated on a voice mail computer. After introducing herself as either "Kyrie" or "Long-Distance Information," she read the script into the voice mailbox.

By reading the prepared script into the voice mail computer, Doucette was able to get the maximum amount of accurate information onto the code line in the shortest amount of time. At the conclusion of the script, Doucette invited hackers who used her service to provide her with additional codes, which she could then pass along in future sessions on the code line.

To raise cash, Doucette said she used her hacker contacts to operate a scheme using unauthorized credit card numbers to obtain money through Western Union. Doucette explained that after she obtained credit card numbers from various voice mail computer systems, she checked the validity of those credit card numbers and gave the still-valid account numbers to hackers with the agreement that they would use those credit card numbers to purchase Western Union money orders payable to an alias Doucette designated. The hackers then contacted Western Union and requested money orders payable to the alias, charging the money orders to the credit card numbers without the card-holders' knowledge. Doucette said she received around $1,000 in cash during 1988 in this manner.

AT THE TIME OF SENTENCING THE GOVERNMENT argued that Doucette merited incarceration for several reasons. First, the number of access codes in her possession (at least 48 1) and the financial losses attributable to her conduct (at least $595,941) were substantial.

Second, her actions reflected careful preparation. She orchestrated an elaborate scheme involving up to 152 hackers to obtain and transfer access codes to the largest number of people in the shortest possible time to maximize the number of codes she could obtain and minimize her chances of being caught. Moreover, many of the hackers she involved in her scheme were juveniles, an aspect of the case that caused her to be dubbed "the female Fagin" by the media.

Third, Doucette's actions were not isolated activities. As she admitted, she had been trafficking access codes since 1985. Illegal access code trafficking had provided a substantial part of her income for six or seven years before her arrest.

Fourth, all Doucette's friends were members of the hacker underground. Without the actions of MCI corporate security officials and federal agents, it was clear Doucette would still be trafficking large numbers of access codes on code lines to the computer hacker underground.

Finally, the government emphasized that computers and the access codes that drive many computerized transactions form an integral part of the American government and business communities. The rise of computer and telecommunications technology has spawned a new breed of technologically sophisticated criminals who traffic in access codes and sneak into computers to steal access codes and data files.

These high-tech street gangs frequently travel electronically as a group and are able to destroy individuals and institutions from any location in the world. The government urged the court to impose a sentence on Doucette that would send a message to these criminals that their activities would be met by prosecution and punishment.

On August 17, 1990, Doucette was sentenced to 27 months in prison, one of the most severe sentences ever given for computer and telecommunication fraud. The judge's sentence was governed by the new federal sentencing guidelines, which apply to all crimes committed on or after November 1, 1987. While Doucette's attorney expressed concerned about the personal impact of a prison sentence, the judge pointed out that the sentencing guidelines mandated harsh punishment.

On a larger scale, the Doucette case and the punishment she received reflect a new reality for hackers and computer crime victims in the 90s. Persons convicted of computer-related crimes now face federally mandated prison terms and restitution, depending on the magnitude of the fraud. As a result, individuals and corporations who report computer and telecommunication crimes can now expect that their cooperation with federal law enforcement will result in meaningful punishment. must report computer-enhanced crimes if they want prosecutors and the courts to protect their rights to the tangible and intangible property developed and stored on computers. Hopefully, an era of increased cooperation will produce substantial reductions in the enormous annual cost of telecommunication crime, now estimated to range from $555,000 (Computerworld) to $55 billion (Ernest & Whinney). The magnitude of voice mail computer fraud clearly calls for aggressive federal investigation and prosecution.

About the Author . . . William J. Cook is a trial attorney with the US Attorney's Office in Chicago. He specializes in prosecuting white-collar, computer, and telecommunications crimes. He is the head of the US Attorney,'s Computer Fraud and Abuse Task Force, and he prosecuted the Doucette case with Assistant US Attorney Colleen Coughlin, who reviewed this article along with Assistant US Attorney? Dave Glockner.

(1) The facts discussed in this article regarding United States v. Doucette are matters of public record. Nevertheless, the opinions expressed in this article are the personal opinions of the author and do not necessarily represent the views of the Department of Justice or the United States Attorney's Office in Chicago.

(2) The term "access code" or "access device" is defined in Title 18, United States Code, Section 1029(e)(1), as any card, plate, code, account number, or other means of account access that can be used to obtain money, goods, services, or any other thing of value.

(3) A PBX is a computer that operates as a telephone switching system to provide internal telephone communications between stations located on a premises as well as telephone communications between a company and other public or private telephone networks. By calling a PBX number equipped with a remote access unit or extender and entering a numeric password (extender code) on a telephone keypad, a remote caller can obtain a dial tone that enables him or her to make long-distance telephone calls through the PBX at the expense of the company operating the PBX computer switch.

(4) Doucette also acknowledged that the $595,941 loss figure included a scheme in which she and other hackers fraudulently obtained air travel and lodging expenses from the unauthorized use of credit card numbers and obtained Western Union money orders that she and her accomplices then cashed.

(5) Fortune 1991 Investment Guide, Fall 1990.

(6) United States v. Riggs, et al., 739 F. Supp. 414, 423-424 (N.D. Ill., Judge Bua, 1990).

(7) While some challenge the actions of state and federal law enforcement officials in logging onto computer bulletin boards and reading posted codes, the Electronic Communication Privacy Act of 1986 clearly exempts such bulletin boards from protection. (8) "'Finger hacking" involves determining the voice mailbox entry numbers simply by trying groups of numbers on the telephone keypad until a voice mailbox number is found. (9) To further complicate law enforcement efforts, hackers usually work three or more compromised voice mail computers at the same time. Access codes left by a hacker on one voice mail computer are picked up by another hacker, who leaves additional codes for the first hacker on a second voice mail computer, and so on. By rotating between as many as four voice mail systems in various states, the hackers ensure that security and law enforcement personnel in one location will see only part of the picture.

(10) A diverter is a mechanical or computer-based switching device, such as an answering service (or call forwarding), used to forward telephone calls from one telephone to another. Design flaws in some diverters enable remote callers to the diverted number (the original company called) to regain a dial tone from the diverted number several seconds after the called party (the answering service) hangs up the telephone. After regaining a dial tone, the original caller is able to make local or long-distance calls at the expense of the company operating the diverter.

(11) "Loops are confidential telephone-company test numbers between central offices. Generally they are two different telephone numbers that connect to each other when dialed and permit a conference call.

(12) "A bridge is a telephone number that can be called by several persons at the same time to form a conference call. Telephone numbers that form bridges are generally owned or leased by corporations and are accessed through a PBX.

(13) A radius is a telephone-service access code that operates in a limited geographic region.

(14) A code line is a specific location or voice mailbox on a voice mail computer that hackers use without authorization to provide stolen access devices to other hackers. The code line is frequently located on the greeting part of the computer and can be heard by each hacker calling the computer. After hearing the message, hackers are then invited to leave additional access devices there.

(15) Hackers prefer to use unassigned boxes. They do so not out of concern for the victim but so that legitimate traffic on the voice mail computer does not interfere with or supersede hacker messages before they are picked up by other hackers.

(16) See William J. Cook, "Uncovering the Mystery of Shadowhawk," Securi Management, May 1990, p. 26.

(17) "Sysops gain access to their codes by using longer numeric passwords than the other users on the system. Hackers gain control of computers by running password-cracking programs against those passwords.

(18) Disclosure of the hacker voice mail traffic to federal agents by the sysop was clearly authorized under the Electronic Communication Privacy Act of 1986. Under 18 USC Section 2702(b)(6), the traffic was properly disclosed because the traffic was not generated by a customer or subscriber of the voice mail system, it was inadvertently obtained by the voice mail system, and it appeared to pertain to the commission of criminal activity.

(19) "The Royal Canadian Mounted Police advised the Secret Service in Chicago that on March 12, 1987, Leslie Lynne Doucette was convicted of telecommunications theft in Canada and sentenced to 90 days in custody and two years' probation.

(20) Other hackers connected with these warrants were prosecuted as juveniles and convicted. Because of their status as juveniles, their identities are not disclosed in this article.

(21) "This method of operation was substantiated by the DNR placed on Doucette's telephone while she resided on the north side of Chicago. By using the DNR, the agents were able to track each of the numbers entered into the telephone keypad at Doucette's residence.
COPYRIGHT 1991 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:communication security
Author:Cook, William J.
Publication:Security Management
Date:Jul 1, 1991
Words:4853
Previous Article:Are you ready? We are.
Next Article:Property movement made easy.
Topics:


Related Articles
Doing time on the telephone line.
Meet and beat the ego-driven systems hacker.
Electronic messaging.
Telephone security checklist.
Toll fraud: multimillion-dollar telecomm problem.
Voice-mail fraud.
Voice mail found guilty of customer alienation.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters