Printer Friendly

Who ya gonna call? Holiday Fair's 'tail' on voice mail hackers.

Sometimes, in a world fraught with toll fraud, the good guys can find themselves running around in circles with nobody to protect their backs. Such was the case with Holiday Fair, an accessories company headquartered in Manhattan's garment district.

They broke new ground by identifying voice mail hacking, and in the process acquainted the local telco, police department, and even the Secret Service with the ins and outs of voice mail hacking.

Holiday Fair refers to the incident as "Operation Mousetrap." The firm has several locations, with one being a warehouse and distribution facility in North Bergen, N.J. They had installed the TollGuard Plus system on their Premier model 2260 PBX, which is maintained by Inter-Tel of New Jersey.

Telstar Resource Group, in New York City, provides 24-hour detection and central station monitoring on a real-time basis for toll fraud detection with their TollGuard Plus service. They use both the TelTrol Fraud finder and Western Telematics Pollcat II + PBX Data Recorder to monitor clients' toll data.

The "tail" begins on July 21, 1992, less than a week after the system was installed. Telstar personnel notified Holiday Fair's MIS Director Paul Coraggio that there were an unusually high number of high-volume short-duration incoming calls to the voice mail system connected to the PBX. They were being made out of normal working hours.

Records indicate that as part of their toll fraud audit, Telstar, in conjunction with InterTel, had previously disabled the client's "forward to the public network" voice mail feature which can be used by hackers to make fraudulent outgoing calls.

A plan was put in place to increase surveillance and to trap the perpetrators. The following is a synopsis of "Operation Mousetrap."

July 21: At 9:15 p.m. New Jersey Bell is notified of voice mail hacking. Holiday Fair was advised by a New Jersey Bell supervisor to report the incident to the North Bergen, N.J. Police Department.

Within the half hour, the North Bergen Police are contacted. The sergeant on duty says he is not familiar with high technology but will log the call. He also asked the company to have someone come in the next day and file a complaint.

July 23: Paul Coraggio, Holiday Fair's MIS director, goes to the police department. There he is told that the police only handle cases like kidnapping. He is advised to call New Jersey Bell Security.

Back at the office, the company calls New Jersey Bell Security. The telco advises them to call the North Bergen Police. When told that the police were already called, New Jersey Bell Security agrees to bring in their Annoyance Call Bureau.

Later that day, the Annoyance Call Bureau sets up a trace. Holiday Fair must call in the times of out-hour voice mail calls to them each day by 11 a.m. The trace is put on for a two-week period.

July 23-August 6: Out-hour voice mail calls are monitored and called into the Annoyance Call Bureau. Joseph Messina, Holiday Fair's chief financial officer, is trained on how to access the Pollcat III+ unit and to view all calls which it monitors.

August 6: New Jersey Bell's Annoyance Call Bureau announces that the trace has been successful and that the results can be obtained by calling the North Bergen Police.

Police advise that the calls are originating mainly from two residences and from two pay phones near the residences. However, the detective assigned to the case is off until August 10, and Holiday Fair is told to call back on August 11. So, the U.S. Secret Service is called in.

The agent tells the company that they only credit card toll fraud. When the agent is informed that the Secret Service does have jurisdiction, the agent asks, "Why would anyone use voice mail in this manner?" Finally convinced that it is at least unauthorized access to a system, he advises a call to the U.S. Attorney General's office.

Arrangements are made with InterTel, the vendor for the Premier PBX voice mail, to provide an audit trail of the voice mail boxes accessed. This allows the firm to match incoming, time-stamped messages, with the box accessed.

Further research reveals that some of the unauthorized calls are coming from an ex-employee who was fired. Others are coming from the address of a current employee.

August 11: Finally able to speak with the North Bergen detective, the firm is advised that he has never seen anything like this in 20 years and there really is nothing he can do. His advice - call the phone company.

August 12: Barry Bendes, general counsel with Parker Duryee Rosoff & Haft, and an expert in computer crimes, enters the case. He moves to untangle the legal issues and define the crimes being committed.

This case illustrates the confusion and lack of knowledge in voice mail and toll fraud hacking. It also shows that toll fraud is not taken seriously. The hackers are ahead and the law can not catch up.

The question to be answered in advance is: "Who ya gonna call?"
COPYRIGHT 1993 Nelson Publishing
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Network Security
Publication:Communications News
Date:Jun 1, 1993
Previous Article:Safe sending: protecting clients and yourself.
Next Article:Rules for playing the fast Ethernet over copper wire game.

Related Articles
Costly callers: prosecuting voice mail fraud.
Meet and beat the ego-driven systems hacker.
Disconnecting phone fraud.
How two users fight fraud with call accounting.
Toll fraud, when will the bell toll for thee?
Toll fraud: multimillion-dollar telecomm problem.
Voice-mail fraud.
HACKERS RING UP BUSINESS BILLS\Court orders firm to pay $35,000 tab for illicit phone calls.
Voice mail via exchange.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters