Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook
Lucent Technologies BCS Products Security Handbook
Have a look at the manual Lucent Technologies BCS Products Security Handbook online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 About This Document Page xxi Lucent Technologies Toll Fraud Crisis Intervention Lucent Technologies Toll Fraud Crisis Intervention If you suspect you are being victimized by toll fraud or theft of services and need technical support or assistance, call the appropriate Lucent Technologies BCS service: NOTE: These services are available 24 hours a day, 365 days a year. Consultation charges may apply. Intervention services are performed at no charge for equipment covered by warranty or service agreement. Helplines nIf you require application support assistance or have questions regarding feature functions for the DEFINITY ECS, DEFINITY G1, G2, and G3, System 75, or System 85 Communications Systems, associated voice mail systems, or other adjuncts, contact the DEFINITY Helpline: 800 225-7585 Toll Fraud Intervention Hotline800 643-2353 All systems and products; DEFINITY ECS and DEFINITY Communications Systems, System 75, System 85, MERLIN II, MERLIN LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 Communications Systems (including associated voice mail systems and other adjuncts) Technical Service Center (TSC):800 242-2121 DEFINITY ECS, DEFINITY Communications System, System 75, and System 85 (including associated voice mail systems and other adjuncts) National Service Assistance Center (NSAC):800 628-2888 MERLIN II, MERLIN LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 Communications Systems (including associated voice mail systems and other adjuncts)
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 About This Document Page xxii Related Documentation nFor assistance with the DEFINITY AUDIX System, call: 800 562-8349 nFor assistance with the MERLIN II, MERLIN LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, or System 25 Communications Systems, or their associated voice mail systems or other adjuncts, call: 800 628-2888 NOTE: The above services may result in an additional charge. Intervention services are performed at no charge for equipment covered by warranty or service agreement. Related Documentation The security risks and preventive measures presented in this document relate specifically to toll fraud. This handbook is designed to work with the documentation for the products described in this document, and it is not intended as a replacement for any of the documentation available for these products. Refer to the Business Communications Systems Publications Catalog, 555-000-010, for more information.
Introduction Page 1-1 Background 1 BCS Products Security Handbook 555-025-600 Issue 6 December 1997 1 1Introduction Background Telecommunications fraud is the unauthorized use of a company’s telecommunications service. This type of fraud has been in existence since the 1950s when Lucent Technologies first introduced Direct Distance Dialing (DDD). In the 1970s Remote Access became a target for individuals seeking unauthorized network access. Now, with the added capabilities of voice mail and automated attendant services, customer premises equipment-based toll fraud has expanded as a new type of communications abuse. Today, security problems are not just limited to toll fraud. There have been sharp increases in reported incidents of hackers: criminals skilled in reprogramming computer systems, accessing telecommunications systems through remote administration or maintenance ports. These ports cannot be used to place phone calls, but hackers can gain control over the setup of the system. Through these ports, hackers create security “holes” to allow unauthorized calling — a serious form of electronic vandalism. A company’s “information resources” are yet another target for modern criminals. They are invading voice mailboxes and eavesdropping on cellular phone calls to obtain proprietary information about your products or your customers.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-2 Who is the Enemy? 1 Who is the Enemy? Hackers and Phreakers Hackers and “phreakers” (phone freaks) use personal computers, random number generators, and password cracking programs to break into even the most sophisticated customer premises equipment-based system if it has not been adequately secured. Once a hacker penetrates a network and provides instructions to toll call sellers, large volumes of unauthorized calls can be made from the switch. Severe cases of communications abuse can also reduce revenue and productivity when employees are unable to dial out and customers are unable to call in. These people are criminals, as defined by the United States Secret Service and Title 18 Section 1029 of the United States Criminal Code. They attempt to find your weakest link and break it. Once they have compromised your system, they will use your system resources to break into another system, and/or advertise that they have broken your system and how they did it. They will also sell this information to a call sell operator. Some hackers command up to $10,000.00 a week for stolen codes. Call Sell Operations Most of the high dollar theft comes from call sell operations. These operations vary from a pay phone thief, who stands next to a pay phone and “sells” discount calls through your system, to a full-blown call sell operation. A full-blown operation might involve a one-room apartment (rented under an assumed name) with 30 to 40 phones (lines from the phone company are under the same assumed name). The general pitch is that for a flat fee you can call anywhere in the world and talk as long as you like. The seller takes the money and places the call for the buyer, and then walks away so he will not get caught. Needless to say, a victimized company is paying for the actual call. The call sell operation is open round-the-clock, and when the victimized company stops the abuse, the call sell operator moves on to the next number. In a month or two the call sell operator just disappears (and will usually resurface at another apartment with another 30 phones and a way into your system). The toll fraud industry is growing fast. Originally, the majority of toll fraud was based in New York, NY. Now call sell operations are springing up in Miami, FL, Chicago, IL, Los Angeles and San Francisco, CA, and other locations around the country, even throughout the world. Call sell operations are dependent on calling card numbers or other means to fraudulently use a customer premises equipment-based system. The major calling card vendors monitor calling card usage and shut down in a matter of minutes
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-3 What is in a Loss? 1 after detecting the fraud. However, call sell operators know that the traffic on most customer premises equipment-based systems is not monitored. That is why a calling card on the street sells for $30.00 and a customer premises equipment-based system code (called a Montevello) sells for up to $3,000.00. Drug Dealers Drug dealers want phone lines that are difficult to trace so they can conduct their illicit narcotic dealings. For this reason, drug dealers are more likely to route their calls through two or more communications systems (PBXs) or voice mail systems before a call is completed. This is called “looping.” Law enforcement officers believe that drug dealers and other criminals make up a sizeable chunk of toll fraud. What is in a Loss? Cost of the Phone Bill There are no real numbers showing exactly how much money companies have lost due to toll fraud. Since some companies are not willing to disclose this information, it is difficult to know who has been hit and at what cost. Both small and large companies have been victims of what is one of the nation’s most expensive corporate crimes. Lost Revenue The cost of operational impact may be more severe than the toll charges. Employees cannot get outbound lines, and customers cannot call in. Both scenarios result in potential loss of business. Expenses Additional expenses may be incurred, such as changing well-known, advertised numbers, service interruptions, and loss of customer confidence. Known Toll Fraud Activity Understanding how hackers penetrate your system is the first step in learning what to do to protect your company. Be aware that hackers communicate very well, are extremely resourceful, and are persistent. The following is a list of known methods hackers use to break into systems.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-4 Known Toll Fraud Activity 1 nPBX-Based Activity —Maintenance Port Maintenance ports are the most recent target of abuse. In this scenario, hackers find a PBX maintenance port number with their “war dialer,” a device that randomly dials telephone numbers until a modem or dial tone is obtained. They then “hack” the user ID and password, sometimes just by using the PBX default passwords, to enter your system. Good password selection decreases the possibility of being hacked via the maintenance port to virtually zero. This is the most dangerous type of abuse because once in your system, the hackers have control over all the administrative commands. While in your system, they have been known to: — Turn on Remote Access or Direct Inward System Access (DISA). (On some communications systems, this is a “yes” or “no” option.) These situations can be difficult to detect. Hackers have been known to change the system at 8:00 p.m. to allow fraudulent calls. Then, at 3:00 a.m., they reprogram the system back to its original configuration. One company was hit three weekends in a row before they realized what was happening. — Turn off Call Detail Recording (CDR) or Station Message Detail Recording (SMDR) and hack your system all weekend, and then turn it back on before Monday morning. This is especially disturbing to managers who are security conscious and check the CDR/SMDR reports every morning looking for suspicious activity. They will not see records of the calls because CDR/SMDR was turned off by the hackers. The administrator may notice the absence of CDR/SMDR records for evening, night, and weekend calls made by employees. —Voice Mail There are two types of voice mail fraud. The first type, which is responsible for the bulk of equipment-related toll fraud loss, relies on misuse of the call transfer capabilities of voice mail systems. Once thieves transfer to dial tone, they may dial a Trunk Access Code (TAC), Feature Access Code or Facility Access Code (FAC), or extension number. If the system is not properly secured, thieves can make fraudulent long distance calls or request a company employee to transfer them to a long distance number. The second type of voice mail fraud occurs when a hacker accesses a mailbox to either take it over or simply access the information stored within it.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-5 Known Toll Fraud Activity 1 In the first situation, a hacker dials either 9 or a TAC that allows the call to be transferred to the outgoing facilities. In the second situation, a hacker typically hacks the mail password and changes it along with the greeting. This gives the hacker access to proprietary corporate information. —Automated Attendant Auto Attendants are used by many companies to augment or replace a switchboard operator. When an Auto Attendant answers, the caller is generally given several options. A typical greeting is: “Hello, you’ve reached XYZ Bank. Please enter 1 for Auto Loans, 2for Home Mortgages. If you know the number of the person you are calling, please enter that now.” In some Auto Attendants, option 9 is to access dial tone. In addition, when asked to enter an extension, the hacker enters 9180 or 9011. If the system is not properly configured, the Auto Attendant passes the call back to the PBX. The PBX reacts to 9 as a request for a dial tone. The 180 becomes the first numbers of a 1-809 call to the Dominican Republic. The 011 is treated as the first digits of an international call. The hacker then enters the remaining digits of the phone number and the call is completed. You, the PBX owner, pay for it. This hacker scenario works the same way with a voice mail system. —Remote Access/Direct Inward System Access (DISA) Remote Access or DISA is designed to allow remote users to access a PBX to place long distance calls as if they were at the same site as the PBX. Because of the potential cost savings, many PBX owners use DISA instead of calling cards; however, Remote Access opens the door for fraudulent calls by thieves. Hackers are able to locate the DISA feature with the use of a war dialer, explained previously. After finding a number, the device searches for barrier codes. If the system allows uninterrupted, continuous access, a war dialer can crack a 6-digit code within 6 hours. The codes are then distributed via bulletin boards or pirated voice mailboxes, or are sold to call sell operators. Some systems hang up after a specified number of invalid access attempts, thereby extending the amount of time required to crack the code. However even if a hacker is disconnected, he or she may call back repeatedly in an attempt to crack the code.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-6 Known Toll Fraud Activity 1 nNetwork-Based Activities —Shoulder Surfing Network hackers use video cameras in airports supposedly to take pictures of their family, but they are actually taking pictures of people using their calling cards. Hackers may also use an audio tape recorder to capture calling card numbers as they are spoken to an operator. This technique is known as “Shoulder Surfing.” —Social Engineering “Social Engineering” is a con game hackers frequently use. It is sometimes referred to as “Operator Deceit.” The success of this con requires gullibility or laxity on the part of the operator or employee, of which the hacker takes full advantage. For example, hackers call an employee, claim to have the wrong extension number, and ask to be transferred back to the operator. The call looks to the operator like an internal call. The hacker then asks for an outside line. Often, because operators do not know any better, they will connect the hacker to an outside line. Another example of social engineering is a hacker calling the operator and pretending to be a telephone maintenance repair person. They make statements like: “I am a qualified telephone repairman testing your lines. Please transfer me to 900 or 9#;” or “I need to verify your DID number range.” An untrained operator may provide the requested transfer or information, giving the hacker more ammunition with which to crack your system. — Dumpster Diving Hackers obtain switch and security information by browsing through company trash cans. They are looking for discarded phone bills, corporate phone directories, and access codes. The “found” information can be used to make fraudulent calls. —Alternate Carrier Access If your system is not secure, hackers can dial out by using carrier codes that bypass routing restrictions you have placed on your primary carrier’s features. —Looping Looping is a method that call sell operators use to circumvent restrictions that IXCs (Interexchange Carriers) put in the networks to control calling card fraud. All carriers block calling card calls bound for the 809 area code (to the Dominican Republic) that originate in New York, NY. This is because the Dominican Republic is a common destination for stolen phone calls. If call sell operators are able to obtain a dial tone from a PBX but are not able to dial 809 or 011 directly, they will revert to looping. They could dial an 800 number outbound from the PBX. The 800 number could be to another PBX or could be a calling card or operator access number.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-7 Known Toll Fraud Activity 1 Examples include, but are not limited to the following 800 numbers: 1 800 COLLECT, 1 800 CALLATT, and 1 800 GETINFO. They could also dial 950 carrier access numbers. Lastly, they can dial various 10xxx carrier access codes. In any case, they can still use the PBX to place a fraudulent call. If the PBX is not in New York, NY, they can use the calling card. Use of the 10xxx codes could allow for direct billing to the PBX. It is not uncommon for hackers to “loop” through as many as five communications systems before completing the fraudulent call. — Call Diverters A call diverter is a device used to forward calls to a different location, usually after business hours. These are normally used for smaller businesses who forward their calls to an answering service after hours. When hackers find a number they suspect is using a call diverter, they call the number. When the call is answered, the hacker claims to have misdialed or remains silent. Then when the caller hangs up, the call diverter sometimes gives the hacker dial tone before the disconnect is completed. The hacker then seizes the dial tone and uses it to place fraudulent long distance calls. — Beeper and/or Pager Scam A scam directed at pagers and beepers is as follows. Many of the Local Exchange Carriers (LECs) have run out of numbers in the 976 prefix, so they are using other prefixes that work the same as 976. That is, the calling party gets charged for the call at a rate set by the owner of the number. The 976-look-alike numbers are constantly expanding. They include, but are not limited to the following: 202-915-xxxx 315-970-xxxx 516-970-xxxx 716-550-xxxx 206-960-xxxx 401-940-xxxx 518-540-xxxx 716-970-xxxx 207-940-xxxx 402-960-xxxx 518-550-xxxx 718-540-xxxx 208-960-xxxx 410-915-xxxx 518-970-xxxx 718-550-xxxx 212-540-xxxx 412-556-xxxx 602-676-xxxx 718-970-xxxx 212-550-xxxx 413-550-xxxx 603-940-xxxx 719-898-xxxx 212-970-xxxx 413-940-xxxx 605-960-xxxx 801-960-xxxx 215-556-xxxx 504-636-xxxx 607-540-xxxx 804-268-xxxx 301-915-xxxx 505-960-xxxx 607-550-xxxx 804-844-xxxx 303-960-xxxx 507-960-xxxx 607-970-xxxx 817-892-xxxx 307-960-xxxx 508-940-xxxx 617-550-xxxx 914-540-xxxx
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Introduction Page 1-8 Known Toll Fraud Activity 1 The fee charged for calling these numbers can range upwards of $250 per call. As already stated, the fee is set by the owner of the number. Unscrupulous people who own these numbers call around the country inserting these numbers into pagers to get the users to return the call so that they can collect the fee. Consult your LEC for a list of 976-look-alike numbers in your exchange. This same scam could also easily apply to messages left on voice mail. The person could state, “I’m John Doe calling from XYZ. Please return my call at 212-540-xxxx.” When you return the call, you are charged $50.00. Another slant to this scam is carried out by messengers who deliver parcels to your office. They will ask to use your company’s phone to call their office. Then they call one of these 976-look-alike numbers and stay on the line for a minute or two. Your company then gets the bill for a $250 call that lasted only a couple of minutes. — Internal Abuse Unfortunately, not all toll fraud is generated from “outsiders.” Many times it can be traced to internal employees who either sell the information or abuse the system for their own gain. —Call Forwarding Off-Premises Call forwarding can be programmed to forward calls internally (within the PBX) or off-premises. If off-premises call forwarding is allowed, unscrupulous employees can take advantage of it. They forward the phone to a number (usually their home number). They tell their friends and family to call the company’s 800 number and insert the employee’s extension number. The call is forwarded to the employee’s home phone, and the company foots the bill for the call. 308-960-xxxx 512-766-xxxx 617-940-xxxx 914-550-xxxx 315-540-xxxx 516-540-xxxx 703-844-xxxx 914-970-xxxx 315-550-xxxx 516-550-xxxx 716-540-xxxx