Hacked Business Owner Stuck With $52k Phone Bill
ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
ScuttleMonkey doesn't even read TFS (Score:4, Informative)
Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
Dude, it wasn't the phone company's equipment - hence the "outrageous" charge to the consumer.
Why would they do that? (Score:5, Informative)
This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.
Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.
http://www.schneier.com/blog/archives/2007/01/information_sec_1.html
http://www.schneier.com/blog/archives/2006/03/credit_card_com.html
http://www.schneier.com/blog/archives/2005/10/preventing_iden.html
Re:Bulgaria? (Score:5, Informative)
Often times, the thief sells calls at clusters of payphones in low income urban areas. The calls are made to wherever the immigrants in the area came from. These rings have phone systems like this that they hijacked, stolen prepaid phone card lists, stolen credit card lists that they can use to place calls, and so on. This is where a lot of phishing leads to. If they think anyone is on to them, they can just walk away. The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough. It's a great scam because it's easy and they don't have to risk taking delivery of anything. The minutes turn into cash.
Re:Have Teleco Block Outgoing International Calls? (Score:3, Informative)
The problem is, that 52K phone bill is not all going to this guy's phone company's coffers. They're going to pass on some amount of that to their upstream provider who will pass some amount on to someone else and on and on. It's not like the phone company can waive that 52K charge and nobody's hurt. The phone company still has to pay someone else for that call.
Sorry, but I can't side with the guy in this case. He set up his own equipment instead of using the phone company's and that implies, in the absence of an agreement otherwise, that you're taking the responsibility to make sure it is set up correctly.
Re:WTF? (Score:5, Informative)
I am in the same business (Score:3, Informative)
...and there is no, I mean, NO excuse for what this guy allowed to happen, from the perspective of a telephony engineer.
Point #1: how weak is your security that an external entity can log in and gain access?
Point #2: why in the world does his voice mail system have a class of service that allows outdialing? Typically a telephony engineer restricts the class of service on the ports connecting to the phone system so that they can only pass calls to the phone system itself, not to the outside world.
This guy is unbelievably lazy, and the fact that he wants someone else to pay for his mistakes is insane. He fails at life.
Happened to me for $14K (Score:2, Informative)
Re:The phone company? (Score:3, Informative)
Why should the phone company be responsible for their customer's incompetence?
If they installed it... maybe... but they didn't.
Why are credit card companies responsible for their customers' incompetence? If I leave my credit card on a bench at the mall, and call to report it lost within a reasonable amount of time, I'm not liable for most of the charges. That's a legal limitation, too... not just customer service. The credit card company didn't leave my card lying around, or make it easier to lose in some way, but they still have to eat the charges.
Several years ago, our electric bill jumped suddenly. Our deadbeat tweaker roommate decided to run the AC 24/7 "Like they do in Hawaii." The (municipal) power department computers automatically detected the change in usage, flagged it, stopped our bill from being issued, and sent it to CS to contact us and find out if there was a physical problem. (Then something got dropped so they didn't contact us, and didn't send a bill... four months later they came knocking on our door, all apologies.)
So, yeah, I think it's reasonable for a utility company to auto-flag aberrant usage. Though true, the guy *should* have configured his phone system correctly too...
Pfff. Florida Power & Light happily and without any warning sent me a $500 bill the month after a neighbor in the triplex I lived in had been stealing power from an outside outlet via extension cord. My usual bill was about $125/mo.
Lucky for me my landlord was nice enough to eat the difference since it was his tenant. The guy was kicked out shortly after paying rent the following month. Needless to say, FPL didn't give a shit, like they typically never do.
Re:WTF? (Score:4, Informative)
this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".
The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.
I agree fully with that statement. I worked for a small company (400 people) and our telecom folks watched the usage patterns like a hawk, and stopped several hack attempts cold. The only one I know of that they didn't stop was one where a calling card number was shoulder surfed; and they kept getting either no answer or VM at the phone company's fraud desk. The phone company ate that bill.
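Added example, not part of the thread or any commenter's code: the kind of call-record review the comments above describe (voice mail ports that should never dial outside the PBX, and watching usage patterns for abnormal international traffic), run over constructed CDR lines. The port names, CSV layout, and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (not from the incident): start time, originating port, dialed digits, seconds.
SAMPLE_CDRS = """\
2009-03-02 10:15:00,ext-201,2045550123,180
2009-03-02 14:40:00,ext-202,011442079460000,600
2009-03-07 02:11:00,vm-port-1,0113592555010,3540
2009-03-07 02:12:00,vm-port-2,0113592555011,3480
2009-03-07 03:30:00,vm-port-1,0113592555012,3600
2009-03-07 03:31:00,ext-201,201,45
"""

VOICEMAIL_PORTS = {"vm-port-1", "vm-port-2"}   # assumption: ports wired to the voice mail system
INTL_PREFIX = "011"                             # North American international access code
INTERNAL_LEN = 4                                # assumption: extensions are at most 4 digits
BUSINESS_HOURS = range(8, 18)                   # 08:00-17:59 local time
DAILY_INTL_MINUTES_LIMIT = 60                   # assumption: site baseline, international minutes/day


def review_cdrs(text):
    """Return (alerts, international minutes per day) for a CDR export."""
    alerts = []
    intl_minutes = defaultdict(float)
    for start, port, dialed, seconds in csv.reader(io.StringIO(text)):
        when = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        external = len(dialed) > INTERNAL_LEN
        international = dialed.startswith(INTL_PREFIX)
        # Voice mail ports should only ever reach internal extensions.
        if port in VOICEMAIL_PORTS and external:
            alerts.append((start, port, "voicemail port dialed outside the PBX"))
        if international:
            intl_minutes[when.date().isoformat()] += int(seconds) / 60
            # Nights and weekends are when nobody is watching the call display.
            if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
                alerts.append((start, port, "international call outside business hours"))
    # Volume check: total international minutes per day against the site baseline.
    for day, minutes in sorted(intl_minutes.items()):
        if minutes > DAILY_INTL_MINUTES_LIMIT:
            alerts.append((day, "*", f"international usage {minutes:.0f} min exceeds daily limit"))
    return alerts, dict(intl_minutes)
```

The first rule is the detection counterpart of a class-of-service restriction: if the restriction is in place the rule never fires, and if it fires the restriction is missing or has been bypassed.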
Re:Have Teleco Block Outgoing International Calls? (Score:3, Informative)
If you're in the US and you provide the last link then YOU ARE RESPONSIBLE. Welcome to the wonderful world of CALEA [digestiblelaw.com]. By providing wifi you're at fault, plain and simple. It's one of the legal hassles of anyone providing wifi.
Having helped with similar problems like this, I can give a few case studies. The best I can say is you WILL be responsible until they figure out it wasn't you. But you may very well have months of sleepless nights.
I had RIAA send a notice about one of my client IPs putting a pre-release CD up on IRC. They sent the scary legal pre-format letter spelling out doom and gloom. The client was found to have a trojan allowing the system to upload the info. All steps were documented, screenshots, and sent back to lawyer. No further contact so it must have been enough for them. Overall I found this more amusing than anything.
I know someone who was investigated for child porn. He had an unsecured wifi unit living along a busy road. The police swooped in and took all the computers in his home. They grilled him on "having found some child porn videos on one computer". He kept asking for outside experts to verify their claims. After a few months they finally returned all the equipment, said they were incorrect on having found anything, and agreed it must have been the open wifi. In the meantime he had months of utter stress from being lied to by police.
Guilty until proven innocent is what you should expect.
Re:Good luck with MTS. Seriously. (Score:3, Informative)
There's one easy solution to this. Call and threaten to cancel your service. Bell, Telus, Rogers all the same. Whoever you speak to first in 'Customer Service' will try to talk you out of it. Be persistent without actually canceling, unless you REALLY want to. In no time, you'll be transferred to another department. These are their customer saving or retention team people. They're there to save you from selling your soul to the competition. With these guys, you can get better and cheaper plans, better and faster service and every effort will be made to help you in the future. If you have some really mucked up billing issue, save yourself the hundreds of phone calls: threaten to cancel. I almost guarantee it will be fixed in 2 business days and not 2 months.
I just thought I'd share this information with others. I'm willing to bet our southern neighbours will enjoy this nugget too. If the big companies cannot provide good service, let their CEOs see how many people are threatening to cancel service. Shareholders wouldn't be too happy would they?