Communications Security

Hacked Business Owner Stuck With $52k Phone Bill

ubercam writes "A Canadian businessman is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they couldn't even manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.
  • WTF? (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Friday December 19, 2008 @03:23PM (#26175991) Journal
    Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

    "Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"
  • The phone company? (Score:2, Insightful)

    by Tdawgless ( 1000974 ) on Friday December 19, 2008 @03:29PM (#26176067)
    Why should the phone company be responsible for their customer's incompetence? If they installed it... maybe... but they didn't. Now, as far as a compassion standpoint... the company should at least help out some.
  • bewildering... (Score:4, Insightful)

    by Dzimas ( 547818 ) on Friday December 19, 2008 @03:32PM (#26176099)
    It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.
  • Some Math (Score:4, Insightful)

    by Anonymous Coward on Friday December 19, 2008 @03:35PM (#26176133)

    Let's assume these calls cost $3.00 for a minute.

    $56,000 / 3.00 = 18667 Minutes.

    18667 / 60 (min/hr) = 311 Hrs.

    So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??

    ($3.00 is an assumption as I have no idea what actual international rates are)

    Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.

  • by jellomizer ( 103300 ) on Friday December 19, 2008 @03:36PM (#26176143)

    Or the old quote.
    The carpenter's house is always the one that is in least repair.

  • Ha ha (Score:4, Insightful)

    by DeadManCoding ( 961283 ) on Friday December 19, 2008 @03:37PM (#26176151)
    Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls. Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.
  • by Zymergy ( 803632 ) * on Friday December 19, 2008 @03:37PM (#26176157)
    Is there not a way to just block the ability to direct dial International Calls at the Phone company level? That way a calling card could be used to only dial international?
    If the phone company does not offer such a protection, they are in a manner condoning such abuse, are they not?

    I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to be legally billed to you. I am not sure about US/Canadian telecom laws?

    If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
    I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.

    Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.
  • by e9th ( 652576 ) <e9th@[ ]odex.com ['tup' in gap]> on Friday December 19, 2008 @03:38PM (#26176165)
    He should be looking to the company that installed the system for compensation, not MTS.
  • Re:bewildering... (Score:1, Insightful)

    by Anonymous Coward on Friday December 19, 2008 @03:39PM (#26176171)

    It's not strange at all. Monitoring would cost money (even if it is only someone writing the query) that they don't have to spend.

    Or as Lily Tomlin put it "We're the phone company. We don't care; we don't have to."

  • by That's Unpossible! ( 722232 ) on Friday December 19, 2008 @03:44PM (#26176217)

    > After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?
    >
    > Hint - the mechanic's car is usually fixed last, if ever.

    Care to try and back that statement up?

    I happen to work in the automotive repair industry. Good automotive techs know better than most that it's far cheaper to maintain their vehicle than it is to repair damage later.

  • by GrenDel Fuego ( 2558 ) on Friday December 19, 2008 @03:44PM (#26176219)

    > If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).

    There's a difference between criminal liability and financial. You wouldn't be convicted of downloading child porn (or shouldn't be at least), but if your internet access was pay as you go, you may still be required to pay for the bandwidth used.

  • Re:Ha ha (Score:4, Insightful)

    by Creepy Crawler ( 680178 ) on Friday December 19, 2008 @03:46PM (#26176251)

    In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

    How is it not fraudulent behaviour to collect on services that amounted from theft?

  • by Anonymous Coward on Friday December 19, 2008 @03:55PM (#26176355)

    > Is there not a way to just block the ability to direct dial International Calls at the Phone company level? That way a calling card could be used to only dial international?
    >
    > If the phone company does not offer such a protection, they are in a manner condoning such abuse, are they not?

    Every phone provider has this feature.... you just need to call in and get it added. This would be the customer's fault, why would MTS or any other phone company have this on by default?

    I am totally with MTS on this one, if you are in the business of installing VOIP phones and securing them, then you get hacked, tough luck buttercup. The way I see it, YOU are responsible for your own shit, end of story. If someone breaks into your wireless router and hacks the planet you better bet that heat is coming down on you. Maybe in your world the cops would brush you off in a few seconds, but the reality of the situation is that it will be quite different, I assure you :)

  • Re:Bulgaria? (Score:3, Insightful)

    by Frosty Piss ( 770223 ) on Friday December 19, 2008 @04:10PM (#26176519)

    The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough.

    $50K not high enough? Huh.

    But anyway, given that it can't have cost the Canadian telecom anywhere *near* $50K, and it was clearly fraud, shouldn't they prorate this guy's bill to *cost* or a little more? Demanding the full $50K is unfair.

  • by michaelwv ( 1371157 ) on Friday December 19, 2008 @04:11PM (#26176533)
    "It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.
  • by IceCreamGuy ( 904648 ) on Friday December 19, 2008 @04:22PM (#26176673) Homepage
    Because the water company doesn't own the pipe six inches to the left, and the company that got their water hijacked was a "pipe security" company.
  • Re:Ha ha (Score:3, Insightful)

    by Richard_at_work ( 517087 ) on Friday December 19, 2008 @04:34PM (#26176811)

    > In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.
    >
    > How is it not fraudulent behaviour to collect on services that amounted from theft?

    Because it should not be the service provider's responsibility to police their customers (come on guys, doesn't that sound awfully familiar?), especially when their customers can provide their own equipment and the service provider cannot legally force equipment limitations.

    In short, the telephone company in this instance did *exactly* what they were contracted to do - why the hell should they suffer (and they will suffer, they are out of pocket on the international termination charges) through no fault of their own?

    It's time the customer starts taking *some* responsibility. Secure your system or pay the penalty.

  • hmmmm (Score:3, Insightful)

    by dissolved ( 887190 ) on Friday December 19, 2008 @04:38PM (#26176887)
    I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsibility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.
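
The two checks described in the comments above (Dzimas's report on billing totals that are n times a customer's long-term average, and the roughly $100 foreign-spend flag dissolved describes), as an added example that is not part of the original thread. It is Python run over constructed call records; the record layout, account names, baseline figures and home country code are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs): account, start time,
# destination country code, billed cost in dollars. Not real data.
SAMPLE_CDRS = [
    ("acct-1", "2008-12-01T09:10", "CA", 1.20),
    ("acct-1", "2008-12-02T23:40", "BG", 45.00),
    ("acct-1", "2008-12-02T23:55", "BG", 60.00),
    ("acct-1", "2008-12-03T01:15", "BG", 900.00),
    ("acct-2", "2008-12-01T10:00", "CA", 3.00),
    ("acct-2", "2008-12-04T11:30", "US", 12.00),
]
# Hypothetical long-term average monthly bill per account (assumed values).
BASELINE = {"acct-1": 40.00, "acct-2": 55.00}


def flag_toll_fraud(cdrs, baseline, home="CA", intl_limit=100.0, multiplier=20):
    """Return (account, rule, timestamp, running_total) alerts in call order.

    "intl_spend": month-to-date spend to non-home countries passes intl_limit.
    "spike": month-to-date total passes multiplier x the long-term average.
    Each rule fires once per account per month, on the call that crosses it.
    """
    total = defaultdict(float)   # (account, month) -> all billed cost
    intl = defaultdict(float)    # (account, month) -> non-home billed cost
    fired = set()                # ((account, month), rule) already alerted
    alerts = []
    for account, ts, country, cost in sorted(cdrs, key=lambda r: r[1]):
        key = (account, datetime.fromisoformat(ts).strftime("%Y-%m"))
        total[key] += cost
        if country != home:
            intl[key] += cost
        checks = [("intl_spend", intl[key], intl_limit)]
        if account in baseline:  # no baseline means no spike rule for it
            checks.append(("spike", total[key], multiplier * baseline[account]))
        for rule, value, limit in checks:
            if value > limit and (key, rule) not in fired:
                fired.add((key, rule))
                alerts.append((account, rule, ts, round(value, 2)))
    return alerts


if __name__ == "__main__":
    for alert in flag_toll_fraud(SAMPLE_CDRS, BASELINE):
        print(alert)
```

Evaluating each call as it is rated, rather than once per billing cycle, is what lets the alert fire on the call that crosses the threshold instead of when the paper bill arrives.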
  • by Anonymous Coward on Friday December 19, 2008 @05:18PM (#26177481)

    >> "Hint - the mechanic's car is usually fixed last, if ever."
    > Care to try and back that statement up?

    I can't back that statement up, but in Norway we have a saying that goes:

    "Skomakerens barn"

    Which means "The shoemaker's children". And is a reference that the shoemaker's children never have good shoes. Which of course is just a saying - but the implication is that if you work with something, you don't take care of yourself/your family - in the field of your speciality.

    It's just like us computer people. We don't repair our family members' computers after leaving our teenage years.

  • Re:Some Math (Score:4, Insightful)

    by LackThereof ( 916566 ) on Friday December 19, 2008 @05:38PM (#26177805)

    Well, there's three reasons I can see.

    This company probably didn't have an international calling plan of any sort, so they were stuck paying whatever obscene rate the local phone company charges for international calls, a la carte.

    Also, the phreakers probably had multiple lines in action at any given time, so it wouldn't have taken too terribly long to rack up a large number of minutes.

    Lastly, HUB probably didn't notice that anything was going on, until they got the paper bill in the postal mail. With a monthly billing cycle, plus an extra two or three weeks to receive the bill after the end of the cycle (and then a few weeks past that for the accounts payable clerk to bring it to the attention of the owner), I can imagine that this slipped by unnoticed for a long time.

  • Re:WTF? (Score:5, Insightful)

    by poot_rootbeer ( 188613 ) on Friday December 19, 2008 @06:10PM (#26178275)

    this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

    The customer equipment that got compromised was a goddamn PBX. He should have been watching it himself for signs of abnormal usage.

  • Re:WTF? (Score:3, Insightful)

    by fm6 ( 162816 ) on Friday December 19, 2008 @06:33PM (#26178585) Homepage Journal

    He's reporting a $50,000 fraud. Exactly how does one go about keeping that out of the news?

  • by NeuralAbyss ( 12335 ) on Friday December 19, 2008 @07:06PM (#26178955) Homepage

    The real issue there is that receiving a message, with no way to block it, costs the recipient money.

    In what sort of world does that make sense?

  • by Myrddin Wyllt ( 1188671 ) on Friday December 19, 2008 @08:06PM (#26179567)

    Either you don't know any mechanics personally, or the mechanics you deal with are shitty ones. I've seen engines so spotless that you can eat off them, with brand new bolts everywhere.

    That may be true when they start out - beautifully prepared and maintained, usually quite highly tuned, always immaculate; by the time they get to their mid-forties and are running their own business, working long hours to make ends meet, their own cars get just enough attention to keep running.

    My brother's first car was a beaut - Austin A35 with an MG Midget engine and a Marina back axle - hundreds of hours of work just for the joy of it. That was followed by a stream of Escort Mexicos and RS200s. As the years have passed, his own cars have become just a means of transport - minimal maintenance to keep them running then scrap 'em. Maybe he's a shitty mechanic, but since he used to service crew for WRC teams, maybe not - perhaps he's just a family man who would rather spend his spanner time putting food on the table.

  • Re:WTF? (Score:2, Insightful)

    by Dan541 ( 1032000 ) on Friday December 19, 2008 @08:09PM (#26179593) Homepage

    By not reporting it, sometimes you need to decide what's more important. $50k or your business.

  • Re:WTF? (Score:3, Insightful)

    by socsoc ( 1116769 ) on Saturday December 20, 2008 @12:01AM (#26181239)

    Yeah, because many small businesses have $50k in liquid assets just waiting to pay to a utility.

    I'm not saying that he isn't responsible, but your reasoning is a bit off.

  • by Anonymous Coward on Saturday December 20, 2008 @07:23PM (#26187121)

    He's a select certified Cisco partner. That takes a few tests which you take online, and a call to your Channel Account Manager. I got Select Status in 4 hours..

    Hardly someone who is going to secure Unified Communications Manager for the Enterprise. He can't even buy full out call manager lol.

    Food for thought... Don't give this guy as much credit as he is getting.

    PS.
    Feature 36 is not a Cisco feature, so I'm sure he couldn't afford a Demo-in-the-box you can get when you are a select partner. UC520/Couple of IP Phones/Wireless etc.
