Toll Fraud: What the Big Boys Are Nervous About ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Count Zero Toll fraud is a serious problem that plagues the telecommunications industry. Recently l have acquired a collection of trashed documents detailing what AT&T and Bellcore are doing to stop these "thefts."l found these papers very enlightening and occasionally humorous. A few insights into what's bugging the telco. Toll Fraud Prevention Committee (TFPC): This is an industry-wide "forum" committee set up in conjunction with Bellcore that deals with, guess what, toll fraud. The TFPC has "super elite" meetings every once in awhile. All participants are required to sign non-disclosure agreements. Fortunately, the participants frequently toss their notes in the POTC (Plain Old Trash Can -- see. I can make stupid acronyms just like Bellcore!). As far as I'm concerned, once it's in the POTC, it's PD (public domain)! The "open issues" concerning the TFPC currently are Third Number Billing Fraud, International Incoming Collect Calls to Payphones, and Incoming Collect Calls to Cellular. Apparently, they have noticed a marked increase in third number billing fraud in California. To quote a memo, "The most prevalent fraud scams include originating from coin/copt (aka COCOTs) phones as well as business and residence service that is fraudulently established." Third party billing from COCOTs is an old trick. Another type of COCOT abuse discussed 10XXX (where XXX is the code for a certain LD carrier), the caller on the COCOT gets to choose their LD carrier. However, in some cases the LEC (Local Exchange Carrier) strips off the 10XXX and then sends the call to the lXC (Inter-Exchange Carrier, the guys that place the LD call) as a 1 + directly dialed call. So, when you dial 10XXX+O11+international number, the LEC strips the 10XXX and the IXC sees the call as directly dialed international and assumes the call has been paid for by coin into the COCOT. Dialing 10XXX+1+ACN also sometimes works for LD calls within the United States. Anyway, COCOT providers are wigging out a bit because, while they must provide 10XXX+O service, they want to block the 10XXX+1 and 10XXX+011 loopholes, but LEC's have chosen to provide COCOTs with a standard business line which is not capable of distinguishing between these different situations, which is why central offices have been typically programmed to block all types of 10XXX calls from COCOTs. Thanks to the FCC, they can't do that anymore; it's breaking the law. So COs have been reprogrammed into accepting these 10XXX calls from all COCOTs, and the burden of selectively blocking the 10XXX+1 and 10XXX+011 loopholes often falls upon the COCOT manufacturer. They gotta build lt into the COCOT hardware itself! Well, many early COCOTs cannot selectively unblock 10XXX+O, so their owners face a grim choice between ignoring the unblocking law (thereby facing legal problems), unblocking all 10XXX calls (thereby opening themselves up to massive fraud), or replacing their COCOTs with expensive, more sophisticated models. Other LECs have begun offering call screening and other methods to stop this type of fraud, but the whole situation is still pretty messy. By the way, for a comprehensive list of 10XXX carrier access codes, see the Autumn 1989 issue of 2600, page 42 and 43. While they are constantly changing, most of these should still be good. Incoming international Collect to Cellular: according to the notes when a cellular phone is turned on, it 'checks in' with the local cellular office. When this happens, a device that 'reads' radio waves can capture the identification of the cellular phone. A tremendous volume of 'cloned' fraudulent cellular calls are going to Lebanon." Same old trick, grabbing the cell phone's ESN/MIN as it's broadcast. The only twist is that you call someone's cellular phone collect in order to get them to pick up and broadcast their ESN/MIN (they will probably refuse the call, but they will have broadcast their ESN/MIN nevertheless!) But why Lebanon? The American Public Communications Council mentioned "a desire for the TFPC to be involved in the resolution of clip-on fraud." Maybe you guys should try better shielding of the phone line coming out the back of the COCOT?? Apparently, clip-on fraud has really taken off with the recent flux of new COCOTs. COCOTs operate off a plain old customer loop, so clipping onto the ring and tip outside the body of the COCOT works nicely. That is, assuming you can get at the cables and get through the insulation. Incoming International Collect: This is a big issue. A person from overseas calls a payphone collect in the United States. His/her buddy answers the payphone and says, "Sure, l accept the charges." Believe it or not, this trick works many times! Here's why. In the United States, databases containing all public telephone numbers provide a reasonable measure of control over domestic collect abuse and are available to all carriers for a per-use charge. These databases are offered and maintained by the local telephone companies (LTC). Domestic collect-to-coin calling works well, because most operator services systems in the United States query this database on each domestic collect call. Most Local Exchange Carriers in the United States also offer this database service to owners of COCOTs (for those few that accept incoming calls). However, international operators across the world do not share access to this database, just as United States international operators do not have database access overseas! The CCITT, the international consortium of telecommunications carriers, recognized this serious problem many years ago with its strong recommendation to utilize a standardized coin phone recognition tone (commonly called the cuckoo tone) on every public telephone line number. Such a tone would be easily recognized by operators worldwide, and is currently in use by many foreign telcos. The United States decided to ignore this logically sound recommendation, having already employed a numbering strategy for public telephones which, together with a reference document called the "Route Bulletin", alerted foreign operators that the called number should be checked for coin with the United States inward operator. This simple procedure greatly reduced the number of times that the foreign operator had to check with the United States operator, yet was effective at controlling abuse. Everyone slept soundly. But after the bust-up of AT&T in 1984, the local telephone companies, operating independently and under pressure to offer new services (cellular, pagers, etc.), abandoned the public phone fixed numbering strategy! In addition, in June of 1984 the FCC decided to allow the birth of private payphones (COCOTs). And, up until 1989, nothing was done to replace the fraud prevention system. Can you say "open season"? In 1989, the TFPC began seeking a solution to the growing volume of fraudulent collect calls resulting from this void in the fraud prevention architecture. Numerous solutions were explored. A primary solution was chosen. Validation database! Yes, the TFPC chose to support 100 percent the LEC database solution, with the cuckoo payphone recognition tone as one of a number of secondary solutions. This decision caused problems, problems, problems, since it was evaluated that a great number of foreign telcos would be unable to implement this database-checking routine (for a variety of technical reasons). Furthermore, because this TFPC "solution" to the United States' problem is not in conformance with international requirements, the foreign telcos view it with strong opposition as an unacceptable solution due to the additional worktime that would be incurred and the blatant unwillingness on the part of the United States to follow an effective and longstanding international standard (shit, we balked at using metrics, why not this too?). To this day, the TFPC is still bouncing around ideas for this. And the susceptibility of United States payphones to intemational incoming collect calls remains wide open. Various phone companies are currently fighting the cuckoo tone system, because they are cheap mothers and dont want to spend the estimated $500-700 per payphone to install the cuckoo tone technology. If the cuckoo tone were implemented, it would virtually eliminate the problem of international incoming collect calls. But it hasn't been .... Other brilliant "secondary" solutions recommended by the TFTP are: 1) Eliminate the ringer on the payphone. 2) Route all such calls thru a United States operator. 3) Eliminate incoming service to payphones altogether. And so on. As you can see, this is a fascinating story, and the latest TFTP meeting ended with the note "The issue was discussed at some length with the end result of it becoming a new issue." Truly the work of geniuses. In closing, I want to share with you a quote from an article I dug out from a pile of coffee grinds. It's from Payphone Exchange Magazine. The fewer the number of people aware of a primary line of defense coming down, the better. Any qualified person reading the hacker and underground publications knows that many of their articles are written by current LTC and IXC employees [or people like me who go through their garbage!]. Loose lips sink ships. Unrestricted distribution of sensitive information permits fraud. Both cost dearly. Let's stop them both today." All can say is... fuck that.