Lucent Technologies BCS Products Security Handbook

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
About This Document 
Page xxi Lucent Technologies Toll Fraud Crisis Intervention 
Lucent Technologies Toll Fraud Crisis 
Intervention
If you suspect you are being victimized by toll fraud or theft of services and need 
technical support or assistance, call the appropriate Lucent Technologies BCS 
service:
NOTE:
These services are available 24 hours a day, 365 days a year. Consultation 
charges may apply. Intervention services are performed at no charge for 
equipment covered by warranty or service agreement.
Helplines
nIf you require application support assistance or have questions regarding 
feature functions for the DEFINITY ECS, DEFINITY G1, G2, and G3, 
System 75, or System 85 Communications Systems, associated voice mail 
systems, or other adjuncts, contact the DEFINITY Helpline:
800 225-7585
Toll Fraud Intervention Hotline800 643-2353
All systems and products; DEFINITY 
ECS and DEFINITY Communications 
Systems, System 75, System 85, 
MERLIN II, MERLIN LEGEND, MERLIN 
Plus, PARTNER II, PARTNER Plus, and 
System 25 Communications Systems 
(including associated voice mail 
systems and other adjuncts)
Technical Service Center (TSC):800 242-2121
DEFINITY ECS, DEFINITY 
Communications System, System 75, 
and System 85
(including associated voice mail 
systems and other adjuncts)
National Service Assistance Center 
(NSAC):800 628-2888
MERLIN II, MERLIN LEGEND, MERLIN 
Plus, PARTNER II, PARTNER Plus, and 
System 25 Communications Systems 
(including associated voice mail 
systems and other adjuncts) 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
About This Document 
Page xxii Related Documentation 
nFor assistance with the DEFINITY AUDIX System, call:
800 562-8349
nFor assistance with the MERLIN II, MERLIN LEGEND, MERLIN Plus, 
PARTNER II, PARTNER Plus, or System 25 Communications Systems, or 
their associated voice mail systems or other adjuncts, call:
800 628-2888
NOTE:
The above services may result in an additional charge. Intervention services 
are performed at no charge for equipment covered by warranty or service 
agreement.
Related Documentation
The security risks and preventive measures presented in this document relate 
specifically to toll fraud. This handbook is designed to work with the 
documentation for the products described in this document, and it is not intended 
as a replacement for any of the documentation available for these products. Refer 
to the 
Business Communications Systems Publications Catalog, 555-000-010, for 
more information. 
						

							Introduction 
Page 1-1 Background 
1
BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
1
1Introduction
Background
Telecommunications fraud is the unauthorized use of a company’s 
telecommunications service. This type of fraud has been in existence since the 
1950s when Lucent Technologies first introduced Direct Distance Dialing (DDD).
In the 1970s Remote Access became a target for individuals seeking 
unauthorized network access. Now, with the added capabilities of voice mail and 
automated attendant services, customer premises equipment-based toll fraud has 
expanded as a new type of communications abuse.
Today, security problems are not just limited to toll fraud. There have been sharp 
increases in reported incidents of hackers: criminals skilled in reprogramming 
computer systems, accessing telecommunications systems through remote 
administration or maintenance ports. These ports cannot be used to place phone 
calls, but hackers can gain control over the setup of the system. Through these 
ports, hackers create security “holes” to allow unauthorized calling — a serious 
form of electronic vandalism.
A company’s “information resources” are yet another target for modern criminals. 
They are invading voice mailboxes and eavesdropping on cellular phone calls to 
obtain proprietary information about your products or your customers. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-2 Who is the Enemy? 
1
Who is the Enemy?
Hackers and Phreakers
Hackers and “phreakers” (phone freaks) use personal computers, random 
number generators, and password cracking programs to break into even the most 
sophisticated customer premises equipment-based system if it has not been 
adequately secured. Once a hacker penetrates a network and provides 
instructions to toll call sellers, large volumes of unauthorized calls can be made 
from the switch. Severe cases of communications abuse can also reduce revenue 
and productivity when employees are unable to dial out and customers are unable 
to call in.
These people are criminals, as defined by the United States Secret Service and 
Title 18 Section 1029 of the United States Criminal Code. They attempt to find 
your weakest link and break it. Once they have compromised your system, they 
will use your system resources to break into another system, and/or advertise that 
they have broken your system and how they did it. They will also sell this 
information to a call sell operator. Some hackers command up to $10,000.00 a 
week for stolen codes.
Call Sell Operations
Most of the high dollar theft comes from call sell operations. These operations 
vary from a pay phone thief, who stands next to a pay phone and “sells” discount 
calls through your system, to a full-blown call sell operation.
A full-blown operation might involve a one-room apartment (rented under an 
assumed name) with 30 to 40 phones (lines from the phone company are under 
the same assumed name). The general pitch is that for a flat fee you can call 
anywhere in the world and talk as long as you like. The seller takes the money 
and places the call for the buyer, and then walks away so he will not get caught. 
Needless to say, a victimized company is paying for the actual call.
The call sell operation is open round-the-clock, and when the victimized company 
stops the abuse, the call sell operator moves on to the next number. In a month or 
two the call sell operator just disappears (and will usually resurface at another 
apartment with another 30 phones and a way into your system).
The toll fraud industry is growing fast. Originally, the majority of toll fraud was 
based in New York, NY. Now call sell operations are springing up in Miami, FL, 
Chicago, IL, Los Angeles and San Francisco, CA, and other locations around the 
country, even throughout the world.
Call sell operations are dependent on calling card numbers or other means to 
fraudulently use a customer premises equipment-based system. The major calling 
card vendors monitor calling card usage and shut down in a matter of minutes  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-3 What is in a Loss? 
1
after detecting the fraud. However, call sell operators know that the traffic on most 
customer premises equipment-based systems is not monitored.
That is why a calling card on the street sells for $30.00 and a customer premises 
equipment-based system code (called a Montevello) sells for up to $3,000.00.
Drug Dealers
Drug dealers want phone lines that are difficult to trace so they can conduct their 
illicit narcotic dealings. For this reason, drug dealers are more likely to route their 
calls through two or more communications systems (PBXs) or voice mail systems 
before a call is completed. This is called “looping.” Law enforcement officers 
believe that drug dealers and other criminals make up a sizeable chunk of toll 
fraud.
What is in a Loss?
Cost of the Phone Bill
There are no real numbers showing exactly how much money companies have 
lost due to toll fraud. Since some companies are not willing to disclose this 
information, it is difficult to know who has been hit and at what cost. Both small 
and large companies have been victims of what is one of the nation’s most 
expensive corporate crimes.
Lost Revenue
The cost of operational impact may be more severe than the toll charges. 
Employees cannot get outbound lines, and customers cannot call in. Both 
scenarios result in potential loss of business. 
Expenses
Additional expenses may be incurred, such as changing well-known, advertised 
numbers, service interruptions, and loss of customer confidence.
Known Toll Fraud Activity
Understanding how hackers penetrate your system is the first step in learning 
what to do to protect your company. Be aware that hackers communicate very 
well, are extremely resourceful, and are persistent. The following is a list of known 
methods hackers use to break into systems. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-4 Known Toll Fraud Activity 
1
nPBX-Based Activity
—Maintenance Port
Maintenance ports are the most recent target of abuse. In this 
scenario, hackers find a PBX maintenance port number with their 
“war dialer,” a device that randomly dials telephone numbers until a 
modem or dial tone is obtained. They then “hack” the user ID and 
password, sometimes just by using the PBX default passwords, to 
enter your system. Good password selection decreases the 
possibility of being hacked via the maintenance port to virtually zero.
This is the most dangerous type of abuse because once in your 
system, the hackers have control over all the administrative 
commands. While in your system, they have been known to:
— Turn on Remote Access or Direct Inward System Access 
(DISA). (On some communications systems, this is a “yes” or 
“no” option.) These situations can be difficult to detect.
Hackers have been known to change the system at 8:00 p.m. 
to allow fraudulent calls. Then, at 3:00 a.m., they reprogram 
the system back to its original configuration. One company 
was hit three weekends in a row before they realized what 
was happening.
— Turn off Call Detail Recording (CDR) or Station Message 
Detail Recording (SMDR) and hack your system all weekend, 
and then turn it back on before Monday morning. This is 
especially disturbing to managers who are security conscious 
and check the CDR/SMDR reports every morning looking for 
suspicious activity. They will not see records of the calls 
because CDR/SMDR was turned off by the hackers. The 
administrator may notice the absence of CDR/SMDR records 
for evening, night, and weekend calls made by employees.
—Voice Mail
There are two types of voice mail fraud. The first type, which is 
responsible for the bulk of equipment-related toll fraud loss, relies on 
misuse of the call transfer capabilities of voice mail systems. Once 
thieves transfer to dial tone, they may dial a Trunk Access Code 
(TAC), Feature Access Code or Facility Access Code (FAC), or 
extension number.
If the system is not properly secured, thieves can make fraudulent 
long distance calls or request a company employee to transfer them 
to a long distance number.
The second type of voice mail fraud occurs when a hacker accesses 
a mailbox to either take it over or simply access the information 
stored within it. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-5 Known Toll Fraud Activity 
1
In the first situation, a hacker dials either 9 or a TAC that allows the 
call to be transferred to the outgoing facilities. In the second 
situation, a hacker typically hacks the mail password and changes it 
along with the greeting. This gives the hacker access to proprietary 
corporate information.
—Automated Attendant
Auto Attendants are used by many companies to augment or 
replace a switchboard operator. When an Auto Attendant answers, 
the caller is generally given several options. A typical greeting is: 
“Hello, you’ve reached XYZ Bank. Please enter 1 for Auto Loans, 
2for Home Mortgages. If you know the number of the person you 
are calling, please enter that now.”
In some Auto Attendants, option 9 is to access dial tone. In addition, 
when asked to enter an extension, the hacker enters 9180 or 9011. 
If the system is not properly configured, the Auto Attendant passes 
the call back to the PBX. The PBX reacts to 9 as a request for a dial 
tone. The 180 becomes the first numbers of a 1-809 call to the 
Dominican Republic. The 011 is treated as the first digits of an 
international call. The hacker then enters the remaining digits of the 
phone number and the call is completed. You, the PBX owner, pay 
for it. This hacker scenario works the same way with a voice mail 
system.
—Remote Access/Direct Inward System Access (DISA)
Remote Access or DISA is designed to allow remote users to 
access a PBX to place long distance calls as if they were at the 
same site as the PBX. Because of the potential cost savings, many 
PBX owners use DISA instead of calling cards; however, Remote 
Access opens the door for fraudulent calls by thieves.
Hackers are able to locate the DISA feature with the use of a war 
dialer, explained previously. After finding a number, the device 
searches for barrier codes.
If the system allows uninterrupted, continuous access, a war dialer 
can crack a 6-digit code within 6 hours. The codes are then 
distributed via bulletin boards or pirated voice mailboxes, or are sold 
to call sell operators. Some systems hang up after a specified 
number of invalid access attempts, thereby extending the amount of 
time required to crack the code. However even if a hacker is 
disconnected, he or she may call back repeatedly in an attempt to 
crack the code. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-6 Known Toll Fraud Activity 
1
nNetwork-Based Activities
—Shoulder Surfing
Network hackers use video cameras in airports supposedly to take 
pictures of their family, but they are actually taking pictures of people 
using their calling cards. Hackers may also use an audio tape 
recorder to capture calling card numbers as they are spoken to an 
operator. This technique is known as “Shoulder Surfing.”
—Social Engineering
“Social Engineering” is a con game hackers frequently use. It is 
sometimes referred to as “Operator Deceit.” The success of this con 
requires gullibility or laxity on the part of the operator or employee, 
of which the hacker takes full advantage.
For example, hackers call an employee, claim to have the wrong 
extension number, and ask to be transferred back to the operator. 
The call looks to the operator like an internal call. The hacker then 
asks for an outside line. Often, because operators do not know any 
better, they will connect the hacker to an outside line.
Another example of social engineering is a hacker calling the 
operator and pretending to be a telephone maintenance repair 
person. They make statements like: “I am a qualified telephone 
repairman testing your lines. Please transfer me to 900 or 9#;” or “I 
need to verify your DID number range.” An untrained operator may 
provide the requested transfer or information, giving the hacker 
more ammunition with which to crack your system.
— Dumpster Diving
Hackers obtain switch and security information by browsing through 
company trash cans. They are looking for discarded phone bills, 
corporate phone directories, and access codes. The “found” 
information can be used to make fraudulent calls.
—Alternate Carrier Access
If your system is not secure, hackers can dial out by using carrier 
codes that bypass routing restrictions you have placed on your 
primary carrier’s features.
—Looping
Looping is a method that call sell operators use to circumvent 
restrictions that IXCs (Interexchange Carriers) put in the networks to 
control calling card fraud. All carriers block calling card calls bound 
for the 809 area code (to the Dominican Republic) that originate in 
New York, NY. This is because the Dominican Republic is a 
common destination for stolen phone calls. If call sell operators are 
able to obtain a dial tone from a PBX but are not able to dial 809 or 
011 directly, they will revert to looping. They could dial an 800 
number outbound from the PBX. The 800 number could be to 
another PBX or could be a calling card or operator access number.  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-7 Known Toll Fraud Activity 
1
Examples include, but are not limited to the following 800 numbers: 
1 800 COLLECT, 1 800 CALLATT, and 1 800 GETINFO. They could 
also dial 950 carrier access numbers.
Lastly, they can dial various 10xxx carrier access codes. In any 
case, they can still use the PBX to place a fraudulent call. If the PBX 
is not in New York, NY, they can use the calling card. Use of the 
10xxx codes could allow for direct billing to the PBX. It is not 
uncommon for hackers to “loop” through as many as five 
communications systems before completing the fraudulent call.
— Call Diverters
A call diverter is a device used to forward calls to a different location, 
usually after business hours. These are normally used for smaller 
businesses who forward their calls to an answering service after 
hours.
When hackers find a number they suspect is using a call diverter, 
they call the number. When the call is answered, the hacker claims 
to have misdialed or remains silent. Then when the caller hangs up, 
the call diverter sometimes gives the hacker dial tone before the 
disconnect is completed. The hacker then seizes the dial tone and 
uses it to place fraudulent long distance calls.
— Beeper and/or Pager Scam
A scam directed at pagers and beepers is as follows. Many of the 
Local Exchange Carriers (LECs) have run out of numbers in the 976 
prefix, so they are using other prefixes that work the same as 976. 
That is, the calling party gets charged for the call at a rate set by the 
owner of the number.
The 976-look-alike numbers are constantly expanding. They 
include, but are not limited to the following:
202-915-xxxx 315-970-xxxx 516-970-xxxx 716-550-xxxx
206-960-xxxx 401-940-xxxx 518-540-xxxx 716-970-xxxx
207-940-xxxx 402-960-xxxx 518-550-xxxx 718-540-xxxx
208-960-xxxx 410-915-xxxx 518-970-xxxx 718-550-xxxx
212-540-xxxx 412-556-xxxx 602-676-xxxx 718-970-xxxx
212-550-xxxx 413-550-xxxx 603-940-xxxx 719-898-xxxx
212-970-xxxx 413-940-xxxx 605-960-xxxx 801-960-xxxx
215-556-xxxx 504-636-xxxx 607-540-xxxx 804-268-xxxx
301-915-xxxx 505-960-xxxx 607-550-xxxx 804-844-xxxx
303-960-xxxx 507-960-xxxx 607-970-xxxx 817-892-xxxx
307-960-xxxx 508-940-xxxx 617-550-xxxx 914-540-xxxx 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Introduction 
Page 1-8 Known Toll Fraud Activity 
1
The fee charged for calling these numbers can range upwards of 
$250 per call. As already stated, the fee is set by the owner of the 
number. Unscrupulous people who own these numbers call around 
the country inserting these numbers into pagers to get the users to 
return the call so that they can collect the fee. Consult your LEC for 
a list of 976-look-alike numbers in your exchange.
This same scam could also easily apply to messages left on voice 
mail. The person could state, “I’m John Doe calling from XYZ. 
Please return my call at 212-540-xxxx.” When you return the call, 
you are charged $50.00.
Another slant to this scam is carried out by messengers who deliver 
parcels to your office. They will ask to use your company’s phone to 
call their office. Then they call one of these 976-look-alike numbers 
and stay on the line for a minute or two. Your company then gets the 
bill for a $250 call that lasted only a couple of minutes.
— Internal Abuse
Unfortunately, not all toll fraud is generated from “outsiders.” Many 
times it can be traced to internal employees who either sell the 
information or abuse the system for their own gain.
—Call Forwarding Off-Premises
Call forwarding can be programmed to forward calls internally 
(within the PBX) or off-premises. If off-premises call forwarding is 
allowed, unscrupulous employees can take advantage of it. They 
forward the phone to a number (usually their home number). They 
tell their friends and family to call the company’s 800 number and 
insert the employee’s extension number. The call is forwarded to the 
employee’s home phone, and the company foots the bill for the call.
308-960-xxxx 512-766-xxxx 617-940-xxxx 914-550-xxxx
315-540-xxxx 516-540-xxxx 703-844-xxxx 914-970-xxxx
315-550-xxxx 516-550-xxxx 716-540-xxxx