Toll Fraud

What the Big Boys Are Nervous About

by Count Zero

    Toll fraud is a serious problem that plagues the telecommunications
industry. Recently l have acquired a collection of trashed documents detailing
what AT&T and Bellcore are doing to stop these "thefts."l found these papers
very enlightening and occasionally humorous. A few insights into what's
bugging the telco.

    Toll Fraud Prevention Committee (TFPC): This is an industry-wide "forum"
committee set up in conjunction with Bellcore that deals with, guess what,
toll fraud. The TFPC has "super elite" meetings every once in awhile. All
participants are required to sign non-disclosure agreements.  Fortunately,
the participants frequently toss their notes in the POTC (Plain Old Trash
Can -- see. I can make stupid acronyms just like Bellcore!). As far as I'm
concerned, once it's in the POTC, it's PD (public domain)!

    The "open issues" concerning the TFPC currently are Third Number
Billing Fraud, International Incoming Collect Calls to Payphones, and Incoming
Collect Calls to Cellular. Apparently, they have noticed a marked increase in
third number billing fraud in California. To quote a memo, "The most prevalent
fraud scams include originating from coin/copt (aka COCOTs) phones as well as
business and residence service that is fraudulently established."  Third
party billing from COCOTs is an old trick. Another type of COCOT abuse
discussed 10XXX (where XXX is the code for a certain LD carrier), the caller
on the COCOT gets to choose their LD carrier. However, in some cases
the LEC (Local Exchange Carrier) strips off the 10XXX and then sends the call
to the lXC (Inter-Exchange Carrier, the guys that place the LD call) as a 1 +
directly dialed call. So, when you dial 10XXX+O11+international number, the
LEC strips the 10XXX and the IXC sees the call as directly dialed
international and assumes the call has been paid for by coin into the COCOT.
Dialing 10XXX+1+ACN also sometimes works for LD calls within the United
States. Anyway, COCOT providers are wigging out a bit because, while they must
provide 10XXX+O service, they want to block the 10XXX+1 and 10XXX+011
loopholes, but LEC's have chosen to provide COCOTs with a standard business
line which is not capable of distinguishing between these different
situations, which is why central offices have been typically programmed to
block all types of 10XXX calls from COCOTs. Thanks to the FCC, they can't do
that anymore; it's breaking the law.  So COs have been reprogrammed into
accepting these 10XXX calls from all COCOTs, and the burden of selectively
blocking the 10XXX+1 and 10XXX+011 loopholes often  falls  upon  the  COCOT
manufacturer. They gotta build lt into the COCOT hardware itself!

    Well, many early COCOTs cannot selectively unblock 10XXX+O, so their
owners face a grim choice between ignoring the unblocking law (thereby facing
legal problems), unblocking all 10XXX  calls  (thereby  opening themselves up
to massive fraud), or replacing their COCOTs with expensive, more
sophisticated models. Other LECs have begun offering call screening and other
methods to stop this type of fraud, but the whole situation is still pretty
messy.  By the way, for a comprehensive list of 10XXX carrier access codes,
see the Autumn 1989 issue of 2600, page 42 and 43. While they are constantly
changing, most of these should still be good.

    Incoming international Collect to Cellular: according to the notes when
a cellular phone is turned on, it 'checks in' with the local cellular office.
When this happens, a device that 'reads' radio waves can capture the
identification of the cellular phone. A tremendous volume of 'cloned'
fraudulent cellular calls are going to Lebanon." Same old trick, grabbing the
cell phone's ESN/MIN as it's broadcast. The only twist is that you call
someone's cellular phone collect in order to get them to pick up and broadcast
their ESN/MIN (they will probably refuse the call, but they will have
broadcast their ESN/MIN nevertheless!) But why Lebanon?

    The American Public Communications Council mentioned "a desire for the
TFPC to be involved in the resolution of clip-on fraud." Maybe you guys should
try better shielding of the phone line coming out the back of the COCOT??
Apparently, clip-on fraud has really taken off with the recent flux of new
COCOTs. COCOTs operate off a plain old customer loop, so clipping onto the
ring and tip outside the body of the COCOT works nicely. That is, assuming you
can get at the cables and get through the insulation.

    Incoming International Collect: This is a big issue. A person from overseas
calls a payphone collect in the United States. His/her buddy answers the
payphone and says, "Sure, l accept the charges." Believe it or not, this trick
works many times! Here's why. In the United  States, databases containing
all public telephone numbers provide a reasonable measure of control over
domestic collect abuse and are available to all carriers for a per-use charge.
These databases are offered and maintained by the local telephone companies
(LTC). Domestic collect-to-coin calling works well, because most operator
services systems in the United States query this database on each domestic
collect call. Most Local Exchange Carriers in the United States also offer
this database service to owners of COCOTs (for those few that accept incoming
calls).

    However, international operators across the world do not share access to
this database, just as United States international operators do not have
database access overseas! The CCITT, the international consortium of
telecommunications carriers, recognized this serious problem many years ago
with its strong recommendation to utilize a standardized coin phone
recognition tone (commonly called the cuckoo tone) on every public telephone
line number. Such a tone would be easily recognized by operators worldwide,
and is currently in use by many foreign telcos.

    The United States decided to ignore this logically sound recommendation,
having already employed a numbering strategy for public telephones which,
together with a reference document called the "Route Bulletin", alerted
foreign operators that the called number should be checked for coin with the
United States inward operator. This simple procedure greatly reduced the
number of times that the foreign operator had to check with the United States
operator, yet was effective at controlling abuse. Everyone slept soundly.

    But after the bust-up of AT&T in 1984, the local telephone companies,
operating independently and under pressure to offer new services (cellular,
pagers, etc.), abandoned the public phone fixed numbering strategy! In
addition, in June of 1984 the FCC decided to allow the birth of private
payphones (COCOTs). And, up until 1989, nothing was done to replace the fraud
prevention system. Can you say "open season"?

    In 1989, the TFPC began seeking a solution to the growing volume of
fraudulent collect calls resulting from this void in the fraud prevention
architecture. Numerous solutions were explored. A primary solution was chosen.

    Validation database! Yes, the TFPC chose to support 100 percent the LEC
database solution, with the cuckoo payphone recognition tone as one of a
number of secondary solutions. This decision caused problems, problems,
problems, since it was evaluated that a great number of foreign telcos would
be unable to implement this database-checking routine (for a variety of
technical reasons). Furthermore, because this TFPC "solution" to the United
States' problem is not in conformance with international requirements, the
foreign telcos view it with strong opposition as an unacceptable solution due
to the additional worktime that would be incurred and the blatant unwillingness
on the part of the United States to follow an effective and longstanding
international standard (shit, we balked at using metrics, why not this too?).

    To this day, the TFPC is still bouncing around ideas for this. And the
susceptibility of United States payphones to intemational incoming collect
calls remains wide open. Various phone companies are currently fighting the
cuckoo tone system, because they are cheap mothers and dont want to spend the
estimated $500-700 per payphone to install the cuckoo tone technology. If the
cuckoo tone were implemented, it would virtually eliminate the problem of
international incoming collect calls. But it hasn't been  ....

    Other brilliant "secondary" solutions recommended by the TFTP are:
    1) Eliminate the ringer on the payphone.
    2) Route all such calls thru a United States operator.
    3) Eliminate incoming service to payphones altogether.

    And so on. As you can see, this is a fascinating story, and the latest TFTP
meeting ended with the note "The issue was discussed at some length with the
end result of it becoming a new issue." Truly the work of geniuses.

    In closing, I want to share with you a quote from an article I dug out from
a pile of coffee grinds. It's from Payphone Exchange Magazine.

    The fewer the number of people aware of a primary line of defense coming
down, the better. Any qualified person reading the hacker and underground
publications knows that many of their articles are written by current LTC and
IXC employees [or people like me who go through their garbage!]. Loose lips
sink ships. Unrestricted distribution of sensitive information permits fraud.
Both cost dearly. Let's stop them both today."

 All can say is... f*ck that.