Long Distance Theft - Your Best Line of Defence

Telus, 8/98

As your business grows, it could be attacked by Long Distance thieves. Theft of long distance service is big business in North America. In the United States alone, losses to toll fraud amount to billions of dollars annually.

Know the enemy

Two types of phone criminals generate the majority of toll fraud. The first are organized groups who sell stolen long distance for profit. Call-sell operations are a growing phenomenon and can result in massive losses in a very short time. Many of these operations involve seasoned cons who not only sell stolen long distance and voice-mail services, but use the services for their own illegal activities. The second type are the "Phone Phreaks" - hackers who do it for entertainment and, sometimes, for profit.

Take defensive action

Both types of these fraud criminals can, in a very short time, steal huge volumes of long distance, causing a serious financial blows to your business or organization. Knowledge is your most effective weapon in combating toll fraud. If you know your enemies and their tactics, then you can take a defensive line of action to protect your organization.

Know the enemy's tactics

• Toll fraud comes in many different forms. These are some of the ways that thieves steal long distance.
• They break into your PBX, Centrex and voice-mail system and place calls as if they originated from your system.
• They use your Direct Inward System Access (DISA) to make network calls.
• They use remote access and maintenance ports to reconfigure your PBX or voice-mail system.
• They use your toll-free numbers (1-800 & 1-888) and make calls that you did not intend to, or want to pay for.
• They use your voice-mail system to provide service for others.
• They use your voice-mail system to make collect calls.
• They use your automated system to call your own security department and advise them to ignore the alarms.
• They use your modem ports to gain access to your PBX.
• They use your company Calling Card numbers to place international calls.
• They go through your trash - commonly know as dumpster diving - searching for access and authorization codes.
• They use your printed internal phone directory to contact and attempt to recruit your employees.
• They con your switchboard and reception staff into accepting and putting through long distance calls, a technique known as "social engineering".
• They make international calls on your telephone number by employing a third-number billing scam.
• They "shoulder surf" using payphones at airports or other public locations to obtain Calling Card numbers and authorization codes by looking over callers' shoulders.

Understand the danger

One of the most serious threats of toll fraud for a business is remote access fraud. Any company with a PBX or voice-mail system is vulnerable. The most commonly used PBX entry point is the Direct Inward System Access (DISA). DISA privileges are generally intended for traveling employees who call into their company's PBX, enter an authorization code, and then make long distance calls using the corporate network.

Thieves gain access to a PBX by obtaining valid DISA numbers and corresponding authorization codes. They acquire these by hacking through the system themselves, shoulder surfing, buying them from other hackers, or by digging through your trash looking for call-detail reports that list access or authorization codes and any other information that will help them break into a PBX. They may also call employees and ask for authorization codes, claiming to work for the telephone company or to be the telecom manager. Once inside the system, they can place a host of long distance calls that will be billed to the company.

Remote system administration is another area that can be vulnerable to unauthorized access. Remote system administration, or maintenance ports, allow PBX technicians to access, adjust and troubleshoot both system software and hardware components. Without proper safeguards thieves can dial into the remote access port and, once they crack the password, can reprogram the system memory to allow international calls, enable the DISA feature, turn off Call Detail Recording, and create authorization codes.

The same applies for voice-mail systems. Without proper safeguards, thieves can access these systems, and from there the public telephone network. There are also cases of thieves taking over voice-mail systems using mailboxes to exchange lists of long distance codes, coordinate drug shipments, sell stolen bank cards and Calling Card numbers, and solicit customers for prostitution rings.

Once a system has been breached, the theft of long distance can occur at an alarming rate. Some Canadian businesses have been hit for $25,000 to $30,000 in a single weekend. In the United States, one company incurred a loss of $250,000 before discovering the fraud.

Understanding the liability

Our tariffs state that if a call has passed through, or originates with the customer's equipment, the customer is liable for the charges associated with the call.

If you do become a casualty

Unfortunately, even employing the measures outlined here cannot offer a 100 percent guarantee that your company will not be attacked by long distance thieves and hackers. While a good security program will vastly reduce your risk, these criminals are persistent and resourceful.

Therefore it is important that your battle plan includes a set of policies and procedures to be followed in the event that you suspect you are a victim of toll fraud. The key is to establish your company policy ahead of time, because the meter of your long distance bill will still be running while you decide what to do.

Some actions to consider

• Use your PBX trouble report contact number to report that your PBX has been compromised.
• Close down your system immediately.
• Change all passwords.
• Call your long distance carrier:
• TELUS Residential Customers 310-2255
• TELUS Business Customers 310-3100
• Call your equipment supplier.
• Call the police. You are under no obligation to make a report to the police, this is a decision your company must make. While many companies fear negative publicity, reporting the incident is the only way that prosecution can be initiated in the event that the thieves are caught. Even if they do not solve your case, the evidence the police gather may assist them in solving or prosecuting other cases.
• Gather and share evidence.
• Advise all staff of the situation.

Reporting TELUS Calling Card fraud

If you suspect that any of your company TELUS Calling Card numbers have been compromised, or if an employee has actually lost a card, report it immediately by calling 1-800-561-8888, 24 hours-a-day. We will flag the card as stolen, and take measures to stop calls from being billed to it. We will also make arrangements to issue you a new TELUS Calling Card.

For more information

If you have any questions or require advice on setting up your own telephone security measures, TELUS can help. Our experts are here to assist you and answer any questions you may have about toll fraud. If you require more information, Residential Customers call 310-2255 and Business Customers call 310-3100 or contact your TELUS account representative.