*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
        -=[SD]=-  Sepulchral Darkness  -=[SD]=-
                     presents :
                French PBX Toll Fraud
         Brought to you by : ---=[AZTECH]=---
               Sepulchral Darkness '95
                All Rights Worth Shit
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

-=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=-

In France it is estimated that PBX trunk fraud (toll fraud) costs companies over $220 million a year. Criminal phreakers figure out how to access PBXs owned by businesses and then sell the long-distance calling capacity provided by these systems to the public.

In European markets where PSTN to PSTN connections are illegal it has not to date been such an issue. However, for a number of reasons this is likely to change. Trunk to trunk connection barring through PBXs is expected to be deregulated throughout Europe.

The telecom industry has done more this year to prevent toll fraud than at any other time. Yet toll fraud losses will top more than $2 billion again this year. If you aren't doing anything to prevent being hit, it's not a matter of if you'll be hit, it's when you'll be hit and for how much. So, here are some low-cost ways to stop toll fraud, or at least lessen the blow if you do get hit.

Increasing numbers of international companies have private networks and provide DISA (Direct Inward System Access) access to employees. Such companies are prime victims for phreaking. For example, a phone hacker can access the network in the UK, France, or Germany and break out in another country where it is legal to make trunk to trunk calls, and from that point they can call anywhere in the world.

Voice mail is taking off across Europe. This, together with DISA, is one of the most common ways phreakers enter a company's PBX. Raising these issues now and detailing precautionary measures will enable companies to take steps to reduce such frauds. The following looks at the current situation in France.

In France a whole subculture, like a real phone underground culture, of these technology terrorists is springing up on city streets. Stolen access codes are used to run call-sell operations from phone booths or private phones. The perpetrators offer international calls for circa FF 20, which is considerably less than it could cost to dial direct. When calls are placed through corporate PBXs rather than carrier switches, the companies that own the PBXs end up footing the bill.

What are the warning signs that your own communication systems are being victimized by toll fraud? In inbound call detail records, look for long holding times, an unexplained increase in use, frequent use of the system after normal working hours, or a system that is always busy. In records of outbound calls, look for calls made to unusual locations or international numbers, high call volumes, long duration of calls, frequent calls to premium rate numbers and frequently recurring All Trunks Busy (ATB) conditions.

Toll fraud is similar to unauthorized access to mainframe computers or hacking. Manufacturers such as Northern Telecom have developed security features that minimize the risk of such theft. Telecommunication managers, however, are the only ones who can ensure that these features are being used to protect their systems from fraud.

Areas of Intrusion Into Corporate Systems:

PBX features that are vulnerable to unauthorized access include call forwarding, call prompting and call processing features. But the most common ways phreakers enter a company's PBX are through DISA and voice mail systems. They often search a company's rubbish for directories or call detail reports that contain a company's own '05' numbers and codes. They have also posed as system administrators or France Telecom technicians and conned employees into telling them PBX authorization codes.
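
The call detail record warning signs listed above (after-hours use, long holding times, international and premium-rate destinations) can be checked mechanically. The sketch below is an added example, not part of the original article or of any PBX vendor's tooling; the CSV layout, the dialing prefixes, the thresholds and the function names are all assumptions chosen for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in a simplified CSV layout (an assumption; real PBX CDR
# formats differ): start time, direction, trunk, dialed number, seconds.
SAMPLE_CDR = """\
1995-03-06 10:12,OUT,T01,0147000001,180
1995-03-06 23:41,OUT,T02,0012125550100,5400
1995-03-07 02:05,OUT,T02,0012125550101,4800
1995-03-07 02:07,OUT,T03,3665000001,2400
1995-03-07 03:30,IN,T04,,7300
1995-03-07 09:30,OUT,T01,0147000002,240
"""

INTL_PREFIXES = ("00",)     # assumed international access code, set per site
PREMIUM_PREFIXES = ("36",)  # assumed premium-rate prefix, set per site
WORK_HOURS = range(8, 19)   # 08:00-18:59 treated as normal working hours
LONG_CALL_SECONDS = 3600    # "long holding time" threshold, tune per site

def flag_record(row):
    """Return the article's warning signs that a single CDR row matches."""
    start, direction, _trunk, dialed, seconds = row
    when = datetime.strptime(start, "%Y-%m-%d %H:%M")
    flags = []
    if when.hour not in WORK_HOURS or when.weekday() >= 5:
        flags.append("after-hours")
    if int(seconds) >= LONG_CALL_SECONDS:
        flags.append("long-duration")
    if direction == "OUT" and dialed.startswith(INTL_PREFIXES):
        flags.append("international")
    if direction == "OUT" and dialed.startswith(PREMIUM_PREFIXES):
        flags.append("premium-rate")
    return flags

def review(cdr_text, min_flags=2):
    """Return rows matching at least min_flags signs and a per-sign tally."""
    hits, tally = [], Counter()
    for row in csv.reader(io.StringIO(cdr_text)):
        if not row:
            continue
        flags = flag_record(row)
        tally.update(flags)
        if len(flags) >= min_flags:
            hits.append((row, flags))
    return hits, tally
```

Only the per-record signs are covered here; unexplained volume increases and recurring All Trunks Busy conditions need a baseline of normal traffic to compare against.
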

More sophisticated hackers use personal computers and modems to break into databases containing customer records showing phone numbers and voice mail access codes, or simply dial '05' numbers with the help of sequential number generators and computers until they find one that gives access to a phone system. Once these thieves have the numbers and codes, they can call into the PBX and place calls out to other locations.

In many cases, the PBX is only the first point of entry for such criminals. They can also use the PBX to access the company's data system. Call-sell operators can even hide their activities from law enforcement officials by using PBX-looping, that is, using one PBX to place calls out through another PBX in another state.

Holding the Line - Steps That Reduce Toll Fraud:

Northern Telecom's Meridian 1 systems provide a number of safety features to guard against unauthorized access. It is the most popular PBX phreaked in France. The following information highlights Meridian 1 features that can minimise such abuse.

DISA Security:

The DISA feature allows users to access a company's PBX system from the public network by dialing a telephone number assigned to the feature. Once the system answers the DISA call, the caller may be required to enter a security code and authorisation code. After any required codes are entered, the caller, using push button tone dialling, is provided with the calling privileges, such as Class of Service (COS), Network Class of Service (NCOS) and Trunk Group Access Restrictions (TGAR), that are associated with the DISA DN or the authorisation code entered.

To minimize the vulnerability of the Meridian 1 system to unauthorized access through DISA, the following safeguards are suggested:

1) Assign restricted Class of Service, TGAR and NCOS to the DISA DN;
2) Require users to enter a security code upon reaching the DISA DN;
3) In addition to a security code, require users to enter an authorization code.
   The calling privileges provided will be those associated with the specific authorization code;
4) Use Call Detail Recording (CDR) to identify calling activity associated with individual authorization codes. As a further precaution, you may choose to limit printed copies of these records;
5) Change security codes frequently;
6) Limit access to administration of authorization codes to a few, carefully selected employees.

Meridian Mail Security:

Northern Telecom's Meridian Mail voice messaging system is also equipped with a number of safeguarding features. The features that allow system users to dial out, namely Through-Dial, Operator Revert and Remote Notification (Outcalling), should be controlled to reduce the likelihood of unauthorised access. The following protective measures can be used to minimise toll fraud:

Voice Security Codes - Set security parameters for Through-Dial using the Voice Security Options prompt from the Voice Systems Administration menu. This prompt will list restricted access codes to control calls placed using the Through-Dial function of Meridian Mail. An access code is a prefix for a telephone number or a number that must be dialled to access outside lines or long-distance calling. If access codes are listed as restricted on the Meridian Mail system, calls cannot be placed through Meridian Mail to numbers beginning with the restricted codes. Up to ten access codes can be defined.

Voice Menus - With the Through-Dial function of Voice Menus, the system administrator can limit dialling patterns using restricted dialling prefixes. These access codes, which are defined as illegal, apply only to the Through-Dial function of each voice menu. Each Through-Dial menu can have its own restricted access codes. Up to ten access codes can be programmed. Meridian Mail also allows system administrators to require that users enter an Access Password for each menu.
In this way, the Through-Dial menu can deny unauthorized callers access to Through-Dial functions, while allowing authorised callers access.

Additional Security Features - The Secured Messaging feature can be activated system-wide and essentially blocks external callers from logging in to Meridian Mail. In addition, the system administrator can establish a system-wide parameter that forces users to change their Meridian Mail passwords within a defined time period. Users can also change their passwords at any time when logged in to Meridian Mail. The system administrator can define a minimum acceptable password length for Meridian Mail users. The administrator can also determine the maximum number of times an invalid password can be entered before a log-on attempt is dropped and the mailbox log-on is disabled.

Some of the features that provide convenience and flexibility are also vulnerable to unauthorized access. However, Meridian 1 products provide a wide array of features that can protect your system from unauthorised access. In general, you can select and implement the combination of features that best meets your company's needs.

General Security Measures:

Phone numbers and passwords used to access DISA and Meridian Mail should only be provided to authorized personnel. In addition, call detail records and other reports that contain such numbers should be shredded or disposed of in an appropriate manner for confidential material. To detect instances of trunk fraud and to minimize the opportunities for such activity, the system administrator should take the following steps frequently (the frequency is determined on a per site basis according to need):

1) Monitor Meridian 1 CDR output to identify sudden unexplained increases in trunk calls.
   Trunk to trunk/Tie connections should be included in CDR output;
2) Review the system database for unauthorised changes;
3) Regularly change system passwords, and DISA authorisation and security codes;
4) Investigate recurring All Trunks Busy (ATB) conditions to determine the cause;
5) If modems are used, change access numbers frequently, and consider using dial-back modems;
6) Require the PBX room to be locked at all times. Require a sign-in log and verification of all personnel entering the PBX room.

Two Practical Cases:

Bud Collar, electronic systems manager with Plexus in Neenah, Wis., transferred from its payphone operations branch. As the PBX manager, he's blocked all outside access to his Northern Telecom Meridian 1 and Meridian Mail. Just in case a phreaker does gain access, Collar bought a $600, PC-based software package from Tribase Systems in Springfield, NJ, called Tapit. With Tapit, Collar runs daily reports on all overseas call attempts and completions. But the drawback to Tapit is that by itself it has no alarm features, so if a phreaker does get in, Collar won't know about it until he runs the next report. Tribase does offer Fraud Alert with alarms for $950, but Collar chose not to use it.

Erica Ocker, telecom supervisor at Phico Insurance in Mechanicsburg, PA, also wanted to block all of her outside ports. But she has maintenance technicians who need routine access, so she needed a way to keep her remote access ports open without opening up her Rolm 9751 to toll fraud. The solution was to buy LeeMah DataCom Security Corp.'s TraqNet 2001. For $2,000, Ocker got two secured modems that connect to the maintenance port on her PBX and to her Rolm Phone Mail port. When someone wants to use these features, they dial into the TraqNet and punch in their PIN number. TraqNet identifies the user by their PIN and asks them to punch in a randomly selected access code that they can only get from a credit card-sized random number generator, called an InfoCard.
That access code matches the codes that are generated each time the TraqNet is accessed. The TraqNet 2001 is a single-line model that supports up to 2,304 users for $950. More upscale models can support up to 32 lines and run call detail reports, but they cost as much as $15,000. InfoCards each cost an additional $50.

Conclusions:

The ultimate solution will be, as I read in a French consultancy review,

The more pleasant story directly linked with French phreaking was the night that I saw on my TV screen in Paris a luxurious computer ad for the Dell micro-computers. At the end of the ad, a toll-free number was presented in green: 05-444-999. I immediately phoned this number ... and found the well-known voice of all French Northern Telecom's Meridian Mail saying in English: "For technical reasons, your call cannot be transferred to the appropriate person. Call later or leave a message after the tune." The dial of 0* gave the open door to more than Dell information. My letter to this company already is without (free voice-) answer!

Jean-Bernard Condat, General Secretary
Chaos Computer Club France [cccf]
First European Hacking, Phreaking & Swapping Club
Address: B.P. 8005, 69351 Lyon cedex 08, France.
Phone: +33 1 47874083; Fax: +33 1 47874919; E-mail: cccf@altern.com

-=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=- -=[SD]=-