Home Page Front Page E-Mail March 31, 1998

S t a r t B u t t o n

by D.B. Spalding

In the past couple of weeks, a convincing "phone scam alert" has spread through U.S. Government offices and the Internet. Though the seed of this net rumor is factual, the alert has been abridged and misquoted to the extent that it's alarming ... and inaccurate.

One version of the alert (posted on the newsgroup alt.folklore.urban) goes like this:

On Saturday, 24 January 1998, Naval Air Station, Joint Reserve Base, New Orleans' Quarterdeck received a telephone call from an individual identifying himself as an AT&T Service Technician that was running a test on our telephone lines. He stated that to complete the test the QMOW should touch nine (9), zero (0), pound sign (#) and hang up. Luckily, the QMOW was suspicious and refused. Upon contacting the telephone company we were informed that by pushing 90# you end up giving the individual that called you access to your telephone line and allows him/her to place a long distance telephone call, with the charge appearing on your telephone call. We were further informed that this scam has been originating from many of the local jails/prisons. Please "pass the word."

Somehow this smelled like a net rumor, maybe even a hoax, since it follows the "Hook, Threat and Request" model that CIAC (http://ciac.llnl.gov/) identified in Internet chain letters and virus hoaxes.

I discussed this with AT&T's Network Security office (800-337-5373, security@att.com), which is referenced in some versions of the alert. The specialist I talked to had heard of the rumor, but discounted its validity as posted. He noted that it could conceivably be used against some common PBX systems.

Here's how:

1. On many PBX systems, 9 will access an outside line, 0 will request a local operator, and # ... well, most systems wouldn't know what to do with that #, so the call to the local operator would be CANCELLED. It's conceivable that calling someone on a PBX, and asking the recipient to hookflash, then dial 90#, will give the caller an outside dial tone. The caller can now make long distance calls that are charged to the hapless recipient. (See "Inmate fraud" link.)

2. This, of course, would require that

• the recipient is on a PBX system that supports 9 for accessing an outside line,
• the default "9" outside line has long distance dialing privileges (some systems require a different code to get the LD carrier) and
• the recipient doesn't see through the obvious deception ("I'm an AT&T service technician, dial this code....") and just hang up.

It's possible. It can be used as a scam, but most likely on systems that the series of numbers is known to provide a long distance dial tone. The original alert, within a single Navy installation, has some validity. The resulting net rumor, though, infers that this "90#" code works anywhere. It just ain't so. Dialing 90# on a home phone won't do squat. As to whether the calls are typically originating from jails, AT&T's rep asserted that it's rarely possible for a convict to pull such a scam. (See the exception referenced in the links.)

To get to the bottom of the source incident, I called the Naval Air Station quarterdeck in New Orleans. The petty officer who was manning the watch cheerfully confirmed that they had a clearly posted warning at the desk matching the quoted text above almost word for word. Almost. He also looked up his log for January 24, 1998, and confirmed that the duty watchstander had received a suspicious call. But the text he read me had one critical element missing from the net posts ... I'll simulate the omission here:

Service Technician that was running a test on our telephone lines. He stated that to complete the test the QMOW should

• "touch the LINE key [for an outside line], then"
• touch nine (9), zero (0), pound sign (#) and hang up.

This procedure COULD give the caller an outside line on the base's phone system. What a surprise.

So the bottom line is that this warning has some validity for certain PBXs, but no way near the "alarm factor" danger for any and all phone systems. Your office or institution phone system may be vulnerable to this technique, or this kind of technique, or even some form of "social engineering" scam for abusing phone systems. But, folks, your home phones are safe from danger. As Rob Carlson posted on alt.folklore.urban, "Being able to use one single sequence on the variety of phone switches is as silly as expecting to run an Intel machine code on a SPARC."

Here are several tips you can apply to minimize your risk to phone scams like the one prophesied in this net rumor.

1. Don't give out personal information over the phone. This includes passwords, PINs (personal identification numbers) for your calling card or ATM card, your Social Security Number, home phone, address. Those who need this information should already have it, and often WILL NOT ask for it over the phone.
2. Those who need to do "checks" and maintenance work on phones and computer systems ... don't need to ask you for access codes. They already have them, or don't need them.
3. Phone technicians don't need user intervention to check equipment. Often, they don't even need to bother you at all; it's all done in the background.
4. Be suspicious of strange callers who claim to be within your company, and need you to transfer them or perform some unusual function.
5. Social engineers may ask you several innocuous questions before hitting the real question. Be suspicious of anyone who calls up to "confirm your information" and asks the obvious questions.
6. When in doubt, get a return phone number where you can call the person back. Legitimate entities will provide a company number; hackers will often just hang up.

AT&T FTS2000 telephone fraud information - http://www.att.com/gov/forum/staybriefed.html http://www.att.com/gov/forum/protecting.html

Royal Canadian Mounted Police telephone fraud information - http://www.rcmp-grc.gc.ca/html/tcb2-2c.htm

The Computer Incident Advisory Capability - http://ciac.llnl.gov/

The Urban Folklore newsgroup - news:alt.folklore.urban

Similar incidents of scams in the past - http://www.utexas.edu/admin/utpd/phone2.html http://www.infowar.com/iwftp/risks/Risks-12/risks-12.47.txt

D.B. Spalding is an infopreneur and consultant based in Marin County, CA. Many of his articles can be found on the World Wide Web at http://korova.com/

(C) Copyright 1998 D.B. Spalding. All rights reserved.

The HOAX DU JOUR is a regular feature of Korova Multimedia. Tune in to http://korova.com/virus/hoax.htm