March 31, 1998
by D.B. Spalding
In the past couple of weeks, a convincing "phone scam alert" has spread through U.S. Government offices and the Internet. Though the seed of this net rumor is factual, the alert has been abridged and misquoted to the extent that it's alarming ... and inaccurate.
One version of the alert (posted on the newsgroup alt.folklore.urban) goes like this:
On Saturday, 24 January 1998, Naval Air Station, Joint Reserve Base, New Orleans' Quarterdeck received a telephone call from an individual identifying himself as an AT&T Service Technician that was running a test on our telephone lines. He stated that to complete the test the QMOW should touch nine (9), zero (0), pound sign (#) and hang up. Luckily, the QMOW was suspicious and refused. Upon contacting the telephone company we were informed that by pushing 90# you end up giving the individual that called you access to your telephone line and allows him/her to place a long distance telephone call, with the charge appearing on your telephone call. We were further informed that this scam has been originating from many of the local jails/prisons. Please "pass the word."
Somehow this smelled like a net rumor, maybe even a hoax, since it follows the "Hook, Threat and Request" model that CIAC (http://ciac.llnl.gov/) identified in Internet chain letters and virus hoaxes.
I discussed this with AT&T's Network Security office (800-337-5373, email@example.com), which is referenced in some versions of the alert. The specialist I talked to had heard of the rumor, but discounted its validity as posted. He noted that it could conceivably be used against some common PBX systems.
1. On many PBX systems, 9 will access an outside line, 0 will request a local operator, and # ... well, most systems wouldn't know what to do with that #, so the call to the local operator would be CANCELLED. It's conceivable that calling someone on a PBX, and asking the recipient to hookflash, then dial 90#, will give the caller an outside dial tone. The caller can now make long distance calls that are charged to the hapless recipient. (See "Inmate fraud" link.)
2. This, of course, would require that
It's possible. It can be used as a scam, but most likely on systems that the series of numbers is known to provide a long distance dial tone. The original alert, within a single Navy installation, has some validity. The resulting net rumor, though, infers that this "90#" code works anywhere. It just ain't so. Dialing 90# on a home phone won't do squat. As to whether the calls are typically originating from jails, AT&T's rep asserted that it's rarely possible for a convict to pull such a scam. (See the exception referenced in the links.)
To get to the bottom of the source incident, I called the Naval Air Station quarterdeck in New Orleans. The petty officer who was manning the watch cheerfully confirmed that they had a clearly posted warning at the desk matching the quoted text above almost word for word. Almost. He also looked up his log for January 24, 1998, and confirmed that the duty watchstander had received a suspicious call. But the text he read me had one critical element missing from the net posts ... I'll simulate the omission here:
Service Technician that was running a test on our telephone lines. He stated that to complete the test the QMOW should
This procedure COULD give the caller an outside line on the base's phone system. What a surprise.
So the bottom line is that this warning has some validity for certain PBXs, but no way near the "alarm factor" danger for any and all phone systems. Your office or institution phone system may be vulnerable to this technique, or this kind of technique, or even some form of "social engineering" scam for abusing phone systems. But, folks, your home phones are safe from danger. As Rob Carlson posted on alt.folklore.urban, "Being able to use one single sequence on the variety of phone switches is as silly as expecting to run an Intel machine code on a SPARC."
Here are several tips you can apply to minimize your risk to phone scams like the one prophesied in this net rumor.
AT&T FTS2000 telephone fraud information - http://www.att.com/gov/forum/staybriefed.html http://www.att.com/gov/forum/protecting.html
Royal Canadian Mounted Police telephone fraud information - http://www.rcmp-grc.gc.ca/html/tcb2-2c.htm
The Computer Incident Advisory Capability - http://ciac.llnl.gov/
The Urban Folklore newsgroup - news:alt.folklore.urban
Similar incidents of scams in the past - http://www.utexas.edu/admin/utpd/phone2.html http://www.infowar.com/iwftp/risks/Risks-12/risks-12.47.txt
D.B. Spalding is an infopreneur and consultant based in Marin County, CA. Many of his articles can be found on the World Wide Web at http://korova.com/
(C) Copyright 1998 D.B. Spalding. All rights reserved.
The HOAX DU JOUR is a regular feature of Korova Multimedia. Tune in to http://korova.com/virus/hoax.htm