Roanoke Times Copyright (c) 1995, Landmark Communications, Inc.
DATE: SUNDAY, March 27, 1994
TAG: 9403250206
SECTION: BUSINESS
PAGE: F-3
EDITION: METRO
SOURCE: BY DAN CHAPMAN KNIGHT-RIDDER NEWSPAPERS
DATELINE:
LENGTH: Medium
It was Thursday afternoon, and the gentleman wanted access to Dimetrics Inc.'s WATS line. Identifying himself as the parent company's vice president of human resources, he said he was at the airport and needed to make some long-distance calls fast.
Poteat didn't fall for it.
"He said his first name was William," Poteat remembered. "The gentleman in our corporate office is Bill. I've met Bill. I figured this might not be on the up-and-up."
Not every business is fortunate enough to have somebody like Poteat, a receptionist for 20 years at Dimetrics, based in Davidson, N.C. Still, most companies are savvy enough to thwart the random caller requesting access to a phone line.
It's the computer hackers who instill the most fear into corporate America. The federal government reported that phone fraud cost businesses and individuals $2.3 billion in 1992.
"That exceeded credit-card fraud for that period throughout the world," said Jim Sturgis, a senior manager of investigations for MCI Telecommunications Corp. "It can have a devastating effect on a business's bottom line."
There are as many ways to uncover a company's access codes as there are crooks trying to get them:
A businesswoman at the airport makes a call from a row of telephones. The guy next to her in the coat and tie looks over her shoulder at the numbers she punches in. He's "shoulder surfing," memorizing her access code.
A hospital switchboard operator sends a caller to the emergency room. "Oops," says the caller, "I've got the wrong extension. Can you send me to the switchboard?" The operator can't tell the call's been looped back. "This is Dr. Bagongalong," the caller says, "may I have an outside line?"
A deliveryman brings a package for Jane Shmeetz. But Shmeetz doesn't work here. "Oh," says the deliverer, "may I use your phone to call my office and find out where I messed up?" Instead, he dials a $25-a-call, 900 number run by his buddy.
Sturgis calls these operator-friendly scams, like the one attempted at Dimetrics, "social engineering."
"The real problems in the telecommunications fraud business are those who get electronically into PBXes [private branch exchanges] and use nights and weekends to make hundreds and thousands of calls," Sturgis said. "That's a surreptitious entry into a customer's equipment. And all the people calling want is one simple thing: a free dial tone."
Crooks use computers to randomly access a company's PBX. Once the hacker's computer uncovers a dial tone, it's not difficult to get an outside line by playing with a sequence of numbers. Hackers know that legitimate access-code users typically rely on an easily remembered number sequence.
Criminals elude detection by switchboard monitors by making their calls after 5 p.m. and on weekends. That's what happened at Piedmont Natural Gas Co. in 1989, costing the Charlotte, N.C.-based utility nearly $70,000. It also happened with Pic 'n Pay Stores Inc. of Matthews, N.C., last year, which claims it lost $17,000.
AT&T sued Piedmont for not paying up. The case was settled in 1992, but terms weren't disclosed. Pic 'n Pay sued BellSouth Telecommunications Inc., claiming its voice-mail system wasn't as fail-safe as the communication giant claimed. No settlement has been reached.
But the Federal Communications Commission has ruled that businesses are liable for hackers' scams.
"There are some incredible schemes out there," said Brian Tallent, the engineering manager for Duke Power Co.'s telecommunication division. "You've just got to stay on your toes. There are new schemes coming along all the time. Just be cautious."
HOW TO AVOID PHONE FRAUD

Duke Power's Brian Tallent and MCI's Jim Sturgis offered these suggestions on how to avoid telephone fraud:

Before installing a system, work with your telephone company to let them know what you need and don't want. Example: Does your company need to make overseas calls?

Monitor the who, what, where, when and why of your company's calls. Are there a disproportionate number of calls going to South America, for example?

Use more numbers in the access code. Many companies now use an easily hacked four numbers. Increase it to six, seven or eight numbers.

Don't allow voice mail to be transferred to an operator who may not be able to tell that the call originated outside the company.

Block access to 900 numbers.

Don't let anybody peek over your shoulder to see you punch in the access code. Some crooks use binoculars.

Use common sense. If something seems fishy, it probably is.