
TOLL FRAUD ON FRENCH PBX SYSTEMS

In France it is estimated that PBX trunk fraud (toll fraud) costs companies over $220 million a year. Criminal phreakers figure out how to access [...] owned [...] provided by these systems to the public. In European markets where PSTN to PSTN connections are illegal it has not to date been such an issue. However, for a number of reasons this is likely to change. Jean-Bernard Condat reports.

Trunk to trunk connection barring through PBXs is expected to be deregulated throughout Europe.
The telecom industry has done more in
the past year to prevent toll fraud than
at any other time. Yet, toll fraud losses
will top more than US$2 billion again
this year. If you aren't doing anything to
prevent yourself being hit, it's not a
matter of whether you will be hit, but
when and for how much. So, here are
some low-cost ways to stop toll fraud or at least lessen the blow if it happens.
Increasing numbers of international
companies have private networks and
provide DISA (Direct Inward System
Access) access to employees. Such
companies are prime victims for phreaking. For example, a phone hacker can
access the network in the UK, France, or
Germany and break out in another
country where it is legal to make trunk
to trunk calls, and from that point they
can call anywhere in the world. Voice
Mail is taking off across Europe. This,
together with DISA, is one of the most
common ways phreakers enter a company's PBX. Raising these issues now and
detailing precautionary measures will
enable companies to take steps to
reduce such frauds. The following looks
at the current situation in France.
In France a whole subculture, like a real
phone underground culture, of these
technology terrorists is springing up on
city streets. Stolen access codes are used
to run call-sell operations from phone
booths or private phones. The perpetrators offer international calls for circa
FF 20, which is considerably less than it
could cost to dial direct. When calls are
placed through corporate PBXs rather
than carrier switches, the companies
that own the PBXs end up footing the
bill.
What are the warning signs that your
own communication systems are being
victimized by toll fraud? In inbound call
detail records, look for long holding
times, an unexplained increase in use,
frequent use of the system after normal
working hours, or a system that is always
busy. In records of outbound calls look
for calls made to unusual locations or
international numbers, high call volumes, long duration of calls, frequent
calls to premium rate numbers and
frequently recurring All Trunks Busy
(ATB) conditions.
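The warning signs listed above are all things a telecom manager can check mechanically against call detail records. The following script is an added example, not code from the article or from Northern Telecom: it runs those checks over a few constructed CDR lines (a made-up comma-separated layout of timestamp, direction, extension, dialled number and duration) and tallies which records trip which rule. The international and premium-rate prefixes, the working-hours window and the 30-minute threshold are assumptions chosen for the example, not Meridian defaults; ATB conditions are not visible in CDR and are left to the switch's own reports.

```python
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines (not from the article):
# timestamp, direction (IN/OUT), extension or DISA, dialled number, duration in seconds
SAMPLE_CDR = """\
1993-06-14 09:12:05,OUT,2041,0145678901,95
1993-06-14 23:41:17,IN,DISA,,2710
1993-06-15 02:03:44,OUT,DISA,0012125551234,1850
1993-06-15 02:35:10,OUT,DISA,0012125551234,2400
1993-06-15 03:07:59,OUT,DISA,3640000,610
1993-06-15 10:20:00,OUT,2013,0298765432,120
"""

# Assumed policy values for this example, not Meridian 1 defaults
INTERNATIONAL_PREFIXES = ("00", "19")   # assumed international access codes
PREMIUM_PREFIXES = ("36",)              # assumed premium-rate prefix
LONG_CALL_S = 1800                      # 30 minutes counts as a long holding time
WORK_START, WORK_END = 8, 19            # local working hours, Monday to Friday


def parse_cdr(text):
    """Parse the constructed CSV layout into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, direction, ext, number, dur = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "direction": direction,
            "extension": ext,
            "number": number,
            "duration": int(dur),
        })
    return records


def flag_record(rec):
    """Return the list of warning-sign rules this record trips (empty if none)."""
    reasons = []
    t = rec["time"]
    if t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END):
        reasons.append("after_hours")
    if rec["duration"] >= LONG_CALL_S:
        reasons.append("long_call")
    if rec["direction"] == "OUT":
        if rec["number"].startswith(INTERNATIONAL_PREFIXES):
            reasons.append("international")
        if rec["number"].startswith(PREMIUM_PREFIXES):
            reasons.append("premium_rate")
    return reasons


def analyse(text):
    """Run every rule over a CDR dump; return flagged records, rule counts and destination counts."""
    summary = Counter()
    destinations = Counter()
    flagged = []
    for rec in parse_cdr(text):
        reasons = flag_record(rec)
        if reasons:
            flagged.append((rec, reasons))
            summary.update(reasons)
        if rec["direction"] == "OUT" and rec["number"]:
            destinations[rec["number"]] += 1
    return {"flagged": flagged, "summary": summary, "destinations": destinations}


if __name__ == "__main__":
    result = analyse(SAMPLE_CDR)
    for rec, reasons in result["flagged"]:
        print(rec["time"], rec["direction"], rec["number"] or "-", ", ".join(reasons))
    print("rule hits:", dict(result["summary"]))
    print("most dialled:", result["destinations"].most_common(1))
```

The repeated night-time international calls from the DISA port in the sample are exactly the pattern the article describes; in practice the thresholds should be tuned from a site's own normal traffic before the report is trusted.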
Toll fraud is similar to unauthorized
access to mainframe computers or
hacking. Manufacturers such as Northern Telecom have developed security
features that minimize the risk of such
theft. Telecommunication managers,
however, are the only ones who can
ensure that these features are being
used to protect their systems from fraud.

AREAS OF INTRUSION INTO CORPORATE SYSTEMS
PBX features that are vulnerable to
unauthorized access include call forwarding, call prompting and call processing features. But the most common
ways phreakers enter a company's PBX is
through DISA and voice mail systems.
They often search a company's rubbish
for directories or call detail reports that
contain a company's own 05 numbers
and codes. They have also posed as
system administrators or France Telecom
technicians and conned employees into
telling them PBX authorization codes.
More sophisticated hackers use personal
computers and modems to break into
databases containing customer records
showing phone numbers and voice mail
access codes, or simply dial 05 numbers
with the help of sequential number
generators and computers until they
find one that gives access to a phone
system.
Once these thieves have the numbers and codes, they can call into the PBX and
place calls out to other locations. In
many cases, PBX is only the first point of
entry for such criminals. They can also
use the PBX to access a company's data
system. Call-sell operators can even hide
their activities from law enforcement
officials by using PBX looping - using
one PBX to place calls out through
another PBX in another state.

HOLDING THE LINE -- STEPS THAT REDUCE TOLL FRAUD
Northern Telecom's Meridian 1 system provides a number of safety features to
guard against unauthorized access. It is
the most popular PBX phreaked in
France. The following information highlights Meridian 1 features that can
minimize such abuse.
DISA SECURITY
The DISA feature allows users to access a
company's PBX system from the public
network by dialling a telephone number
assigned to the feature. Once the system
answers the DISA call, the caller may be
required to enter a security code and
authorization code. After any required
codes are entered, the caller, using push button tone dialling, is provided with the calling privileges, such as Class of Service (COS), Network Class of Service (NCOS) and Trunk Group Access Restrictions (TGAR), that are associated with the DISA DN or the authorization code entered.

To minimize the vulnerability of the Meridian 1 system to unauthorized access through DISA, the following safeguards are suggested:
1) Assign restricted Class of Service, TGAR and NCOS to the DISA DN;
2) Require users to enter a security code upon reaching the DISA DN;
3) In addition to a security code, require users to enter an authorization code. The calling privileges provided will be those associated with the specific authorization code;
4) Use Call Detail Recording (CDR) to identify calling activity associated with individual authorization codes. As a further precaution, you may choose to limit printed copies of these records;
5) Change security codes frequently;
6) Limit access to administration of authorization codes to a few, carefully selected employees.
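To make the DISA call flow and the first four safeguards concrete, here is an added model in Python; it is an illustration, not Meridian 1 code or Northern Telecom's configuration format. The security code, the authorization codes, the privilege labels ("toll-denied", "national", "unrestricted"), the NCOS levels and the routing policy that maps destination classes to a minimum NCOS are all constructed assumptions. The point it shows is that a caller who reaches the DISA DN without an authorization code inherits only the DN's restricted privileges, that each authorization code carries its own privileges, and that every attempt lands in a CDR list the administrator can review per user.

```python
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Privileges:
    """Calling privileges a DISA caller ends up with (labels assumed for the example)."""
    cos: str    # Class of Service: "toll-denied", "national" or "unrestricted"
    ncos: int   # Network Class of Service level
    tgar: int   # Trunk Group Access Restriction group


# Safeguard 1: the DISA DN itself carries restricted privileges (constructed values)
DISA_DN_PRIVILEGES = Privileges(cos="toll-denied", ncos=0, tgar=1)

# Safeguard 2: security code demanded on reaching the DISA DN (constructed)
DISA_SECURITY_CODE = "7431"

# Safeguard 3: authorization codes, each tied to one user and one privilege set (constructed)
AUTH_CODES = {
    "283916": ("alice", Privileges(cos="unrestricted", ncos=5, tgar=0)),
    "550274": ("bob", Privileges(cos="national", ncos=3, tgar=0)),
}

# Assumed routing policy: minimum NCOS needed for each destination class
MIN_NCOS = {"local": 0, "national": 3, "international": 5}

# Safeguard 4: a CDR entry for every DISA call, carrying the authorization code's owner
cdr_log = []


def disa_call(security_code, auth_code=None):
    """Model the DISA answer sequence; return the privileges granted, or None if refused."""
    if not hmac.compare_digest(security_code, DISA_SECURITY_CODE):
        cdr_log.append(("DISA", None, "security code rejected"))
        return None
    if auth_code is None:
        # No authorization code: caller gets only the DISA DN's restricted privileges
        cdr_log.append(("DISA", None, "DISA DN privileges"))
        return DISA_DN_PRIVILEGES
    entry = AUTH_CODES.get(auth_code)
    if entry is None:
        cdr_log.append(("DISA", None, "authorization code rejected"))
        return None
    user, priv = entry
    cdr_log.append(("DISA", user, "authorization code privileges"))
    return priv


def classify(number):
    """Destination class from the dialled digits (assumed prefixes: 00 international, 0 national)."""
    if number.startswith("00"):
        return "international"
    if number.startswith("0"):
        return "national"
    return "local"


def can_route(priv, number):
    """Would the PBX let a caller holding these privileges place the call?"""
    if priv is None:
        return False
    dest = classify(number)
    if priv.cos == "toll-denied" and dest != "local":
        return False
    return priv.ncos >= MIN_NCOS[dest]


def cdr_by_user():
    """Per-user call counts: the view CDR gives an administrator reviewing authorization codes."""
    return Counter(user for _, user, _ in cdr_log if user is not None)


def rejected_attempts():
    """Number of DISA calls refused at the security or authorization code step."""
    return sum(1 for _, _, outcome in cdr_log if "rejected" in outcome)


if __name__ == "__main__":
    print(can_route(disa_call("7431"), "0012125551234"))            # DN only: denied
    print(can_route(disa_call("7431", "283916"), "0012125551234"))  # alice: allowed
    print(cdr_by_user(), rejected_attempts())
```

A spike in rejected attempts in the log is the sequential-guessing pattern described earlier in the article, and a single user's count growing outside working hours points at a leaked authorization code rather than a guessed one.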

MERIDIAN MAIL SECURITY

Northern Telecom's Meridian Mail voice messaging system is also equipped with a number of safeguarding features. The features that allow system users to dial out, Through-Dial, Operator Revert and Remote Notification (Outcalling), should be controlled to reduce the likelihood of unauthorized access. The following protective measures can be used to minimize toll fraud:

VOICE SECURITY CODES


Set security parameters for Through-Dial
using the Voice Security Options prompt
from the Voice Systems Administration
menu. This prompt will list restricted
access codes to control calls placed using
the Through-Dial function of Meridian
Mail. An access code is a prefix for a
telephone number or a number that
must be dialled to access outside lines or
long-distance calling. If access codes are
listed as restricted on the Meridian Mail
system, calls cannot be placed through
Meridian Mail to numbers beginning
with the restricted codes. Up to 10
access codes can be defined.
VOICE MENUS
With the Through-Dial function of Voice
Menus, the system administrator can
limit dialling patterns using restricted
dialling prefixes. These access codes,
which are defined as illegal, apply only
to the Through-Dial function of each
voice menu. Each Through-Dial menu
can have its own restricted access codes.
Up to 10 access codes can be programmed.
Meridian Mail also allows system administrators to require that users enter an
Access Password for each menu. In this
way, the Through-Dial menu can deny
unauthorized callers access to Through-Dial functions, while allowing authorized
callers access.
ADDITIONAL SECURITY
FEATURES
The Secured Messaging feature can be activated system-wide and essentially blocks external callers from logging in to Meridian Mail. In addition, the system administrator can establish a system-wide parameter that forces the users to change their Meridian Mail passwords within a defined time period. Users can also change their passwords at any time when logged in to Meridian Mail.
The system administrator can define a
minimum acceptable password length
for Meridian Mail users. Administrators can also determine the maximum number of times an invalid password can be entered before a log-on attempt is dropped and the mailbox log-on is disabled. Some of the features that
provide convenience and flexibility are
also vulnerable to unauthorized access.
However, Meridian 1 products provide a
wide array of features that can protect
your system from unauthorized access.
In general, you can select and implement
the combination of features that best
meets your company's needs.
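The two Meridian Mail controls described above, restricted access codes on a Through-Dial menu (with its optional Access Password) and the system-wide password parameters (minimum length, forced change period, invalid-attempt limit), are modelled in the following added example. It is illustrative Python written for this page, not Meridian Mail's administration interface; the class names, the policy values and the constructed passwords are assumptions, and only the per-menu limit of 10 restricted codes comes from the text.

```python
import hmac
from datetime import date

MAX_RESTRICTED_CODES = 10   # per-menu limit stated in the article


class ThroughDialMenu:
    """One voice menu: its own restricted dialling prefixes plus an optional Access Password."""

    def __init__(self, name, restricted_codes, access_password=None):
        if len(restricted_codes) > MAX_RESTRICTED_CODES:
            raise ValueError(f"at most {MAX_RESTRICTED_CODES} restricted access codes per menu")
        self.name = name
        self.restricted_codes = tuple(restricted_codes)
        self.access_password = access_password

    def through_dial(self, number, password=None):
        """Decide a Through-Dial request from this menu; returns (allowed, reason)."""
        if self.access_password is not None:
            if password is None or not hmac.compare_digest(password, self.access_password):
                return False, "access password required"
        for code in self.restricted_codes:
            if number.startswith(code):
                return False, f"prefix {code} restricted"
        return True, "ok"


class MailboxPolicy:
    """System-wide parameters the administrator sets (values are constructed)."""

    def __init__(self, min_length, max_invalid, max_age_days):
        self.min_length = min_length
        self.max_invalid = max_invalid
        self.max_age_days = max_age_days


class Mailbox:
    """A user mailbox enforcing the policy on password changes and log-on attempts."""

    def __init__(self, policy, password, set_on):
        self.policy = policy
        self.password = password
        self.set_on = set_on            # date the current password was set
        self.invalid_attempts = 0
        self.disabled = False

    def set_password(self, new_password, today):
        """Apply the minimum-length rule; return True if the change was accepted."""
        if len(new_password) < self.policy.min_length:
            return False
        self.password = new_password
        self.set_on = today
        self.invalid_attempts = 0
        return True

    def login(self, password, today):
        """Returns (ok, reason); counts invalid attempts and disables log-on at the limit."""
        if self.disabled:
            return False, "mailbox log-on disabled"
        if not hmac.compare_digest(password, self.password):
            self.invalid_attempts += 1
            if self.invalid_attempts >= self.policy.max_invalid:
                self.disabled = True
                return False, "mailbox log-on disabled"
            return False, f"invalid password ({self.invalid_attempts} of {self.policy.max_invalid})"
        self.invalid_attempts = 0
        if (today - self.set_on).days > self.policy.max_age_days:
            return True, "password expired; change required"
        return True, "ok"


if __name__ == "__main__":
    # Constructed configuration: international (00) and premium-rate (36) prefixes barred
    menu = ThroughDialMenu("sales", ["00", "36"], access_password="4417")
    print(menu.through_dial("0012125551234", "4417"))   # (False, 'prefix 00 restricted')
    box = Mailbox(MailboxPolicy(min_length=6, max_invalid=3, max_age_days=90),
                  "739201", date(1993, 3, 1))
    print(box.login("739201", date(1993, 6, 14)))        # expired after 105 days
```

Restricting prefixes on the menu rather than on individual mailboxes matters because a Through-Dial menu answers external callers who have never logged in; the Access Password is what separates them from authorized users.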

GENERAL SECURITY MEASURES

Phone numbers and passwords used to access DISA and Meridian Mail should only be provided to authorized personnel. In addition, call detail records and other reports that contain such numbers should be shredded or disposed of in an appropriate manner for confidential material. To detect instances of trunk fraud and to minimize the opportunities for such activity, the system administrator should take the following steps frequently (the frequency is determined on a per site basis according to need):
1) Monitor Meridian CDR output to identify sudden unexplained increases in trunk calls. Trunk to trunk / Tie connections should be included in CDR output;
2) Review the system database for unauthorized changes;
3) Regularly change system passwords, and DISA authorization and security codes;
4) Investigate recurring All Trunks Busy (ATB) conditions to determine the cause;
5) If modems are used, change access numbers frequently, and consider using dial-back modems;
6) Require the PBX room to be locked at all times. Require a sign-in log and verification of all personnel entering the PBX room.


TWO PRACTICAL CASES


Bud Collar, electronic systems manager with Plexus in Neenah, Wisconsin, transferred from its payphone operations branch. As the PBX manager, he's blocked all outside access to his Northern Telecom Meridian 1 and Meridian Mail. Just in case a phreaker does gain access, Collar bought a US$600, PC-based software package from Tribase Systems in Springfield, New Jersey called Tapit. Collar runs daily reports on all overseas call attempts and completions.
But the drawback to Tapit is that, by
itself, it has no alarm features, so if a
phreaker does get in, Collar will not
know about it until he runs the next
report. Tribase does offer Fraud Alert
with alarms for US$950, but Collar chose
not to use it.
Erica Ocker, telecom supervisor at Phico
Insurance in Mechanicsburg, Philadelphia, also wanted to block all of her
outside ports. But she has maintenance
technicians who need routine access, so
she needed a way to keep her remote
access ports open, without opening up
her Rolm 9751 to toll fraud. The solution
is to buy LeeMah DataCom Security
Corp's TraqNet 2001. For US$2000,
Ocker got two secured modems that
connect to her maintenance port on her
PBX and to her Rolm Phone Mail port.
When someone wants to use these
features, they dial into the TraqNet and
punch in their PIN number. TraqNet
identifies the user by their PIN number
and asks them to punch in a randomly
selected access code that they can only
get from a credit card-sized random
number generator, called an InfoCard.
That access code matches the codes that
are generated each time the TraqNet is
accessed. The TraqNet 2001 is a single-line model that supports up to 2304
users for US$950. More upscale models
can support up to 32 lines and run call
detail reports, but they cost as much as
US$15 000. InfoCards each cost an
additional US$50.

CONCLUSIONS
The ultimate solution will be, as I read in
a French consultancy review, "to program the PBX ACD agent ports as toll
denied."
The more pleasant story directly linked
with French phreaking was the night
that I saw on my TV screen in Paris an
upmarket computer ad for Dell microcomputers. At the end of the ad, a toll-free number was shown in green: 05444-999. I immediately phoned this number... and heard the well known voice of French Northern Telecom's Meridian Mail saying in English: "For technical reasons, your call cannot be transferred to the appropriate person. Call later or leave a message after the tone." Dialling 0* opens the door to more than... Dell information. My letter to this company is already without (free voice) answer!
Jean-Bernard Condat
General Secretary, Chaos Computer
Club, France. Editor of the French
journal Chaos Digest (ISSN 1244-4901)
related to computer security.

BOOK REVIEW

ELECTRONIC DATA INTERCHANGE

Peter Jones and David Marsh: The Essentials of EDI Law - A Straightforward Legal Framework To Protect Your Business. 1993 Softcover 141p.

The first version of this book was directed specifically at EDI and Canadian law, written by Peter Jones in 1992. This is the second version which principally follows the same layout as the first book, but being aimed primarily at English law and EDI, is now written by David Marsh. David Marsh, the author, is well qualified to write this book; he has been a prominent legal commentator on EDI for a number of years.
According to the author, the main purpose of the book is to "enable the reader to consider in general terms the legal implications of the use of EDI for the transaction of business". To facilitate 'reader accessibility' the book actively avoids the complex legal jargon which can so often give a sense of fear to those readers who have no legal background. Instead, the book gives a clear and simple discussion of key legal problems, combined with useful practical advice. The format of the book mirrors the Canadian edition. Chapter One provides an introduction to the book. Chapter Two concentrates principally on an introduction to EDI technology, what is EDI, what are message standards and how message standards are designed (indeed, no EDI book worth its salt would be without a chapter on technology). In the latter part of this section the author introduces the reader to some of the legal problems raised when translating a physical document to its electronic message equivalent.
Chapter Three introduces the reader to a wider perspective of EDI, concentrating upon the relationship between governmental policy, the law and EDI.
Chapter Four specifically tackles some common legal concerns which EDI raises. Although primarily this is directed at English law, the author, by way of comparison, includes a discussion of other jurisdictions.
Chapter Five introduces the reader to the role of interchange agreements in EDI, explaining some of the underlying reasons for their introduction and perhaps more importantly reviews the benefits of using them.
Both Chapters Six and Seven are a continuation of Chapter Five, analysing in some detail the individual clauses of the Standard UK EDI Association Interchange Agreement (a copy of which is reproduced in the Appendix).
Chapter Eight outlines some of the issues when understanding the relationship between the traditional interchange agreement and the underlying business contract which contains the standard terms and conditions of business.
Chapter Nine reviews some of the legal problems and outlines some key practical issues which may arise when using a Value-added Network Service.
Chapter Ten considers the problem of a "computer forming a contract which is a mistake"; this problem is perceived by many as a "major concern when using EDI". This chapter is useful in itself as it provides a logical approach shedding light on this problem.
The final chapter reviews the legal implications when applying EDI to the payment process, that is financial EDI.
In summary, this book is a recommended read as a good introductory book for both lawyers and, especially, non-lawyers. For any business manager considering the EDI option or using EDI, an understanding of the legal environment in which EDI operates is both important and interesting.
Available from the EDI Association, 148 Buckingham Palace Road, London SW1W 9TR, UK. Tel: 071 824 8848; fax: 071 824 8114.
Review by Alastair Ross
Research student, Southampton University
