
Hacked Business Owner Stuck With $52k Phone Bill

ScuttleMonkey posted more than 5 years ago | from the build-a-better-mousetrap dept.

Communications 300

ubercam writes "A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though they even couldn't manage to secure their own system, which doesn't bode well for their customers." This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with the credit card companies'.


WTF? (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26175991)

Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

"Oh hi, I got my PBX hacked (possibly because of my 4 character PIN "security") and lost 50 grand on calls to Bulgarian criminals, how about paying me to set up your computers?"

Re:WTF? (4, Funny)

Spazztastic (814296) | more than 5 years ago | (#26176015)

Seriously there guys, why would Mr. HUB Computer Solutions let something as embarrassing as that hit the press?

Perhaps he's now offering super-low-discount services and this is just an elaborate advertising campaign?

Re:WTF? (4, Funny)

Warll (1211492) | more than 5 years ago | (#26176089)

So what you're saying is that his plan is something like this:
1. Get hacked
2. Tell the press
3. ?????
4. Profit!

Re:WTF? (3, Funny)

Anonymous Coward | more than 5 years ago | (#26176207)

** Caution: Low-flying Wooshes **

This is an alert of the emergency joke-casting system. Sarcasm detectors in your area have detected low-flying wooshes. This alert is in effect for the entirety of this thread.

Repeat.

This is an alert of the emergency joke-casting system. Sarcasm detectors in your area have detected low-flying wooshes. This alert is in effect for the entirety of this thread.

Re:WTF? (0)

aztektum (170569) | more than 5 years ago | (#26176193)

Perhaps he is hoping the Streisand effect will help convince the phone company to dump the charges.

Re:WTF? (4, Informative)

oldspewey (1303305) | more than 5 years ago | (#26176439)

I thought the Streisand effect was when somebody doesn't want information to become public, and by acting to suppress it they generate publicity.

Re:WTF? (0, Redundant)

ijakings (982830) | more than 5 years ago | (#26176581)

That's exactly what the Streisand effect is.

Re:WTF? (5, Interesting)

mewsenews (251487) | more than 5 years ago | (#26176567)

Some context from a native of Winnipeg:

MTS is our AT&T, it's the big bad phone company. I believe it's the second largest company in our province, behind the power company. HUB is a tiny business that I had never heard of. This is very much a David vs. Goliath thing, the HUB guy wants MTS to go easy on the bill because they have money. MTS has dropped all responsibility because it's not their equipment that was hacked, but this guy has come back with "you should have notified me earlier of abnormal usage on my phone lines".

The HUB guy will have to lay off one of his staff unless MTS goes easy on this bill. His only method of leverage on MTS is to speak to the newspaper. That's the reason he's risking public embarrassment.

Re:WTF? (1)

b4upoo (166390) | more than 5 years ago | (#26176705)

I'm certain that he followed every tip in P.C. Magazine. Quality apparently means different things to different people.

ScuttleMonkey doesn't even read TFS (3, Informative)

mugnyte (203225) | more than 5 years ago | (#26176009)

Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

    Dude, it wasn't the phone company's equipment - hence the "outrageous" charge to the consumer.

Re:ScuttleMonkey doesn't even read TFS (4, Interesting)

morgan_greywolf (835522) | more than 5 years ago | (#26176253)

ScuttleMonkey probably just hasn't figured out that, as far as the telcos are concerned, everything on the INSIDE of the drop is the customer's problem, everything on the OUTSIDE of the drop is the phone company's problem, unless the customer has specifically hired the phone company to handle the customer premises equipment. And more and more phone companies aren't doing that anymore.

Re:ScuttleMonkey doesn't even read TFS (3, Interesting)

spazdor (902907) | more than 5 years ago | (#26176457)

Credit card companies do things like monitoring your usage habits, and calling you when you deviate wildly from them in order to make sure everything is legit and froody.

This is a useful and profitable thing for them to be doing, since when things turn out not to be legit and froody, the credco is sometimes on the hook themselves for a lot of money.

It is not as useful or profitable for a telco to do the same, because they charge money for a "service" that it costs them next to nothing to render. If the customer accidentally runs up a huge bill, then the dilemma is different: if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

Re:ScuttleMonkey doesn't even read TFS (4, Insightful)

michaelwv (1371157) | more than 5 years ago | (#26176533)

"It is not as useful or profitable for a telco to do the same, because " they are not legally on the hook. Thanks to some consumer-friendly legislation passed a while back, the credit card companies are specifically liable for fraudulent transactions above a $50 limit. The phone companies are not. Figuring out whether or not the marginal cost to the phone company was comparable to $52k (they're probably paying some other company to call Bulgaria) is complicated. But I'll agree that it's likely much less, whereas the marginal cost to the CC company is the numeric amount. But really I think the liability protection has made the biggest difference in how attentive CC companies are to these things. Other practices aside, this is something that most CC companies do very well in striking a balance between usability and minimizing fraud.

Re:ScuttleMonkey doesn't even read TFS (3, Interesting)

Richard_at_work (517087) | more than 5 years ago | (#26176725)

if they don't get to collect on that bill, they haven't lost out on anything but a bit of network traffic.

This is a myth - when the phone company does not originate and terminate the call themselves, they get charged by the companies they pass the call on to to have it terminated. In many situations, the large phone companies agree to call it quits as they carry roughly the same amount of each other's calls, but in international call markets, these agreements are much rarer.

So yes, potentially (in reality, quite likely in this case) there is a real cost to the phone company if they do not collect on the bill.

Bulgaria? (3, Interesting)

onehitwonder (1118559) | more than 5 years ago | (#26176029)

Shouldn't the telecom provider be able to identify the phone number(s) in Bulgaria that the hacker called? If a hacker is calling Bulgaria, I'd think there's probably some international crime or identity theft ring centered there that the phone company and government officials would want to know about. Either that, or the hacker was calling about the whereabouts of his mail-order bride.

Re:Bulgaria? (5, Informative)

OhPlz (168413) | more than 5 years ago | (#26176275)

Often times, the thief sells calls at clusters of payphones in low income urban areas. The calls are made to wherever the immigrants in the area came from. These rings have phone systems like this that they hijacked, stolen prepaid phone card lists, stolen credit card lists that they can use to place calls, and so on. This is where a lot of phishing leads to. If they think anyone is on to them, they can just walk away. The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough. It's a great scam because it's easy and they don't have to risk taking delivery of anything. The minutes turn into cash.

Re:Bulgaria? (2, Insightful)

Frosty Piss (770223) | more than 5 years ago | (#26176519)

The authorities rarely get involved because they're too difficult to catch and the dollar amounts aren't large enough.

$50K not high enough? Huh.

But anyway, given that it can't have cost the Canadian telecom anywhere *near* $50K, and it was clearly fraud, shouldn't they prorate this guy's bill to *cost* or a little more? Demanding the full $50K is unfair.

Any lawyers out there? (2, Interesting)

NotQuiteReal (608241) | more than 5 years ago | (#26176731)

This is an interesting legal point.

It seems to me a lot of lawsuits come down to "what are the damages"?

If someone steals a physical item, how is its value determined - retail or wholesale? The "actual damages" are a lot lower than the retail price of lots of things, but especially phone service.

Re:Bulgaria? (0)

Anonymous Coward | more than 5 years ago | (#26176851)

Identify phone numbers in Bulgaria? What would be the point in that, when you can just stick the guy with a $52,000 bill and not have to upset nasty people who can ruin your whole day?

Why would they do that? (5, Informative)

GrenDel Fuego (2558) | more than 5 years ago | (#26176037)

This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.

As long as the customers are responsible for the charges, they have no business reason to invest in fraud protection.

Bruce Schneier refers to this as an externality, and has written about it a number of times in the context of credit card security and computer security.

http://www.schneier.com/blog/archives/2007/01/information_sec_1.html

http://www.schneier.com/blog/archives/2006/03/credit_card_com.html

http://www.schneier.com/blog/archives/2005/10/preventing_iden.html

Not astonishingly surprising... (5, Interesting)

damn_registrars (1103043) | more than 5 years ago | (#26176039)

I don't find this surprising in perspective of what people in the service sector usually have for themselves.

After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

Hint - the mechanic's car is usually fixed last, if ever.

In similar light I knew a cardiologist a few years back who died of heart failure.

It isn't easy to find time to maintain for yourself the same kind of equipment that you are paid to keep up for others.

Re:Not astonishingly surprising... (3, Insightful)

jellomizer (103300) | more than 5 years ago | (#26176143)

Or the old quote.
The carpenter's house is always the one that is in least repair.

Re:Not astonishingly surprising... (5, Interesting)

Spazztastic (814296) | more than 5 years ago | (#26176277)

Or the old quote. The carpenter's house is always the one that is in least repair.

Good point, their site runs Sharepoint and the Site Settings prompt is open to the world.

http://www.hub.ca/default.aspx [www.hub.ca]

Re:Not astonishingly surprising... (1)

tripdizzle (1386273) | more than 5 years ago | (#26176719)

I think HUB just got slashdotted in the face.

Re:Not astonishingly surprising... (4, Funny)

he-sk (103163) | more than 5 years ago | (#26176819)

Great work! Not only is he stuck with a 50k phone bill, but now his internet bill will skyrocket as well thanks to the slashdotting of his site.

Are you his competitor by any chance?

Re:Not astonishingly surprising... (3, Funny)

the jalapeno (876954) | more than 5 years ago | (#26176309)

Or the old quote. The carpenter's house is always the one that is in least repair.

Or the town barber is always the one with the worst haircut..

Re:Not astonishingly surprising... (0)

Anonymous Coward | more than 5 years ago | (#26176505)

This does not really have the same meaning as the others because giving yourself a haircut is more difficult than giving another person a haircut.

Re:Not astonishingly surprising... (2, Insightful)

That's Unpossible! (722232) | more than 5 years ago | (#26176217)

After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

Hint - the mechanic's car is usually fixed last, if ever.

Care to try and back that statement up?

I happen to work in the automotive repair industry. Good automotive techs know better than most that it's far cheaper to maintain their vehicle than it is to repair damage later.

Re:Not astonishingly surprising... (2, Funny)

larry bagina (561269) | more than 5 years ago | (#26176347)

[citation needed]

Re:Not astonishingly surprising... (1)

spazdor (902907) | more than 5 years ago | (#26176509)

Would people please stop posting this on its own, for no apparent reason? Why would anyone need to give a citation for an anecdote about their own car?

Re:Not astonishingly surprising... (0)

Anonymous Coward | more than 5 years ago | (#26176759)

I believe that it's called "humor". Could someone cite me on this?

Re:Not astonishingly surprising... (1)

LandDolphin (1202876) | more than 5 years ago | (#26176849)

User "That's Unpossible!" asked for back up to a poster's claims, then offered no real back up to his counter claim.

If you are going to ask for black up on a claim and then proceed to make a counter claim, you had better provide back up for your counter claim.

On that note, I have known several Mechanics that purchase $500 cars and just do the min. work to keep it running. The cars are always in a constant need for repair, but they only get the bare min. that is needed so they can get to work everyday. [citation needed?]

Re:Not astonishingly surprising... (1)

LandDolphin (1202876) | more than 5 years ago | (#26176881)

Remember, all claims should come with "black up"

/You know I meant back up right? :-)

Re:Not astonishingly surprising... (2, Interesting)

citylivin (1250770) | more than 5 years ago | (#26176255)

"Hint - the mechanic's car is usually fixed last, if ever"

Either you don't know any mechanics personally, or the mechanics you deal with are shitty ones. I've seen engines so spotless that you can eat off them, with brand new bolts everywhere. Mechanics take DAMN good care of their cars, just like computer repair people take good care of their personal PCs (if they do their job with pride and aren't merely there to cash a paycheque).

Their wives' cars on the other hand...

Most security companies provide the illusion of security and an external person to blame, that's all. If someone really wants to hack your business, they will. Even if it takes backing a truck through your front door and making off with the physical servers (actually happened at one location I used to work for). In this case I'm not sure what I would do differently. It's a small business, so auditing incoming calls shouldn't be overly complex. Although who really audits their call logs every week? Perhaps there was a password lockout function that was not enabled properly? Some SNMP triggers to log failed password attempts..

Most likely though, was that someone's password was 1234 or 2468.

Re:Not astonishingly surprising... (1)

qoncept (599709) | more than 5 years ago | (#26176283)

Thank you. I was thinking the exact same thing. It's like avoiding a certain doctor because you found out he had gotten sick. OP must be pretty simple minded.

Re:Not astonishingly surprising... (3, Interesting)

222 (551054) | more than 5 years ago | (#26176323)

I manage a Cisco CallManager cluster (now called Unified Communication Manager, but whatever) and the problem here is that this is such a trivial mistake. We have every device / extension that doesn't require outside access in an internal only calling search space, and this includes our Unity voicemail ports.

I can't stress this enough; whoever was responsible for setting up this system seems to have ignored every best practice guide for deploying CallManager. I'd actually like to see their setup, just for curiosity's sake. I'd also have to recommend against using their consulting services :- )

But as for the other stuff you said, I sort of agree. My network at home is an absolute cabling / design mess.
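
The internal-only calling search space described in the comment above can be audited mechanically. The following is an added example, not part of the original comment and not Cisco's implementation: a simplified model that supports only the `X` (one digit) and `!` (one or more digits) route-pattern wildcards, with all partition, search-space and device names constructed for illustration.

```python
import re

# Constructed configuration: partitions hold route patterns, a calling search
# space (CSS) lists the partitions a device may dial into.
PARTITIONS = {
    "PT_Internal": ["2XXX"],            # four-digit extensions
    "PT_LD": ["9.1XXXXXXXXXX"],         # 9 for an outside line, then 1 + 10 digits
    "PT_Intl_PSTN": ["9.011!"],         # 9, then 011 and any number of digits
}
EXTERNAL = {"PT_LD", "PT_Intl_PSTN"}    # partitions that route to the PSTN

CSS = {
    "CSS_InternalOnly": ["PT_Internal"],
    "CSS_Unrestricted": ["PT_Internal", "PT_LD", "PT_Intl_PSTN"],
}

DEVICES = {
    "reception-phone": "CSS_Unrestricted",
    "lobby-phone": "CSS_InternalOnly",
    "voicemail-port-1": "CSS_Unrestricted",  # the mistake the audit should catch
    "voicemail-port-2": "CSS_InternalOnly",
}


def pattern_to_regex(pattern):
    """Translate the supported subset of route-pattern syntax to a regex."""
    parts = []
    for ch in pattern:
        if ch == "X":
            parts.append(r"\d")
        elif ch == "!":
            parts.append(r"\d+")
        elif ch == ".":
            continue  # separator after the access code; matches no digit
        elif ch.isdigit():
            parts.append(ch)
        else:
            raise ValueError(f"unsupported pattern character: {ch!r}")
    return re.compile("".join(parts))


def reachable_partitions(device, dialed):
    """Partitions in the device's CSS that have a pattern matching `dialed`."""
    hits = []
    for partition in CSS[DEVICES[device]]:
        if any(pattern_to_regex(p).fullmatch(dialed) for p in PARTITIONS[partition]):
            hits.append(partition)
    return hits


def audit(internal_only_devices, probes):
    """List (device, dialed digits, partition) where an internal-only device
    can reach a PSTN-facing partition."""
    findings = []
    for device in internal_only_devices:
        for dialed in probes:
            for partition in reachable_partitions(device, dialed):
                if partition in EXTERNAL:
                    findings.append((device, dialed, partition))
    return findings


# Constructed probe digit strings: an extension, a long-distance call and an
# international call (country code 359 followed by filler zeros).
PROBES = ["2001", "915555550100", "901135900000000"]
MUST_STAY_INTERNAL = ["lobby-phone", "voicemail-port-1", "voicemail-port-2"]

if __name__ == "__main__":
    for finding in audit(MUST_STAY_INTERNAL, PROBES):
        print("can dial out:", finding)
```
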

Re:Not astonishingly surprising... (1)

commodoresloat (172735) | more than 5 years ago | (#26176469)

In similar light I knew a cardiologist a few years back who died of heart failure.

Aren't most deaths ultimately attributable to "heart failure"?

Re:Not astonishingly surprising... (1)

gandhi_2 (1108023) | more than 5 years ago | (#26176501)

No, all deaths are a result of hypoxemia, a lack of oxygen to the brain.

Re:Not astonishingly surprising... (1)

b4dc0d3r (1268512) | more than 5 years ago | (#26176495)

Forget time, it's money. I work at a Fortune ~120 company, and we never build anything for ourselves. Even in the name of cost-saving, no outlay happens unless we are confident it will be sold somehow. In a leveraged environment, the first client to need something pays for it, the others get it free (for one-time charges, space and bandwidth are ongoing though).

The client delivery arm of the co. is now requesting to use the web app we made for $car_company, even though they wouldn't fund or blaze the trail for its creation and delivery. Catch-122, it would not have existed if we had done it their way.

Re:Not astonishingly surprising... (0)

Anonymous Coward | more than 5 years ago | (#26176547)

After all, what kind of car does your mechanic drive? Do you know when your mechanic last did an oil change on their own car?

Hint - the mechanic's car is usually fixed last, if ever.

1990 VW Jetta, oil changed every 5000km like clockwork. Usually phones me the same day to do mine.

When you see the expensive lesson weekly, or sometimes daily, that preventive maintenance is cheaper in the long run you find the time to do it. It also beats walking.

The irony, he _was_ a service manager at a GM dealership until him and the rest of his shop got their walking papers. I'm not sure what lesson is there.

Re:Not astonishingly surprising... (2, Interesting)

D Ninja (825055) | more than 5 years ago | (#26176755)

That's kind of sad, in my opinion. I work in the computer industry and my own computers and network are, at the very least, up-to-date and maintained well. (I don't claim to be a security expert...but there are some basic things that you can do.)

Same with any doctor I visit (he better look like he's in good health, at least), my mechanic I use (he's fanatical about how he takes care of his car), etc.

People who just have a "job" won't want to continue doing their job after they are finished for the day. People who love what they do, will continue what they do, even after they are finished with their hours at the end of the day. Those are the people you want working for you and providing services.

Re:Not astonishingly surprising... (0)

Anonymous Coward | more than 5 years ago | (#26176959)

Quite true. I fix computers and digital signage equipment all day long. I can only bring myself to do any IT stuff at home on a long weekend.

1-900... (4, Funny)

curtix7 (1429475) | more than 5 years ago | (#26176051)

I hear Bulgaria has the best phone sex lines confirm/deny?

Re:1-900... (3, Funny)

Servo (9177) | more than 5 years ago | (#26176169)

Only one way to find out!

Re:1-900... (0, Flamebait)

gb506 (738638) | more than 5 years ago | (#26176313)

Yeah, that thick Slavic accent is a real blood-pumper. I can smell the unibrow from here...

Re:1-900... (5, Interesting)

gandhi_2 (1108023) | more than 5 years ago | (#26176529)

I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

Let me assure you, none of us had ever seen so many gorgeous women in one place.

Re:1-900... (4, Funny)

LandDolphin (1202876) | more than 5 years ago | (#26176907)

Of course, you came from Utah.

Re:1-900... (2, Funny)

JohnnyLocust (855742) | more than 5 years ago | (#26176909)

I just spent 2 weeks in Bulgaria with the Utah Army National Guard.

Let me assure you, none of us had ever seen so many gorgeous women in one place.

Insert polygamy joke here ->

The phone company? (3, Insightful)

Tdawgless (1000974) | more than 5 years ago | (#26176067)

Why should the phone company be responsible for their customer's incompetence? If they installed it... maybe... but they didn't. Now, as far as a compassion standpoint... the company should at least help out some.

Good luck with MTS. Seriously. (5, Interesting)

Abstrackt (609015) | more than 5 years ago | (#26176077)

I had a phone cable dug up recently because MTS didn't mark it on a cable locate. The responses ranged from "sorry, you're out of luck" to "where else are you going to go for phone service?" I feel bad for the guy, but unless he takes it to court he isn't getting any help from MTS.

bewildering... (3, Insightful)

Dzimas (547818) | more than 5 years ago | (#26176099)

It is strange that MTS doesn't monitor extreme spikes in phone use. They claim that they don't have the resources to monitor anomalies, but it should be relatively straightforward to write a report that queries billing totals that are n times a customer's long term average. After all, few companies would see a legitimate spike of 20 or 30x normal billing from month to month. What it boils down to is that MTS doesn't want to be responsible for identifying fraudulent billing (lest the victim use that as grounds to get the charges waived), and the easiest way to avoid legal responsibility is to bury their heads in the sand.
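
The report described in the comment above, sketched as an added example (it is not part of the original comment and not any carrier's actual system). It goes one step further than a monthly billing report by checking daily spend against each account's trailing average; the account names, charges, thresholds and the `min_history` and `new_account_cap` parameters are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean


def sample_cdrs():
    """Constructed call detail records: (account, day, destination, minutes, charge $)."""
    start = date(2008, 11, 1)
    cdrs = []
    for i in range(28):  # four weeks of ordinary traffic
        day = start + timedelta(days=i)
        cdrs.append(("acct-100", day, "domestic", 200, 20.00))
        cdrs.append(("acct-200", day, "+44", 600, 300.00))  # legitimately heavy user
    day28, day29 = start + timedelta(days=28), start + timedelta(days=29)
    cdrs += [("acct-100", day28, "+359", 300, 300.00)] * 3  # fraud begins
    cdrs += [("acct-100", day29, "+359", 300, 300.00)] * 8  # and continues
    cdrs.append(("acct-200", day28, "+44", 900, 450.00))    # busy day, only 1.5x normal
    cdrs.append(("acct-300", day28, "domestic", 50, 5.00))  # new account, small bill
    cdrs.append(("acct-400", day28, "+359", 800, 800.00))   # new account, large bill
    return cdrs


def daily_spend(cdrs):
    """Sum charges per account per calendar day."""
    totals = defaultdict(lambda: defaultdict(float))
    for account, day, _dest, _minutes, charge in cdrs:
        totals[account][day] += charge
    return totals


def find_spikes(cdrs, n=5.0, window=28, min_history=7,
                min_alert=50.0, new_account_cap=500.0):
    """Return (account, day, spend, threshold) for each day that exceeds its threshold.

    With at least `min_history` earlier days on record, the threshold is n times
    the mean daily spend over the trailing `window` days (never below `min_alert`).
    Days already flagged are left out of the mean so that ongoing fraud cannot
    raise its own baseline. Accounts with less history are held to a flat
    `new_account_cap` instead.
    """
    alerts = []
    for account, per_day in sorted(daily_spend(cdrs).items()):
        first_seen = min(per_day)
        flagged = set()
        for day in sorted(per_day):
            history = []
            cursor = max(first_seen, day - timedelta(days=window))
            while cursor < day:
                if cursor not in flagged:
                    history.append(per_day.get(cursor, 0.0))  # idle days count as 0
                cursor += timedelta(days=1)
            if len(history) < min_history:
                threshold = new_account_cap
            else:
                threshold = max(n * mean(history), min_alert)
            spend = per_day[day]
            if spend > threshold:
                flagged.add(day)
                alerts.append((account, day, round(spend, 2), round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    for account, day, spend, threshold in find_spikes(sample_cdrs()):
        print(f"{account} {day}: ${spend:.2f} exceeds threshold ${threshold:.2f}")
```
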

Re:bewildering... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26176171)

It's not strange at all. Monitoring would cost money (even if it is only someone writing the query) that they don't have to spend.

Or as Lily Tomlin put it "We're the phone company. We don't care; we don't have to."

Re:bewildering... (4, Interesting)

snspdaarf (1314399) | more than 5 years ago | (#26176257)

Agreed. When our receptionist got hacked, and was doing call transfers to "9", AT&T picked up on the outbound calls as unusual and called us. They shut down the calls and canceled the charges. We own our switch, and there was none of this silly dance that MTS is doing.

Some Math (4, Insightful)

Anonymous Coward | more than 5 years ago | (#26176133)

Let's assume these calls cost $3.00 for a minute.

$56,000 / 3.00 = 18667 Minutes.

18667 / 60 (min/hr) = 311 Hrs.

So that means nobody noticed as this guy called for almost 2 full weeks of talk-time??

($3.00 is an assumption as I have no idea what actual international rates are)

Still, if this is even in the ball-park, that's a hell of a lot of talk time going unnoticed. You'd think the system would flag if you suddenly doubled your usage over a period of time.

Re:Some Math (1)

Spazztastic (814296) | more than 5 years ago | (#26176225)

Let's assume these calls cost $3.00 for a minute.

Back in the day when I was on Dial-up I had a virus on my Windows laptop that was online for only two minutes and charged $30 to my phone bill. You'd be surprised.

Re:Some Math (1)

zamboni1138 (308944) | more than 5 years ago | (#26176735)

I had this same attack happen on our company's PBX about five years ago. The CLEC providing us Internet and voice (Integra Telecom, worst phone company ever) forgot to put a password on the admin account of the voice mail box. One day MCI fraud calls us about the $10,000 bill we had racked up over the weekend. Because we had multiple voice channels (seven at the time) the attackers could place three outbound calls at the same time, which easily came to over 6,000 minutes in just two days.

Ha ha (3, Insightful)

DeadManCoding (961283) | more than 5 years ago | (#26176151)

Sorry, but no sympathy for this guy. It's his company's equipment which was hacked. His telecom company isn't responsible for his equipment, and if they're nice, they'll alert him to the calls. They make money when those calls are made, and why should they be responsible for alerting a customer who's making phone calls. Yes, the calls are going to Bulgaria, but that doesn't mean a telco should alert every person when they make a phone call overseas.

Re:Ha ha (1)

badfish99 (826052) | more than 5 years ago | (#26176249)

I've got lots of sympathy for him. He bought a voice mail machine, that is supposed to receive incoming calls, and the machine made outgoing calls without his knowledge or permission. If I were him, I would be suing the manufacturer of the machine for everything they have got. Oh, and publicizing the make of the machine, so that nobody else will buy one.

Re:Ha ha (1)

aaarrrgggh (9205) | more than 5 years ago | (#26176423)

His phone system was configured to allow outbound call transfer and had no restrictions on international calls. If you actually use the call transfer function, it isn't especially easy to prevent someone in voicemail to do the call transfer. Likewise, if you make international calls, you either need to create an account code system to permit it, or another PIN code.

For a small business that needs outbound call transfer and international calling, you are spending a lot of extra effort to protect things.

I know with Asterisk none of this is especially easy, although we do restrict which users can make international calls. I don't imagine any of the bigger systems are easier to configure...

Re:Ha ha (1)

DeadManCoding (961283) | more than 5 years ago | (#26176689)

Time to RTFA. It's a piece of equipment made by his company, that either he didn't secure, or didn't bug test for. Again, no sympathy for him, he screwed up and now stands to lose a lot of money because of that failure.

Re:Ha ha (4, Insightful)

Creepy Crawler (680178) | more than 5 years ago | (#26176251)

In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

How is it not fraudulent behaviour to collect on services that amounted from theft?

Re:Ha ha (1)

Al Dimond (792444) | more than 5 years ago | (#26176591)

I basically agree with you here. But there are some costs to the phone companies associated with making those calls as well, and it's not fair to stick the company with them when it was the user's equipment getting hacked.

I don't know much about the major costs for telcos; I assume they have to pay other companies for access to their networks. If there are significant per-minute costs for calls to Bulgaria, the user in this case should at least pay those plus a small overhead. However, if most of the costs don't vary based on usage, a fair solution is less clear.

Re:Ha ha (1)

Creepy Crawler (680178) | more than 5 years ago | (#26176795)

Simply put: The phone provider should also 'stiff' the upstream provider based upon fraudulent calls. Take a look at this list [bellsouth.com] and tell me this bill isn't so loaded, assuming they paid non-plan minutes.

And there is the issue with the Voicemail machine being hacked to send calls.. Go after their throat, legally, and drain them for all they're worth.

Re:Ha ha (2, Insightful)

Richard_at_work (517087) | more than 5 years ago | (#26176811)

In most civilized countries, possession of stolen property is a criminal offense, as is selling said property. Service is also seen as the same.

How is it not fraudulent behaviour to collect on services that amounted from theft?

Because it should not be the service provider's responsibility to police their customers (come on guys, doesn't that sound awfully familiar?), especially when their customers can provide their own equipment and the service provider cannot legally force equipment limitations.

In short, the telephone company in this instance did *exactly* what they were contracted to do - why the hell should they suffer (and they will suffer, they are out of pocket on the international termination charges) through no fault of their own?

It's time the customer starts taking *some* responsibility. Secure your system or pay the penalty.

Re:Ha ha (1)

internerdj (1319281) | more than 5 years ago | (#26176369)

There have been plenty of outrageous phone/cell-phone bill stories in the past year. The problem with these stories is that one month everything is $40-150 and the next month is more than I make in a year (much less take home) without any warning from the phone company in what is obviously abnormal usage. While the circumstances of this it is pretty clear the man is liable for his own equipment, but if my phone bill passes my monthly income without my provider alerting me then I'm screwed. Phone isn't a credit card, if I don't pay I don't get to roll over my bill to the next month; they cut me off from the world. Ever tried to get a job without a phone number? Conduct business? Apply for any type of credit?

Top it all off some criminal just walked away scot free with $56000 worth of phone service and the phone company won't do anything about it. Whoever that is now is free to do it again.

Have Telco Block Outgoing International Calls? (4, Insightful)

Zymergy (803632) | more than 5 years ago | (#26176157)

Is there not a way to just block the ability to direct dial International Calls at the Phone company level. That way a calling card could be used to only dial international?
If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?

I was also under the impression that YOU had to be the one that actually 'in good faith' placed the calls for it to be legally billed to you. I am not sure about US/Canadian telecom laws?

If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).
I would simply be responsible for getting a better protected router or some other commonplace and reasonable standard process of WiFi protection.

Similarly, this firm likely had made reasonable efforts to NOT have their phone system hacked, and therefore did not make the calls and thus should not be made responsible for them. The phone company should protect their customers 'in good faith'.

Re:Have Telco Block Outgoing International Calls? (4, Insightful)

GrenDel Fuego (2558) | more than 5 years ago | (#26176219)

If a stranger hacks my WIFI encryption in my neighborhood and downloads child prOn, warez, illegal MP3, etc.. through my router/IP that DOES NOT mean that I did it and I AM NOT responsible for those communications/transfers as I have made reasonable accommodations to prevent that (plus I shudder to think that any of my neighbors are into any of that).

There's a difference between criminal liability and financial. You wouldn't be convicted of downloading child porn (or shouldn't be at least), but if your internet access was pay as you go, you may still be required to pay for the bandwidth used.

Re:Have Teleco Block Outgoing International Calls? (2, Informative)

athakur999 (44340) | more than 5 years ago | (#26176311)

The problem is, that 52K phone bill is not all going to this guy's phone company's coffers. They're going to pass on some amount of that to their upstream provider who will pass some amount on to someone else and on and on. It's not like the phone company can waive that 52K charge and nobody's hurt. The phone company still has to pay someone else for that call.

Sorry, but I can't side with the guy in this case. He set up his own equipment instead of using the phone company's and that implies, in the absence of an agreement otherwise, that you're taking the responsibility to make sure it is set up correctly.

Re:Have Teleco Block Outgoing International Calls? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26176355)

Is there not a way to just block the ability to direct dial International Calls at the Phone company level. That way a calling card could be used to only dial international?

If the phone company does not offer such a protection, they are in a manner condoning such abuse are they not?

Every phone provider has this feature.... you just need to call in and get it added. This would be the customer's fault, why would MTS or any other phone company have this on by default?

I am totally with MTS on this one, if you are in the business of installing VOIP phones and securing them, then you get hacked, tough luck buttercup. The way I see it, YOU are responsible for your own shit, end of story. If someone breaks into your wireless router and hacks the planet you better bet that heat is coming down on you. Maybe in your world the cops would brush you off in a few seconds, but the reality of the situation is that it will be quite different, I assure you :)

Re:Have Teleco Block Outgoing International Calls? (3, Funny)

Anonymous Coward | more than 5 years ago | (#26176429)

The phone company should protect their customers 'in good faith'.

I know what all those phrases mean. I just never imagined I'd see them all together in one sentence like that.

Why ask MTS for compensation? (4, Insightful)

e9th (652576) | more than 5 years ago | (#26176165)

He should be looking to the company that installed the system for compensation, not MTS.

If the phone company wants to charge... (3, Interesting)

gandhi_2 (1108023) | more than 5 years ago | (#26176179)

...then they should be legally liable for selling stolen goods.

The phone bill is exactly stolen services....and for the phone company to sell that should be illegal.

Re:If the phone company wants to charge... (1)

MobyDisk (75490) | more than 5 years ago | (#26176339)

Pretend for a moment this was not cybercrime, but was physical. If someone physically broke into HUB computer's offices, and made $52,000 of phone calls from someone's desk, would the phone company be responsible?

No. The phone company did nothing wrong. It isn't their responsibility to screen your phone calls and determine which ones are fraudulent. This wasn't a case of the phone company's system being compromised. It was neglectful security by HUB.

Re:If the phone company wants to charge... (1)

whisper_jeff (680366) | more than 5 years ago | (#26176491)

The phone company did nothing wrong. It isn't their responsibility to screen your phone calls and determine which ones are fraudulent.

It doesn't take a brain surgeon to recognize a distinctly unusual shift in calling patterns. If the company had NEVER called Bulgaria (which is likely because, let's be honest, who among us has ever called Bulgaria?...) and then it suddenly racks up $52 THOUSAND in calls to Bulgaria, someone at the company should say "hey, that seems odd. Let me make a call to our valued customer and make sure nothing's wonky." Sorry, it's not hard. If we expect it of credit card companies, I see no reason to not expect it from other companies.

Re:If the phone company wants to charge... (1)

IceCreamGuy (904648) | more than 5 years ago | (#26176625)

What, someone just happens to be browsing through their records of billions of phone calls and notices this pattern? Also, you are assuming that they value their customer; I don't think you've ever dealt with a phone company in a business setting...

Re:If the phone company wants to charge... (1)

MobyDisk (75490) | more than 5 years ago | (#26176633)

You are right, the phone company could have done this. But just because the phone company did not implement measures to protect someone from their own stupidity does not make it the phone company's fault.

However, if the phone company offered such a service, perhaps for a monthly fee, then I could see blaming the phone company for the failure of that service.

Re:If the phone company wants to charge... (1)

bugs2squash (1132591) | more than 5 years ago | (#26176521)

That sounds good.

But in practice the phone companies (there will be one in Bulgaria too) have profited enormously from this crime, way beyond their cost for the calls in question.

It might seem reasonable to me that they should ask that their costs be covered for the stolen minutes, not the retail price.

It's not as if the phone company did much or anything to offer a service whereby they could determine the calls were bona fide.

Re:If the phone company wants to charge... (1)

gandhi_2 (1108023) | more than 5 years ago | (#26176593)

Using your (non-car) analogy, no. Of course, the phone company isn't liable for this...HUB is. Just like your credit card company not being liable if someone steals your llama.

But the phone company continued to sell to HUB a stolen service, thereby financially benefiting from the theft.

Re:If the phone company wants to charge... (1)

Hans Lehmann (571625) | more than 5 years ago | (#26176507)

It wasn't stolen goods when the phone company sold it. If I sell you my used car and a week later it's stolen from your driveway, that doesn't make me responsible for its theft.

Re:If the phone company wants to charge... (1)

prajjwal (965508) | more than 5 years ago | (#26176511)

Using the same analogy, if someone stayed in an insufficiently secured house while the owners were away, the electricity company should be illegally selling electricity and the water company illegally selling water -- stolen goods by the example above! The thief is liable, but if the provider cannot notice any difference from their end regarding the service being provided, then they are not liable in my opinion.

Someday ... 'Cloud Hacking' (1)

aoheno (645574) | more than 5 years ago | (#26176209)

Taking this further, given enough bandwidth, we could well see many a PC relegated to being a dumb terminal attached to a hackable 'cloud computer', or 'personal virtual machine'. Imagine a million of those hacked instantly because Amazon EC2 has a security flaw - a backdoor admin password revealed to a boy/girlfriend of the opposite political persuasion; a lost Amazon laptop with a functioning VPN link into EC2 with superadmin privileges; an unfortunate fraud detection and prevention businessman specializing in cloud security?

THAT's why we don't pay by the megabyte (0)

Anonymous Coward | more than 5 years ago | (#26176235)

This should be a lesson to all the people who think customers should pay by the megabyte for internet access. The safety of a fixed price per month is worth it, even if you would normally pay a little less with a metered connection.

Of course a metered connection could still be made a lot safer by allowing the customer to set an upper limit, but that would prevent accidental roaming and long distance charges which everybody seems to fall victim to once in a lifetime. Maybe it's time for a law...

It has been said before (1)

Deag (250823) | more than 5 years ago | (#26176321)

But why are there no credit limits on what phone companies provide? They all seem to happily keep upping someone's bill without ever wondering if that person can pay it.
Someday we are going to hear about someone getting billed 30 million for watching a movie on their iPhone while on safari.
After the first few grand they should cut you off and tell you about it. And if you want a bigger credit limit you request it.

Re:It has been said before (1)

Creepy Crawler (680178) | more than 5 years ago | (#26176463)

Why do that, when you're on the hook for it?

Just load'er up, and cut a "deal" for 5K or so.

Yay for 4-digit pins (4, Funny)

MobyDisk (75490) | more than 5 years ago | (#26176379)

Davison has a four-digit password on the voice mail. That doesn't stop professional hackers, said Brett Rhodes, an expert in the field who runs SME Teleresources Inc. in Winnipeg.

I once saw a web site with a list of all 4-digit pins on it. I mean like, every single one!!!! There must be... hundreds.. no... thousands of possibilities! Keeping or distributing such a list should be illegal.

Re:Yay for 4-digit pins (2, Funny)

dietdew7 (1171613) | more than 5 years ago | (#26176421)

Oh crap! I'm going to have to change the combination on my luggage.

Re:Yay for 4-digit pins (5, Funny)

Anonymous Coward | more than 5 years ago | (#26176559)

Incorrect PIN number. You have 9998 tries remaining.

Re:Yay for 4-digit pins (1)

Dan Ost (415913) | more than 5 years ago | (#26176573)

+1 Funny!

Thanks!
I needed a laugh.

Re:Yay for 4-digit pins (0)

Anonymous Coward | more than 5 years ago | (#26176769)

No joke.. but we once ran a program to map 4-digit pins. The vast majority fell in the MM/DD or MM/YY format. I.e., they were using the numbers from 0101 to 1231 most often, with the next 'hump' in the 1231-1299 range (which corresponded to the age range).

What's with the law? (1)

Lord Bitman (95493) | more than 5 years ago | (#26176479)

Someone steals from the phone company using someone else's phone, and it's the someone else who needs to pay?

Say there's a water main and a pipe running off it to someone's house. Unscrupulous fiend taps into it. If he taps into the part closest to the street, it's a clear case of that person stealing from the water company and they're stuck with the problem. If he makes his hole six inches to the left, the water company gets to send a bill? How is that sane?

Re:What's with the law? (2, Insightful)

IceCreamGuy (904648) | more than 5 years ago | (#26176673)

Because the water company doesn't own the pipe six inches to the left, and the company that got their water hijacked was a "pipe security" company.

Re:What's with the law? (1)

JoeMerchant (803320) | more than 5 years ago | (#26176821)

It should only cost the guy $5K in legal fees to fight this, I'd give him 50% chance of winning - not bad odds on the whole, if he can find a shyster to take the case.

Re:What's with the law? (0)

Anonymous Coward | more than 5 years ago | (#26176843)

Lines of distinction must be drawn somewhere. In the case of a water main, it's the meter. A huge water bill shouldn't be the first clue that your basement is flooding. This guy got tapped on his side of the meter - within his realm of responsibility. You and I might not agree with where the line was drawn, but we need a line somewhere.

Re:What's with the law? (1)

starfishsystems (834319) | more than 5 years ago | (#26176953)

It's called a "demarcation point" and it's identified in the part of the service agreement which describes which parties to the agreement are responsible for what.

Not having an agreed demarc would be less than sane, since then there would be no explicit basis for determining responsibility. That would lead to endless arguments such as you've advanced, which for example either (a) blame the phone company because "it's a phone" (guilt by association) or (b) depend on questionable analogy leading to hairsplitting (reductio ad absurdum.)

According to the article, the exploit took place because of vulnerabilities in customer premises equipment. End of story.

I am in the same business (3, Informative)

E. Edward Grey (815075) | more than 5 years ago | (#26176553)

...and there is no, I mean, NO excuse for what this guy allowed to happen, from the perspective of a telephony engineer.

Point #1: how weak is your security that an external entity can log in and gain access?

Point #2: why in the world does his voice mail system have a class of service that allows outdialing? Typically a telephony engineer restricts the class of service on the ports connecting to the phone system so that they can only pass calls to the phone system itself, not to the outside world.

This guy is unbelievably lazy, and the fact that he wants someone else to pay for his mistakes is insane. He fails at life.

When can we start executing hackers? (3, Interesting)

tjstork (137384) | more than 5 years ago | (#26176605)

Everyone here seems to have this blame the victim for getting hacked, but, why should we have to do this security stuff at all? Why can't we just execute the criminals? Everything is all about put up shields, pay tons of money for security, and it's as if the criminals have more of a right to our systems than we do. Enough already. This guy shouldn't have to pay any money at all, regardless of whether he had the shields up, or not. People ought to be able to have a relative sense of security about themselves, and if we have to behead 50,000 convicted hackers and identity thieves and hang their bloated corpses off of bridges as an example to others, then, let's get on with it.

Death to hackers, that's the best security policy that any country could have.

On par with Credit Card Companies? (0)

Anonymous Coward | more than 5 years ago | (#26176631)

As in, on par with American airport security? As in, make you feel like something has been done? Or did you mean on par with the cc companies, taking it one step further than that, like making you feel secure but actually doing very little so that they end up with your money in the majority of the fraud cases?

52 000 for long distance? (1)

Haralampi (1198303) | more than 5 years ago | (#26176679)

I liked one of the comments under the original article that charging 52K for long distance is a crime itself. Are we still living in the dark ages of pre-internet where telcos being monopolists could charge whatever price they wanted for phone calls? Another thing that bothers me is that there are sooo many voip solutions out there that allow you to make calls to Europe for as low as 3 cents per minute. It's not worth the risk of hacking if you have that option.

hmmmm (3, Insightful)

dissolved (887190) | more than 5 years ago | (#26176887)

I work for a Telco. We flag to clients when they accrue silly spends to foreign numbers. This happens around the $100 mark generally. Why did this go unnoticed for so long? Incidentally this is completely the responsibility of the end client. Anyone could ring Bulgaria for hours on end and then blame "teh criminalz!!!11". Secure your equipment better.
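The spend flagging described in the comment above, and the "unusual shift in calling patterns" check asked for earlier in the thread, can be run by the PBX owner over their own call detail records. This is an added example, not part of any comment and not any telco's actual system; the record layout, port names, 24-hour window and sample records are constructed assumptions, with 359 being Bulgaria's country code.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SPEND_LIMIT = 100.00          # alert threshold in dollars (the "$100 mark" from the comment)
WINDOW = timedelta(hours=24)  # assumed rolling window

# Constructed sample call detail records: (start time, source port, country code, cost in $)
CDRS = [
    ("2008-12-01 09:12", "ext-201", "1", 0.40),
    ("2008-12-01 14:30", "ext-204", "1", 1.10),
    ("2008-12-02 10:05", "ext-201", "44", 3.20),
    ("2008-12-13 01:02", "vm-port-1", "359", 41.00),
    ("2008-12-13 01:40", "vm-port-1", "359", 38.50),
    ("2008-12-13 02:15", "vm-port-2", "359", 44.75),
    ("2008-12-13 09:20", "ext-201", "1", 0.90),
    ("2008-12-13 23:50", "vm-port-1", "359", 52.00),
]

def detect_toll_fraud(cdrs, baseline_end, limit=SPEND_LIMIT, window=WINDOW):
    """Alert once per destination that is absent from the baseline period
    and whose rolling spend inside `window` exceeds `limit`."""
    fmt = "%Y-%m-%d %H:%M"
    rows = sorted((datetime.strptime(t, fmt), src, cc, cost) for t, src, cc, cost in cdrs)
    cutoff = datetime.strptime(baseline_end, fmt)
    known = {cc for t, _, cc, _ in rows if t < cutoff}  # destinations seen in normal use
    recent = defaultdict(deque)  # country code -> (time, cost, source) still inside the window
    alerted, alerts = set(), []
    for t, src, cc, cost in rows:
        if t < cutoff or cc in known:
            continue  # baseline traffic, or a destination this customer normally calls
        q = recent[cc]
        q.append((t, cost, src))
        while q and t - q[0][0] > window:
            q.popleft()  # drop calls that have aged out of the rolling window
        spend = round(sum(c for _, c, _ in q), 2)
        if spend > limit and cc not in alerted:
            alerted.add(cc)
            alerts.append({"country_code": cc, "at": t, "spend": spend,
                           "sources": sorted({s for _, _, s in q})})
    return alerts

if __name__ == "__main__":
    for alert in detect_toll_fraud(CDRS, "2008-12-10 00:00"):
        print(alert)
```

On the sample data the alert fires on the third overnight call, and the `sources` field shows the calls came from voice mail ports rather than desk extensions, which is the class-of-service problem raised elsewhere in the thread.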

Cool... where is the How-to (0)

Anonymous Coward | more than 5 years ago | (#26176933)

This is sooo cool... where is the How-to?
