1. No category

Telecommuncation problems?
Steven Branigan
District Manager,
Corporate Computer and Network Security
2 march 1999
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
It can’t be that difficult!
Just a bunch of LATAs
Courtesy of US WATS from the fcc.gov web page
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Telephony issues
 Frauds
 wireless
 coin
 landline
 Recent exploits
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Let’s start with General Billing
 Coin phone: pay as you go.
 Prepaid: pay in advance.
 Calling credit: credit
 Residence/business line: credit
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Traditional frauds
I make the call, you pay the bill
 Clip on fraud.
 Cordless phone fraud.
 Calling card fraud
 Boxes. (red, blue…)
 Cloning
 Subscriber fraud
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Coin phone
 coin phone
 Network controlled pay phones.
 Customer owned payphones
 Pay as you go, and you know exactly how much the
call costs.
 Carrier is selected by the coin phone.
 Of course the red box was a common coin fraud.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Of interest
 Incoming payphones in certain LATAs must allow
incoming calls.
 The calling party controls the connection until a
timeout in the US.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Calling card
 Can be used from a residential or coin phone.
 In this cases, the user has no idea how much the call
costs.
 Calling cards and pins are compromised frequently.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Exploit #1
 Insider at a telco gained access to an SS7 network
element
 Crafted SS7 messages that issues C.C. queries to SS7
database.
 Automated process rotated calling card number, kept
the pin constant.
 Avoiding fraud detection mechanisms.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Exploit #2
 A potential payphone user would hear a ringing
payphone at a busy location.
 The user would pickup and hangup.
 Then the user would place a calling card call, and the
calling card was compromised.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Exploit #2 Hypothetical
 Payphone located in Chicago.
 Fraudster located in NYC.
 Fraudster calls payphone in Chicago. When the call is
answered, the fraudster plays dialtone (from NYC)
into the payphone.
 Person in chicago believes the dialtone is from
chicago, and places a calling card call.
 The NYC fraudster completes the call, and collects the
calling card number.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
What about toll free calls
 Calls to specific number may be toll free.
 In this call model, the party called actually pays for
the call.
 Currently, 800, 888 and 877 are toll free numbers in
the US
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
An old toll-free case
 The “stolen” 800 number.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
It could happen to anyone…
 It started with a book on Internet security being
recovered on a drug raid…
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Using a tapped phone line for
profit.
 A phone line was tapped that was used for credit card
validations.
 The rest, as we say, is history.
 (and people worry about using their credit card on the
Internet?)
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Investigative tools
 Dialed Number Recorder (DNR)
 Trap & trace
 Wiretap
 Billing records
 Caller id?
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
CO Switch
Line history block
< op:ilhb,dn=7329491999; PF
S570-15073350 95-11-12 15:45:15 075603 MTCE
M OP ILHB DN=7329491999
DATE=11/12 TIME=15:42
LICDN=7326241024
MULT_CALL=YES PRIV_INC=NO TRACE=NO IDP=YES
SCREENING=NP ADDR_TYPE=NATL NUM_PLAN=ISDN UNIQ=YES
CNPR_INC=NOP
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Trap and Trace
Example output
< op:clid; PF
S570-15073350 95-11-12 15:45:22 075605 TRCE XXX
M OP CLID LIST CONTAINS 2 NUMBERS
SECTION 1 OF 1
5550101
7329491999
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
The CCS/SS7 network
SCP
SCP
SCP
STP
STP
CO/SSP
CO/SSP
trunks
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
CCS/SS7 network
Issues
 SS7 messages obtainable (think pins)
 Remote maintenance of switches
 Remote maintenance of databases
 Many telephone lines rely on a single system
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
PBX
 A great target for the call sell operation.
 In order to save money, some corporations allow for
dial-out capability in their PBX.
 A user can call into the PBX using a toll free number,
than call any number in the world.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Cellular
Hello, you’re on the air!
 Wireless telephone communication.
 Phone number doesn’t determine physical location!
 Conversation broadcast within cell.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Cellular tracking?
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
The future
 Local number portability.
 Voice/video over the Internet.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Local number portability
 A user will be able to keep their phone number
forever, (as long as they are in the US)
 This will remove geographical issues from wire-line
telephone numbers just as it has been removed from
cellular.
 10 digit dialing will become much more common.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Area code splits
 dividing a specific area code into two area codes.
 Increases the available telephone numbers in the
network
 Two mechanisms, geographical splits or overlays.
 Makes the concept of a long distance call more
confusing.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Geographic split
 Neighboring call can still be dialed with only 7 digits.
 NJ’s 908/732 area code split is an example of a
geographic split.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved
Area code overlay
 Requires that all calls are dialed with 10 digits.
 NYC’s 212 area code split is an example of an area
code split overlay.
We make the things that make communications work.™
© Lucent Technologies -- All rights reserved