Phone Sleuths Are Cutting Off The Hackers

Once burned, twice smart. After a hacker broke into the phone system of the Christian Broadcasting Network and used it to make $40,000 worth of calls to Pakistan, the network's vice-president for information services fought back. Paul D. Flanagan programmed the company's phone switch, or PBX, to block all calls to Pakistan as well as the Caribbean and other areas favored by hackers--often drug dealers or hoodlums who sell cut-rate calls to immigrants. The program also cuts off anybody who repeatedly calls from outside trying to make calls through CBN's PBX. Since the first incident in 1987, hackers have tried to enter Flanagan's PBX twice--and failed both times. "I think we've licked this problem," he says.

Flanagan may be overly confident. Phone hackers are resourceful, and estimates of phone-fraud losses in the U.S. range from $500 million to $4 billion. But it looks as if phone companies and their customers are starting to bring toll-call cheating under control. For one thing, instead of fighting over who pays for losses, carriers are working with their customers to stamp out fraud--and giving partial protection from losses to those who fully cooperate (table).

IN THE GARBAGE. Like CBN, corporations across the country are securing their phones better. And phone companies are using software that quickly spots unusual calling patterns. Sprint Corp. says its average loss has fallen more than 90% in the past year, to less than $2,000 per case. TeleChoice Inc., a Montclair (N.J.) consultancy, predicts that losses from PBX toll fraud could fall 60% in the coming year.

For years, the problem seemed almost intractable. In the case of PBX fraud, the key is obtaining access codes, which traveling employees use to make calls through the home PBX at corporate rates. Thieves watch executives using pay phones or dig through garbage to get the numbers. Until recently, companies wouldn't learn they had been victimized until the monthly phone bill arrived.

These days, the ripoffs can be halted almost as quickly as they begin. American Telephone & Telegraph Co., for instance, has a computer program that looks for unusual calling patterns as they occur, much the way New York Stock Exchange computers spot patterns that might signal insider trading. That requires speedy computing: Traditionally, call details went onto magnetic tapes and weren't looked at until the end of each month. AT&T now alerts customers as soon as a threshold is exceeded. For example, it would notice if many calls are suddenly placed to an 800 number that's intended for internal corporate use. Since May 7, when it got a government go-ahead, AT&T has cut off all access to 800 numbers from more than 1,000 phone lines that were suspected of being involved in fraud.
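The threshold alerting described above, as an added example that is not from the article or from any carrier's system: a sliding-window counter over call records that fires as soon as calls to a watched internal 800 number exceed a limit, and reports the originating lines for review. The record layout, phone numbers, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(1992, 6, 1, 9, 0)
INTERNAL_800 = "800-555-0100"   # hypothetical internal-use number
WINDOW = timedelta(minutes=15)  # assumed look-back window
THRESHOLD = 4                   # assumed: alert on more than 4 calls per window

# Constructed call records: (timestamp, originating line, dialed number).
SAMPLE_CDRS = [
    (BASE + timedelta(minutes=m), line, dialed)
    for m, line, dialed in [
        (0, "804-555-0120", INTERNAL_800),    # routine employee calls
        (95, "804-555-0121", INTERNAL_800),
        (200, "212-555-0111", INTERNAL_800),  # burst from two lines begins
        (202, "212-555-0112", INTERNAL_800),
        (203, "212-555-0111", INTERNAL_800),
        (205, "212-555-0112", INTERNAL_800),
        (206, "212-555-0111", INTERNAL_800),
        (207, "212-555-0199", "703-555-0150"),  # unwatched number, ignored
        (209, "212-555-0112", INTERNAL_800),
    ]
]

def detect_bursts(records, watched, threshold, window):
    """Return one alert (time, dialed number, originating lines) per watched
    number, raised at the first call that pushes the in-window count over
    the threshold, instead of waiting for an end-of-month batch."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, line, dialed in sorted(records):
        if dialed not in watched or dialed in alerted:
            continue
        calls = recent[dialed]
        calls.append((ts, line))
        while ts - calls[0][0] > window:  # drop calls older than the window
            calls.popleft()
        if len(calls) > threshold:
            alerted.add(dialed)
            alerts.append((ts, dialed, sorted({l for _, l in calls})))
    return alerts

def run_sample():
    return detect_bursts(SAMPLE_CDRS, {INTERNAL_800}, THRESHOLD, WINDOW)

if __name__ == "__main__":
    for ts, dialed, lines in run_sample():
        print(f"{ts:%H:%M} alert on {dialed}; lines to review: {lines}")
```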

Sprint also studies calling patterns to detect aberrations but collects data daily, rather than minute by minute. MCI Communications Corp. focuses mainly on traffic coming out of New York, where it estimates that 70% of such illegal calls originate. Lately, it has begun monitoring Los Angeles as well.

Phone companies are also working more vigorously with authorities to track down hackers. Late last year, MCI tipped off New York police to a fraud ring. The cops set up video surveillance of pay phones, while New York Telephone kept track of the numbers that were being dialed. In May, they charged three men with scheming to defraud and accused them of stealing $130,000 worth of long-distance calls. If convicted, each faces up to four years in prison. MCI aided in 300 arrests last year and expects to exceed that in 1992. "The phone companies are becoming much more aggressive," says George M. Donahue, the assistant district attorney prosecuting the New York case.

SIMPLE PLOY. Of course, the hackers are getting more aggressive, too. "It's like collapsing a balloon," says James F. Snyder, an MCI investigator. "You squeeze it in one place and it gets bigger somewhere else." Lately, hackers seem to be turning to cellular networks to steal long-distance service. And now that companies are wise to the 800-number route into their PBXs, thieves are entering via voice-mail systems. How? Once they discover the access number for a voice-mail system, they dial an employee's number. When the system asks for a password, they try the same number as the employee's extension. If that works, they try to get transferred to a line that lets them make outgoing calls.

It turns out that there are simple ways to curb entry through voice mail, such as making sure passwords aren't the same as extension numbers. As companies do that, hackers no doubt will figure other routes in. But these days, they know that the antihacker brigades will be watching--and perhaps even keeping a step ahead.

SPRINT: Will monitor overseas calls for suspicious patterns such as heavy calling to unusual destinations. For a fee, will cover losses over $25,000, up to $1 million per year per customer location.

AT&T: Also monitors overseas calls and, in one program starting in August, will cover losses over $25,000. Will cover customers' losses over $12,500 if customers spot the fraud before AT&T does.

MCI: No formal program, but monitors calls from the New York and Los Angeles areas, and alerts customers to suspected fraud. Will cover 30% of the first loss suffered by a customer. Recommends ways to stop fraud.