informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/phreak/PHREAKING/advphrk.txt

838 lines
45 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 13:31:59 -05:00
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<*> Joe Cosmo Presents..... <*>
<*> <*>
<*> Methods of Phreaking and Telco Security Measures <*>
<*> <*>
<*> June 16, 1988 1:30 am <*>
<*> <*>
<*> (updated 7/3/88 for CN/A list & Plus One Service) <*>
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
(formatted to 80 Columns)
Dedication: This phile is dedicated to all those great phreakers who taught
me all of this, and to all of the newcomers being born to the phreak world. For
the legends, it is here as their legacy, and for the newcomers, I hope they
will use it as their guide in times of trouble, and may there always be
phreakers in the world.
TABLE OF CONTENTS
CHAPTER
I. Introduction: What Telephone Fraud Is
II. Who Does It and Why
III. The Systems That Are Fooled
IV. Electronic Toll Fraud
How Boxes Work
The Blue Box
Operation of a Blue Box
Pink Noise
The Black Box
The Red Box
The Cheese Box
V. Divertors
VI. Private Branch Exchanges
VII. Specialized Common Carriers
SCC Extenders List
VIII. PC Pursuit
How to Originate a PC Pursuit Call
IX. Cellular Phone Fraud
ESN Tampering
Obtaining ESN's
X. CN/A's
CN/A List (updated 7/3/88)
XI. Loops
XII. Alliance Teleconferencing
Billing an Alliance Conference
Starting a Conference
XIII. Telephone System Security Measure
ESS Detection Devices
Automatic Number Identification and Centralized
Automatic Message Accounting Tapes
Dialed Number Recorders
Trap Codes
The Lock In Trace
Stopping a Lock In Trace
4Tel (Updated 6/24/88 Thanx to Touch Tone of BC, Canada)
Evading 4Tel
Plus One Service (updated 7/3/88)
Common Channel Inter-office Signaling
XIV. Laws Governing the Rights of Phreakers
XV. Conclusion
I. Introduction: What Telephone Fraud Is
Telephone fraud is illegally using the communication facilities of
telephone companies. This is commonly known as "phreaking." The writer's
purpose
is to explore the methods of phreaking, and the various security measures of
telephone companies.
II. Who Does It and Why
The majority of people who phreak are owners of modems (MOdulators
DEModulators, devices which allow computers to communicate over telephone
lines)
and are usually between the ages of twelve and seventeen. When the person
reaches age eighteen, he or she usually stops, since after that age, if the
person in caught, the penalty can become very serious. Phreaking is the
violation of the law on Fraud In Connection With Access Devices, which carries
maximum penalties of 15 years imprisonment and a fine of $50,000, or twice the
value of the fraudulent activity.
Scattered throughout the country are many different computer bulletin
board
systems, or BBS's. These are computer systems established by private users or
large organizations for the exchange of public and private messages and
software. Most are not a local call, though. Since the normal user calls about
ten different BBS's, with even the lowest long-distance rates, the phone bill
each month can range from $100 to $1000. The solution is to phreak. When these
people learn how to phreak, they also realize that besides making free
long-distance calls from their home, they can also make free calls from
payphones. They also find that there are many other facilities that they can
used without paying.
III. The Systems That Are Fooled
Their are three types of telephone operating systems in the U.S., Step by
Step (SxS), Crossbar (XB), and Electronic Switching System (ESS). They are
described in detail in the following paragraphs.
Step by Step
Step by Step (SxS) was the first switching system used in America, adopted
in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step.
A
long, and confusing train of switches is used for SxS switching.
Disadvantages
A. The switch train may become jammed, blocking calls.
B. No DTMF (Dual-Tone Multi-Frequency), to be discussed later.
C. Much maintenance and much electricity.
D. No "Touch-Tone" dialing.
Identification
A. No pulsing digits after dialing or "Touch Tone".
B. Much static in the connections.
C. No Speed calling, Call forwarding, and other services.
D. Pay-phone wants money first before dial-tone.
Crossbar
Crossbar has been Bell's primary switcher after 1960. Three types of
Crossbar switchings exist, Number 1 Crossbar (1XB), Number 4 Crossbar (4XB),
and
Number 5 Crossbar (5XB). A switching matrix is used for all of the phones in an
area. When someone calls, the route is determined and is connected with the
other phone. The matrix is positioned in horizontal and vertical paths,
organizing the train of switches more effectively, and therefore, stopping the
equipment from jamming. There are no definite distinguishing features of
Crossbar switchings from Step by Step.
Electronic Switching System
ESS is the most advanced system employed, and has gone through many kinds
of revisions. The latest system to date is ESS 11a, which is used in Washington
D.C. for security reasons. ESS is the country's most advanced switching system,
and has the highest security system of all. With its many special features, it
is truly the phreaker's nightmare.
Identification
A. Dialing 911 for emergencies.
B. Dial-tone first for pay-phones.
C. Calling services, including Call forwarding, Speed dialing, and Call
waiting.
D. Automatic Number Identification for long-distance calls (ANI), to be
discussed later.
E. "Touch Tone"
IV. Electronic Toll Fraud
The ETF's are electrical devices used to get free long-distance calls. The
devices are more commonly known as colored boxes, and using them is known as
"boxing." Boxing is one of the oldest way to phreak, and therefore, it is also
the most dangerous, since the telephone companies are very much aware of their
existence. Colored boxes are not used only for phreaking. There are many types
which have other uses (such as the Tron Box, which lowers your electric bill),
so only those used in telephone fraud will be discussed.
How Boxes Work
In the beginning, all long distance calls were connected manually by
operators who passed on the called number verbally to other operators in
series.
This is because pulse (rotary) digits are created by causing breaks in the DC
current. Since long distance calls call for routing through various switching
equipment and AC voice amplifiers, pulse dialing cannot be used to send the
destination number to the end local office (CO).
Eventually, the demand for faster and more efficient long distance service
caused Bell to make a multi-billion dollar decision. They had to create a
signaling system that could be used on the LD Network. They had two options:
[1] To send all the signaling and supervisory information (eg., ON and OFF
HOOK)
over separate data links. This type of signaling is referred to as out-of-band
signaling.
[2] To send all the signaling information along with the conversation using
tones to represent digits. This type of signaling is called in-band signaling.
The second seemed to be the most economical choice, and so, it was incorporated
in ESS.
Then, in the 1960's, when the first ESS systems were employed, a toy
whistle was put in each box of Captain Crunch Cereal as a premium. A young
radio
technician in the United States Air Force became fascinated with the whistle
when he discovered that by blowing it into the telephone after dialing any long
distance number, the trunk line would remain open without toll charges
accounting. From then on, any number could be dialed for free. The truth was
that the whistle produced a perfect-pitch 2600 Hz tone, the one used to signify
a disconnect in ESS switching equipment. To overcome the initial charge for the
for the long distance call, he later used toll-free 800 numbers.
Being a skilled technician, Captain Crunch (he began to use the name as an
alias) soon went beyond the simple whistle and experimented with other
frequencies, creating many of the boxes discussed in the following paragraphs.
The Blue Box
The "Blue Box" was so named because of the color of the first one
discovered by the authorities. The design and hardware used in the Blue Box is
very sophisticated, and its size varies from a large piece of apparatus to a
miniaturized unit that is approximately the size of a "king size" package of
cigarettes.
The Blue Box contains 12 or 13 buttons or switches that emit the
multi-frequency tones used in the normal operation of the telephone toll (long
distance) switching network. In effect, the the Blue Box can let a person
become
the operator of a phone line. The Blue Box enables its user to originate
fraudulent toll calls by circumventing (fooling) toll billing equipment. The
Blue Box may be directly connected to a phone line, or it may be acoustically
coupled to a telephone handset by placing the Blue Box's speaker next to the
transmitter, or the telephone handset.
Operation of a Blue Box
To understand the steps of a fraudulent Blue Box call, it is necessary to
understand the basic operation of the Direct Distance Dialing (DDD) telephone
network. When a DDD call is originated, the calling number is identified as an
integral part of establishing the connection. This may be done either
automatically by ANI in ESS, or in some cases, by an operator asking the
calling
party for his telephone number. This information is entered on a tape in the
Centralized Automatic Message Accounting (CAMA) office. This tape also contains
the number assigned to the trunk line over which the call is to be made. The
information relating to the call contained on the tape includes the called
number's identification, time of origination of the call, and if the called
number answered the call. The time of disconnect is also recorded. The various
data entries with of the call are correlated to provide billing information for
use by the caller's telephone company's accounting department.
The typical Blue Box user usually dials a number that will route the call
into the telephone network without charge. For example, the user will very
often
call a well-known INWATS (toll-free) number. The Blue Box user, after gaining
this access to the network when somebody picks up and in effect, "seizing"
control of the line, operates a key on the Blue Box which emits a 2600 Hertz
(cycles per second, abbreviated as Hz) tone. This tone causes the switching
equipment to release the connection to the INWATS customer's line. The 2600 Hz
tone is the signal to the switching system that the calling party has hung up.
In fact though, the local trunk on the calling party's end is still connected
to
the toll network. The Blue Box user now operates the "KP" (Key Pulse) key on
the
Blue Box to notify the toll switching equipment that switching signals are
about
to be emitted. The user then pushes the "number" buttons on the Blue Box
corresponding to the telephone number being called. After doing so, he/she
operates the "ST" (Start) key to tell the switching equipment that signaling is
complete. If the call is completed, only the portion of the original call prior
to the operation of the 2600 Hz tone is recorded on the CAMA tape. The tones
emitted by the Blue Box are not recorded on the CAMA tape. Therefore, because
the original call to the INWATS number is toll-free, no billing is rendered in
connection with the call.
The above are the steps in a normal operation of a Blue Box, but they may
vary in any one of the following ways:
A. The Blue Box may include a rotary dial to apply the 2600Hz tone and the
switching signals. This type of Blue Box is called a "dial pulser" or "rotary
SF" Blue box.
B. A magnetic tape recording may be used to record the Blue Box tones. Such a
tape recording could be used in lieu of a Blue Box to fraudulently place calls
to the phone numbers recorded on the magnetic tape.
All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes,
must have the following four common operating capabilities:
A. It be able to emit the 2600 Hz tone. This tone is used by the toll network
to
indicate, either by its presence or its absence, an "on hook" (idle) or "off
hook" (busy) condition of a trunk line.
B. The Blue Box must have a "KP" tones that unlocks or readies
the multi-frequency receiver at the called end to receive the
tones corresponding to the called phone number.
C. The Blue Box must be able to emit DTMF, tones used to transmit phone numbers
over the toll network. Each digit of a phone number is represented by a
combination of two tones. For example, the 2 is 700 Hz and 900 Hz.
D. The Blue Box must have an "ST" key which consists of a combination of two
tones that tell the equipment at the called end that all digits have been sent
and that the equipment should start connecting the call to the called number.
The following is a chart of the multi-frequency (MF) tones produced by the
normal Blue Box.
700 : 1 : 2 : 4 : 7 : 11 : 2600 X
900 : + : 3 : 5 : 8 : 12 :
1100 : + : + : 6 : 9 : KP :
1300 : + : + : + : 10 : KP2 :
1500 : + : + : + : + : ST :
: 700 : 900 :1100 :1300 :1500 :
The "Dial Pulser" or "Rotary SF" Blue Box requires only a dial
with a signalling capability to produce a 2600 Hz tone.
Pink Noise
Since telephone companies have such advanced equipment to detect Blue
Boxes, to help avoid detection "pink noise" is sometimes added to the 2600 Hz
tone.
Since 2600 Hz tones can be simulated in speech, the detection equipment of
the switching system must be attentive not to misinterpret speech as a
disconnect signal. Thus, a virtually
pure 2600 Hz tone is required for disconnect. This is also the reason why the
2600 Hz tone must be sent rapidly; sometimes, it will not work when the person
called is speaking. It is feasible, though, to send some "pink noise" along
with
the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise will
not reach the toll network, where we want our pure 2600 Hz to hit, but it will
go through the local CO and thus, the fraud detectors.
The Black Box
The Black Box is the easiest type to build. The box stops a call from
being
charged to some one only if it is hooked to the line of the person being
called.
In the normal telephone cable, there are four wires: a red, a green, a
black, and a yellow. The red & green wires are often referred to as tip (T) and
ring (R).
When a telephone is on-hook (hung up) there is approximately 48 volts of
DC
current (VDC) flowing through the tip and ring. When the handset of a phone is
lifted, switches close, causing a loop to be connected (which is known as the
"local loop,") between the telephone and the CO. Once this happens DC current
is able to flow through the telephone with less resistance. This causes a
relay
to energize and signal to other CO equipment that service is being requested.
Eventually, a dial tone is emitted. This also causes the 48 VDC to drop down
into the vicinity of 13 volts. The resistance of the loop also drops below the
2500 ohm level. Considering that this voltage and resistance drop is how the CO
detects that a telephone was taken off hook, how a Black Box works is by
allowing the voltage to drop enough to allow talking, but not enough to signal
to the CO equipment to start billing. To do this, a 10,000 Ohm, .5 Watt
resistor
is incorporated in the local loop on the called party's line.
The Red Box
A Red Box is a device that simulates the sound of a coin being accepted by
a payphone. When a coin is put in the slot of a payphone, the first obstacle is
the magnetic trap. This will stop any light-weight magnetic slugs. If it passes
this, the coin is then classed as a nickel, dime, or quarter. Each coin is then
checked for appropriate size and weight. If these tests are passed, it will
then
travel through a nickel, dime, or quarter magnet as proper. These magnets start
an eddy current effect which causes coins of the appropriate characteristics to
slow down so they will follow the correct trajectory.
If all goes well, the coin will follow the correct path, striking the
appropriate totalizer arm, causing a ratchet wheel to rotate once for every
5-cent increment (eg, a quarter will cause it to rotate 5 times). The totalizer
then causes the coin signal oscillator to readout a dual-frequency signal
indicating the value deposited to the Automated Coin Toll Service computer
(ACTS) or the Traffic Service Position System (TSPS) operator. These are the
tones emitted by the Red Box.
For a quarter, five beep tones are outpulsed for 66 milliseconds (ms). A
dime causes two beep tones for 33 ms, while a nickel causes one beep tone at
also 33 ms. A beep consists of two frequencies, 2200 Hz and 1700 Hz. As with a
Blue Box, Red Box tones can be recorded on a magnetic tape.
Since any call from a payphone is originated with a "ground test," in
which
the TSPS operator or the ACTS computer checks for the presence of the first
coin
inserted into the phone, by verifying use of the magnetic, weight, and size
traps, when using a Red Box, it is necessary to put in at least one coin.
The Cheese Box
A Cheese Box lets a normal telephone emulate a payphone. By emulating a
payphone, using a blue box now becomes safe, because if the CO equipment
recognizes the call as one from a payphone, it does not record it on a CAMA
tape. Since a normal telephone does not have a slot to enter coins, a Red Box
is
needed to generate the sound of a coin dropping.
V. Divertors
A divertor is a special service that allows businesses to "divert" calls
if
no one answers after a certain number of rings. For example, a person calls a
company, and nobody answers. After about three rings, a few clicks are heard,
then a few fainter rings are heard. The building receiving the call has changed
from the company to another building, usually somebody's house. What has
happened is that the call has been re-routed from building A to building B. In
effect, the number called is not really changed, but instead, building A has
answered the call, called building B, and connected the two lines together. If
the person in building B disconnects, the caller is still connected to building
A. With the way the divertor equipment works in the telephone company, the
phone
line of building A will then emit a dial tone and the caller has total control
of the line, and can originate another call, charging it to building A.
VI. Private Branch Exchanges
A Private Branch Exchange (PBX) is a system of out-WATS (Wide Area
Telephone Service) lines and in-WATS lines. An out-WATS line allows a business
to make as long-distance calls each month for a flat rate. An in-WATS line is a
toll-free number (800 number) that is also leased to businesses for flat rates.
PBX's save corporations much money when their salesmen, distributors, and
franchisees must make many calls from different parts of the country. It works
much like specialized common carriers (to be discussed later).
First, the employee calls the company on the in-WATS line. The switching
equipment picks up the phone, and send a tone to the employee indicating for
him
to enter the access code of the PBX. If the access code is correct, then the
line is connected to the out-WATS line, and the employee can make a call.
To use PBX's, phreakers must find the access code of the PBX. This can be
done very easily, since the code is usually only a few digits. One way is to
dial different combinations manually on the telephone keypad. The other way is
of the phreaker is the owner of a modem. A simple program can be easily written
to continuously dial digit combinations randomly or sequentially.
VII. Specialized Common Carriers
Ever since the break up of AT&T's monopoly on long-distance service, there
have been many other corporations that compete with AT&T in the long-distance
market, including Sprint, MCI, All-net, ITT, and Metrophone. These all boast
opportunities for large savings on long-distance calls. These companies are
called specialized common carriers (SCC's).
SCC's cost less because they do not use the AT&T's cable-based systems,
but
instead use microwave links. Some have also added fiber-optic lines to their
networks.
Another way they can save consumers money is by using AT&T's lines.
Instead
of connecting calls by the shortest route, the carrier will use a different
route, so the call goes through places where the long-distance traffic is
heavy,
and the rate is lower. The companies that do this are known as "resellers."
Most SCC's work nearly the same as PBX's. The 800 number is called, a tone
is heard, the private identification number (PIN) is entered, and then the call
can be made. The length of the PIN number can range from four digit to fourteen
digits.
Besides 800 toll free numbers, in some areas, a 950 can be used. A 950
works exactly the same as an 800 number, the only difference is that the
consumer must enter only seven digits before dialing his PIN number instead of
ten with a toll-free number. 950's are free of charge and can be used both at
home and at pay phones.
The PIN numbers can be found the same way as PBX access codes. Since the
number of digits in a PIN is so great, using a computer is much more common
practice than manual dialing.
The following pages are lists of SCC's and their dialups, formats, and
special points. Note that some have many different dialups.
=============================================================================
[ SCC Extenders List ]
[ 0-9 - Number of digits in code ]
[ [ ] - Dial that exact number ]
[ # - Area code + Prefix + Suffix ]
[ : - Dial tone ]
[ + - Continue dialing ]
=============================================================================
| Extender | Dialing Format | Company | Comments |
-----------------------------------------------------------------------------
| 800-223-0548 | 8+[1]+# | TDX | |
| 800-241-1129 | 8+[1]+# | TDX | |
| 800-248-6248 | 6+[1]+# | SumNet Systems | (800)824-3000 |
| 800-288-8845 | 7:[1]+# | TMC Watts | (800)999-3339 |
| 800-325-0192 | [1]+#+6 | MCI | 950-1986 |
| 800-325-1337 | 7:[1]+# | TMC Watts | |
| 800-325-7222 | 6+[1]+# | Max | (800)982-4422 |
| 800-325-7970 | 6+[1]+# | Max | (800)982-4422 |
| 800-327-4532 | 8+# | All-TelCo | |
| 800-327-9488 | #:13 | ITT | 950-0488 |
| 800-334-0193 | [9]+# | Piedmont | |
| 800-345-0008 | [0]+#:14 | US Sprint FON Cards |950-1033 also 9+#|
| 800-368-4222 | 8+# | Congress Watts Lines | |
| 800-437-7010 | 13 | GCI | |
| 800-448-8989 | 14+[1]+# | Call US | |
| 800-521-8400 | 8:# | TravelNet | 950-1088 (voice)|
| 800-541-2255 | 10 | MicroTel | |
| 800-547-1784 | 13 | AmericaNet | |
| 800-621-5640 | 6+[1]+# | ExpressTel | |
| 800-637-4663 | 5+[1]+# | TeleSave | |
| 800-821-6511 950-1033 also 9+#|
| 800-882-2255 | 6:[1]+# | AmeriCall | False Carrier |
| 800-950-1022 | [0]+#:14 | MCI Calling Card | |
| 800-992-1444 | 9+# | AllNet | 950-1444 |
=============================================================================
VIII. PC Pursuit
Many modem users know Telenet as a packet-switching network through which
they can connect to different telecommunication services throughout the country
for an hourly rate of $2. With PC Pursuit, Telenet uses the same method as
SCC's, but instead of using microwave links, the call is routed through
computers. Since it is routed through computers, the service can be used by
only
owners of modems. Instead of paying the hourly rate, the consumer needs only to
pay a flat monthly rate of $25.
Using PC Pursuit is a little more difficult than using SCC's, because now
instead of combinations of only ten different characters (0-9), the whole
alphabet can be used in the access code. The following is a chart showing the
steps to originate a typical PC Pursuit call.
How to Originate a PC Pursuit Call
First, the users dials the local Telenet Access Center, which can be found
by dialing Telenet customer service at 1-800-336-0437.
Then:
Note: (cr) signifies the carriage return on a computer keyboard.
Network Shows | User Types | Explanation
__________________|____________________________|_____________________________
| (cr) (cr) |
__________________|____________________________|_____________________________
TELENET | | Telenet network called and
XXX XXX | | your network address.
__________________|____________________________|_____________________________
TERMINAL= | "D1" (cr) | Enter "D1" or press (cr)
__________________|____________________________|_____________________________
@ | For 300 bps: | CONNECT command. To access
| "C(sp)DIALXXX/3,XXXX(cr)" | a PC Pursuit city type a PC
| | Pursuit access code and
| For 1200 bps: | your user ID.
| "C(sp)DIALXXX/12,XXXX(cr)" |
__________________|____________________________|_____________________________
PASSWORD= | "XXXXXX" (cr) | Type the password
__________________|____________________________|_____________________________
DIALXXX/X | "ATZ" (cr) | You are now connected to the
CONNECTED | | PCP city. Type ATZ (upper).
__________________|____________________________|____________________________
OK | "ATDTXXXXXXX" (cr) | Dials a number in PCP city
__________________|____________________________|____________________________
CONNECT | | Your are now connected to
| | your destination computer.
__________________|____________________________|____________________________
If the number dialed is busy, the user will see BUSY. To call another
number in the same city, the user types "ATZ." The network will answer OK. The
user then types "ATDTXXXXXXX" (cr) to dial the next number.
To connect to a different PC Pursuit City, when the user sees BUSY, he
types "@" (cr). When a @ appears, "D" (cr) is entered. This disconnects the
user
from the previous city. The user then follows the above procedures to dial
another city.
IX. Cellular Phone Fraud
Cellular phones have evolved considerably from previous systems.
Signaling
between mobile and base stations uses high-speed digital techniques and
involves
many different types of digital messages. The cellular phone contains its own
Mobile Identification Number (MIN), which is programmed by the seller or
service
shop and can be changed when, for example, the phone is sold to a new user. In
addition, the U.S. cellular standard incorporates a second number, the
Electronic Serial Number (ESN), which is intended to uniquely and permanently
identify the mobile unit.
According to the Electronic Industries Association (EIA) Interim Standard
IS-3-B, Cellular System Mobile Station Land Station Compatibility
Specification, the serial number is a 32-bit binary number that uniquely
identifies a mobile station to any cellular system. It must be factory-set and
not readily alterable in the field. The circuitry that provides the serial
number must be isolated from fraudulent contact and tampering. Attempts to
change the serial number circuitry should render the mobile station
inoperative.
The ESN was intended to solve two problems the industry observed with its
older systems. First, the number of subscribers that older systems could
support
fell far short of the demand in some areas, leading groups of users to share a
single mobile number (fraudulently) by setting several phones to send the same
identification. Carriers lost individual user accountability and their means
of
predicting and controlling traffic on their systems.
Second, systems had no way of automatically detecting use of stolen
equipment because thieves could easily change the transmitted identification.
In theory, the required properties of the ESN allow cellular systems to check
to
ensure that only the correctly registered unit uses a particular MIN, and the
ESNs of stolen units can be permanently denied service ("hot-listed"). This
measure is an improvement over the older systems, but vulnerabilities remain.
ESN Tampering
Although the concept of the unalterable ESN is laudable in theory,
weaknesses are apparent in practice. Many cellular phones are not constructed
so that attempts to change the serial number circuitry renders the mobile
station inoperative. Contrary to this statement, swapping of one ESN chip for
another in a unitcellular switch's database. With the right equipment, the ESN/MIN pair can be
read right off the air because the mobile transmits it each time it originates
a
call. Service shops can capture this information using test gear that
automatically receives and decodes the reverse, or mobile-to-base, channels.
Another way to obtain the numbers is from service shops. Service shops
keep
ESN/MIN records on file for units they have sold or serviced, and the carriers
also have these data on all of their subscribers. Unscrupulous employees could
compromise the security of their customers' telephones by obtaining these
records.
In many ways, trade in illegally obtained ESN/MIN pairs could, in the
future, resemble what currently transpires in the long distance telephone
business with AT&T credit card numbers and alternate long-distance carrier
(such
as MCI, Sprint and Alltel) account codes. Code numbers are swapped among
friends, published on computer bulletin boards and trafficked by career
criminal
enterprises.
X. CN/A's
CN/A's, which stands for Customer Names and Addresses, are bureaus that
exist so that authorized Bell employees can find out the name and address of
any
customer in the Bell System. All phone numbers are maintained on file
including
unlisted numbers.
To find the owner of any number, the person first must call the local CN/A
during business hours. Then he must pretend to be from a registered business,
and ask for the owner of the number. In some states, though, the operator will
ask for an ID number. In these cases, one must be guessed at.
There is also a type of reverse CN/A bureau, which is usually called a NON
PUB DA or TOLL LIB. With these numbers, somebody can find unpublished numbers
if
the caller gives the operator the name and locality. These are considerably
harder to use, since the operator will then request the caller's name,
supervisors name, etc.
The following is a list of current CN/A's.
_____________________________________________________________________________
1988 CN/A List (subject to change)
_____________________________________________________________________________
Area: CN/A Area: CN/A Area: CN/A
201: 201-676-7070 202: 304-343-7016 203: 203-789-6815
204: 204-949-0900 205: 205-988-7000 206: 206-345-4082
207: 617-787-5300 208: 303-293-8777 209: 415-781-5271
212: 518-471-8111 213: 415-781-5271 214: 214-464-7400
215: 412-633-5600 216: 614-464-0519 217: 217-789-8290
218: 402-221-7199 219: 317-265-4834 301: 304-343-1401
302: 412-633-5600 303: 303-293-8777 304: 304-344-8041
305: 912-752-2000 307: 303-293-8777 308: 402-221-7199
309: 217-525-7000 312: 312-796-9600 313: 313-424-0900
314: 816-275-8460 315: 518-471-8111 316: 913-276-6708
317: 317-265-4834 318: 504-245-5330 319: 402-221-7199
401: 617-787-5300 402: 402-221-7199 403: 403-425-2652
404: 912-752-2000 405: 405-236-6121 406: 303-293-8777
408: 415-546-1341 412: 412-633-5600 413: 617-787-5300
414: 608-252-6932 415: 415-781-5271 416: 416-443-0542
417: 816-275-8460 418: 614-464-0123 419: 614-464-0519
501: 405-236-6121 502: 502-583-2861 503: 206-345-4082
504: 504-245-5330 505: 303-293-8777 506: 506-657-3855
507: 402-380-2255 509: 206-345-4082 512: 512-828-2501
513: 614-464-0519 514: 514-394-7440 515: 402-221-7199
516: 518-471-8111 517: 313-424-0900 518: 518-471-8111
519: 416-443-0542 601: 601-961-8139 602: 303-293-8777
603: 617-787-5300 604: 604-432-2996 605: 402-221-7199
606: 502-583-2861 607: 518-471-8111 608: 608-252-6932
609: 201-676-7070 612: 402-221-7199 613: 416-443-0542
614: 614-464-0519 615: 615-373-5791 616: 313-424-0900
617: 617-787-5300 618: 217-525-7000 619: 415-781-5271
701: 402-221-7199 702: 415-543-2861 703: 304-344-7935
704: 912-752-2000 705: 416-443-0542 707: 415-781-5271
712: 402-221-7199 713: 713-961-2397 714: 213-995-0221
715: 608-252-6932 716: 518-471-8111 717: 412-633-5600
718: 518-471-8111 801: 303-293-8777 802: 617-787-5300
803: 912-784-9111 804: 304-344-7935 805: 415-781-5271
806: 512-828-2501 808: 212-226-5487 809: 404-751-8871
812: 317-265-4834 813: 813-228-7871 814: 412-633-5600
815: 217-789-8290 816: 816-275-8460 817: 214-464-7400
819: 514-861-6391 901: 615-373-5791 902: 902-421-4110
904: 912-752-2000 906: 313-424-0900 912: 912-752-2000
914: 518-471-8111 916: 415-781-5271 918: 405-236-6121
_____________________________________________________________________________
XI. Loops
The loop is an alternative communication medium that has many potential
uses. Loops are phone lines that are connected when they are called
simultaneously. One use is when somebody wants another person to call them back
but is reluctant to give out their home phone number (eg., if they were on a
party line).
Loops are found in pairs that are usually close to each other (eg.,
718-492-9996 and 718-492-9997). On a loop, one line is the high end, and the
other is the low end. The high end is always silent. The tone disappears on
the
low end when somebody calls the high end.
It is truly only safe to use a loop during non-business hours. During
business, loops are used to test equipment by various telephone companies and
local CO's.
XII. Alliance Teleconferencing
Alliance Teleconferencing is an independent company which allows the
general public to access and use its conferencing equipment.
Billing an Alliance Conference
Alliance Teleconferencing is accessed by dialing 0-700-456-1000 in most
states. In some states, the first and last digits of the suffix vary. There are
four main ways to use Alliance illegally. The first is through a PBX. Some
allow
use of the 700 exchange, but many do not.
The second way is with a Blue Box. After seizing the line,
KP-0-700-456-1000-ST is dialed. The equipment now thinks that Alliance has been
dialed from a switchboard and bills the conference to it.
The third way is to a loop. After being connected to Alliance, the caller
contacts the operator by pressing 0. The caller then can ask for the conference
to billed to another number, giving the operator the number of the high-end of
a
loop. The operator will then call the loop. A friend of the phreaker must be
prepared to answer the call by calling the low-end. When the friend answers and
accepts the billing, the conference will be billed to the loop.
The fourth way is from a divertor. Since the divertor is a normal,
home-type line, the phreaker should not have any problems starting a
conference.
Starting a Conference
When Alliance answers, a two-tone combination is emitted. The caller then
types a two digit combination to tell the equipment how many people will be in
the conference, including the originator. Then either # is pressed to continue
or * is pressed to cancel the conference. To dial a each conferee, the phreaker
simply answers each prompt with the phone number of the corresponding person.
To join the conference, the originator enters #, and to return to control
mode, he enters # again. To transfer control of the conference, #+6+1+ the
phone
number of the person you wish to transfer the control to. To end the
conference,
the phreaker presses the * button.
XIII. Telephone System Security Measures
To stop telephone fraud, there are many measures which telephone companies
can apply to identify and convict the phone phreaker.
ESS Detection Devices
Telephone companies have had twenty years to work on detection devices;
therefore, they are well refined. Basically, the detection devices will look
for the presence of 2600 Hz where it does not belong, which is in the local CO.
It then records the calling number and all activity after the 2600 Hz.
Automatic Number Identification and the Centralized Automatic Message
Accounting Tapes
Automatic Number Identification (ANI) is an implement in ESS that can
instantly identify the calling party. For every call that is made, information
including the numbers of the calling and receiving parties, the time of
origination of the call, if the called party answered the call, and the time
when the caller has hung-up is recorded on a tape in the Centralized Automatic
Message Accounting (CAMA) office. This includes wrong numbers, toll-free
numbers, and local calls. This tape is then processed for billing purposes.
Normally, all free calls are ignored, but the billing equipment has been
programmed to recognize many different types of unusual activity. One checks if
a certain 800 number is called excessively. If the number is an SCC, the
equipment can instantly check if the caller is a subscriber of the SCC. If it
is
not, it will alert the company of the illegal activity. Another is if there is
a
call where the calling party has stayed off-hook for a large amount of time,
but
the called party never answers. The equipment recognizes this as possible use
of
a Black Box.
Dialed Number Recorders
Placing a Dialed Number Recorders (DNR) on a telephone line is standard
procedure when telephone fraud is suspected. The most common DNR's can do the
following: print all touch tone digits sent (in suspected illegal use of an
SCC), print out all MF and record the presence of 2600hz on the line (in
suspected use of a Blue Box), and activate a tape recorder for a specific
amount
of time.
Trap Codes
Trap codes are decoy PIN numbers. If a telephone company find that a
certain PIN number is being used illegally, it will call the real owner and
notify him of the change in his account number. The company will then contact
the FBI to bring their telephone trace equipment. There are very many different
types of tracing equipment that exist today, which are nearly impossible to
detect or evade. The only reason why tracing is not used often is that the FBI
charges a very high fee for use of its equipment.
The Lock In Trace
One very old trace type is the "lock in" trace. A lock in trace is a
device
used by the FBI to lock into the phone user's location. Since all phone
connections are held open by a certain voltage of electricity,
the lock in trace works by patching into the line and generate the same voltage
into the lines. If the caller tries to hang up, voltage is retained. The phone
will continue to ring as if someone was calling even after the call is
disconnected. The trunk then remains open and the call can be traced. The FBI
sets its equipment so that the next time the PIN number is illegally used, the
call goes through, but while the communication is proceeding, the FBI traces
the
call.
Stopping a Lock In Trace
Stopping a lock in trace is theoretically very simple. If the voltage in
the line could be lowered, the trace could not function, since lowering the
voltage would also probably short out the voltage generator. Therefore, any
appliance which uses many volt can be connected to the red and green wires in a
wall jack, and the trace should be removed.
4Tel
4Tel is an add on from GTE which can attach to GTD#5 electronic switching
systems. It's main function is to automatically find problems with the exchange
it is connected 24 hours a day. Most phone companies in Canada using it and
most
of the local phone companies in New York and other largely populated states in
the US now use it, as it is extremely advanced (it was designed by Telecom
Canada.) Besides detecting dead grounds and leds and killing power surges, 4Tel
can also detect exchange scanning (war dialing), because it treats 4000 numbers
excuting out of a single phone trunk in a small period of time with the same
time interval between each number as an error, and will log the calling party's
number to the telco's computer.
This also applies to extender or PBX hacking.
Evading 4Tel
To avoid detection By 4Tel, the following steps should be taken when
hacking codes for SCC's and PBX's.
1. Always fill a random block in a range of 9999
2. Modify programs to have a random interval set between each number dialed.
3. Limit hacking to 2000 calls per night.
4. Do not have the modem send a carrier after each number, since 4Tel will
treat it as a 1000 hz tone, and will think somebody is illegally using a
loop.
Plus One Service
A new way that large SCC's may stop code hacking is the installation of a
plus one service. With this service, the use of access codes is removed, and
use
of the SCC's services no longer require a subscription. Plus one service works
by having the user access the network by a toll-free number. When the caller
has
entered the network, his number is found via ANI. The name and address is then
found via CN/A, and the bill is sent to the user. Two companies, Sprint and
MCI,
have already installed their plus-one services, and more will follow.
*Note: In around February, 1988, many phreakers aquired many Sprint Plus
One access numbers and mistakenly thought that they were Sprint "Back-doors."
Their mistake was realized when afterward, they were sent bills for the call
that they made.
Reference in New Issue Copy Permalink