Phone Fraud
£117,000 Phonecard Scam Smashed
Dateline: 2355 Hrs 12 June 1998
A cloned phonecard scam ring was smashed by Irish police on Thursday (11th). The scam, which had been in operation for nine months, had netted an estimated £117,000 apparently was only detected by Telecom Eireann a few weeks ago. Eight people were arrested and fourteen premises were searched. Those arrested, six men and two women were later released without charge. They had been arrested under the Criminal Damage Act for alleged damage to data and computers and were held for twelve hours. A file on the case being prepared for the Director of Public Prosecutions. The police raided the rented premises that the gang were using in Edenmore shopping centre in Raheney,Dublin as headquarters for their operation. Other arrests were made in the Raheney area and on the southside of Dublin. Computer equipment and phonecard emulators were seized in the course of the raids.
The scam involved a bogus company running premium rate phonelines and cloned phonecards. The suspects set up a 1580 premium line service, a helpline for computer users, and used the cloned phonecards to dial this number from telephone kiosks. By using phonecard emulators, the suspects avoided having to pay for the calls. It was simply a case of resetting the phonecard emulator.
The suspects had used what appeared to be 100 unit phonecards to dial the premium line service. This in itself was strange since many shops do not specifically stock the 100 unit phonecards, preferring instead to go for the faster selling 10 and 20 unit cards. All of the calls to the lines had been made from card phones rather than business or residential numbers. The bogus company had not advertised the line so there was no real reason for the apparent success of the service.
A few weeks ago, a Telecom Eireann official had noticed the strange traffic patterns. After having confirmed that a fraud was being perpetrated, Telecom Eireann called in the Irish police, (the Gardai). An investigation, codenamed Operation Kiosk, into the scam commenced. A surveillance operation by the Garda Bureau of Fraud Investigation identified those involved. Apparently all 38 members of the bureau, led by Detective Superintendent Willie McGee were involved in the operation. In a national newspaper, The Irish Independent, one Fraud Bureau source described the operation to the paper's security correspondent Tom Brady as being "a complicated scam that could have continued for a long time except for the vigilance of the Telecom official.".
Scam Highlights Serious Flaws In Telecom Eireann Security
The scam highlighted serious flaws in the security of Telecom Eireann's phonecard enterprise. The detection of the scam appears to have hinged on a chance discovery of a suspicious traffic pattern. The fact that it was discovered probably owes more to the greed of those involved than the vigilance of Telecom Eireann. By using what appeared to be large value phonecards and making calls only from phonecards, it was only a matter of time before the scam was detected. The strange thing about this is that the scam continued for approximately eight months apparently undetected by Telecom Eireann.
The telephone cards used in Ireland by Telecom Eireann are simple EPROM devices though some of the newer EEPROM cards are believed to have been used. The suspects cloned these cards using, it is believed, easily available details. The details of how to clone phonecards have been available on Bulletin Board Systems (BBSes) and the internet for at least ten years. Most of the recent designs have used the PIC16C84 as the microcontroller.
Since the phonecard was introduced by France Telecom in the mid eighties, the problems of security have been well known. Even Telecom Eireann would have known about the insecurities. FAQs and documents concerning the operation of phonecards were posted on BBSes, FTP sites and websites so the timing details of the cards were commonly known. It was only a short step to implement a phonecard emulation using a microcontroller.
The first hack on these devices was simply preventing the write voltage from getting to the Vpp on the card. Various tricks were used ranging from nail varnish to masking tape were used. The manufacturers and the Telco quickly became aware of this and implemented countermeasures.
As the telcos introduced new countermeasures, the phreakers and hackers developed new responses. Early emulators used discrete solutions but with the advent of cheap microcontrollers, more sophisticated hacker solutions appeared. At first 68705 based emulators appeared though with the large pirate satellite tv market, the commonly used PIC16C84 became the microcontroller of choice.
The only strange thing about this whole episode is that phonecard piracy has not affected Telecom Eireann on a far greater basis. Then again, how would they know?
|
