TAP YIPL

home *** CD-ROM | disk | FTP | other *** search

/ TAP YIPL / TAP_and_YIPL_Collection_CD.iso / PHREAK / GENERAL / PH08.TXT < prev next >

Wrap

Text File | 1992-06-16 | 46KB | 780 lines

<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <*> Joe Cosmo Presents..... <*> <*> <*> <*> Methods of Phreaking and Telco Security Measures <*> <*> <*> <*> June 16, 1988 1:30 am <*> <*> <*> <*> (updated 7/3/88 for CN/A list & Plus One Service) <*> <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> (formatted to 80 Columns) Dedication: This phile is dedicated to all those great phreakers who taught me all of this, and to all of the newcomers being born to the phreak world. For the legends, it is here as their legacy, and for the newcomers, I hope they will use it as their guide in times of trouble, and may there always be phreakers in the world. TABLE OF CONTENTS CHAPTER I. Introduction: What Telephone Fraud Is II. Who Does It and Why III. The Systems That Are Fooled IV. Electronic Toll Fraud How Boxes Work The Blue Box Operation of a Blue Box Pink Noise The Black Box The Red Box The Cheese Box V. Divertors VI. Private Branch Exchanges VII. Specialized Common Carriers SCC Extenders List VIII. PC Pursuit How to Originate a PC Pursuit Call IX. Cellular Phone Fraud ESN Tampering Obtaining ESN's X. CN/A's CN/A List (updated 7/3/88) XI. Loops XII. Alliance Teleconferencing Billing an Alliance Conference Starting a Conference XIII. Telephone System Security Measure ESS Detection Devices Automatic Number Identification and Centralized Automatic Message Accounting Tapes Dialed Number Recorders Trap Codes The Lock In Trace Stopping a Lock In Trace 4Tel (Updated 6/24/88 Thanx to Touch Tone of BC, Canada) Evading 4Tel Plus One Service (updated 7/3/88) Common Channel Inter-office Signaling XIV. Laws Governing the Rights of Phreakers XV. Conclusion I. Introduction: What Telephone Fraud Is Telephone fraud is illegally using the communication facilities of telephone companies. This is commonly known as "phreaking." The writer's purpose is to explore the methods of phreaking, and the various security measures of telephone companies. II. Who Does It and Why The majority of people who phreak are owners of modems (MOdulators DEModulators, devices which allow computers to communicate over telephone lines) and are usually between the ages of twelve and seventeen. When the person reaches age eighteen, he or she usually stops, since after that age, if the person in caught, the penalty can become very serious. Phreaking is the violation of the law on Fraud In Connection With Access Devices, which carries maximum penalties of 15 years imprisonment and a fine of $50,000, or twice the value of the fraudulent activity. Scattered throughout the country are many different computer bulletin board systems, or BBS's. These are computer systems established by private users or large organizations for the exchange of public and private messages and software. Most are not a local call, though. Since the normal user calls about ten different BBS's, with even the lowest long-distance rates, the phone bill each month can range from $100 to $1000. The solution is to phreak. When these people learn how to phreak, they also realize that besides making free long-distance calls from their home, they can also make free calls from payphones. They also find that there are many other facilities that they can used without paying. III. The Systems That Are Fooled Their are three types of telephone operating systems in the U.S., Step by Step (SxS), Crossbar (XB), and Electronic Switching System (ESS). They are described in detail in the following paragraphs. Step by Step Step by Step (SxS) was the first switching system used in America, adopted in 1918 and until 1978 Bell had over 53% of all exchanges using Step by Step. A long, and confusing train of switches is used for SxS switching. Disadvantages A. The switch train may become jammed, blocking calls. B. No DTMF (Dual-Tone Multi-Frequency), to be discussed later. C. Much maintenance and much electricity. D. No "Touch-Tone" dialing. Identification A. No pulsing digits after dialing or "Touch Tone". B. Much static in the connections. C. No Speed calling, Call forwarding, and other services. D. Pay-phone wants money first before dial-tone. Crossbar Crossbar has been Bell's primary switcher after 1960. Three types of Crossbar switchings exist, Number 1 Crossbar (1XB), Number 4 Crossbar (4XB), and Number 5 Crossbar (5XB). A switching matrix is used for all of the phones in an area. When someone calls, the route is determined and is connected with the other phone. The matrix is positioned in horizontal and vertical paths, organizing the train of switches more effectively, and therefore, stopping the equipment from jamming. There are no definite distinguishing features of Crossbar switchings from Step by Step. Electronic Switching System ESS is the most advanced system employed, and has gone through many kinds of revisions. The latest system to date is ESS 11a, which is used in Washington D.C. for security reasons. ESS is the country's most advanced switching system, and has the highest security system of all. With its many special features, it is truly the phreaker's nightmare. Identification A. Dialing 911 for emergencies. B. Dial-tone first for pay-phones. C. Calling services, including Call forwarding, Speed dialing, and Call waiting. D. Automatic Number Identification for long-distance calls (ANI), to be discussed later. E. "Touch Tone" IV. Electronic Toll Fraud The ETF's are electrical devices used to get free long-distance calls. The devices are more commonly known as colored boxes, and using them is known as "boxing." Boxing is one of the oldest way to phreak, and therefore, it is also the most dangerous, since the telephone companies are very much aware of their existence. Colored boxes are not used only for phreaking. There are many types which have other uses (such as the Tron Box, which lowers your electric bill), so only those used in telephone fraud will be discussed. How Boxes Work In the beginning, all long distance calls were connected manually by operators who passed on the called number verbally to other operators in series. This is because pulse (rotary) digits are created by causing breaks in the DC current. Since long distance calls call for routing through various switching equipment and AC voice amplifiers, pulse dialing cannot be used to send the destination number to the end local office (CO). Eventually, the demand for faster and more efficient long distance service caused Bell to make a multi-billion dollar decision. They had to create a signaling system that could be used on the LD Network. They had two options: {1} To send all the signaling and supervisory information (eg., ON and OFF HOOK) over separate data links. This type of signaling is referred to as out-of-band signaling. {2} To send all the signaling information along with the conversation using tones to represent digits. This type of signaling is called in-band signaling. The second seemed to be the most economical choice, and so, it was incorporated in ESS. Then, in the 1960's, when the first ESS systems were employed, a toy whistle was put in each box of Captain Crunch Cereal as a premium. A young radio technician in the United States Air Force became fascinated with the whistle when he discovered that by blowing it into the telephone after dialing any long distance number, the trunk line would remain open without toll charges accounting. From then on, any number could be dialed for free. The truth was that the whistle produced a perfect-pitch 2600 Hz tone, the one used to signify a disconnect in ESS switching equipment. To overcome the initial charge for the for the long distance call, he later used toll-free 800 numbers. Being a skilled technician, Captain Crunch (he began to use the name as an alias) soon went beyond the simple whistle and experimented with other frequencies, creating many of the boxes discussed in the following paragraphs. The Blue Box The "Blue Box" was so named because of the color of the first one discovered by the authorities. The design and hardware used in the Blue Box is very sophisticated, and its size varies from a large piece of apparatus to a miniaturized unit that is approximately the size of a "king size" package of cigarettes. The Blue Box contains 12 or 13 buttons or switches that emit the multi-frequency tones used in the normal operation of the telephone toll (long distance) switching network. In effect, the the Blue Box can let a person become the operator of a phone line. The Blue Box enables its user to originate fraudulent toll calls by circumventing (fooling) toll billing equipment. The Blue Box may be directly connected to a phone line, or it may be acoustically coupled to a telephone handset by placing the Blue Box's speaker next to the transmitter, or the telephone handset. Operation of a Blue Box To understand the steps of a fraudulent Blue Box call, it is necessary to understand the basic operation of the Direct Distance Dialing (DDD) telephone network. When a DDD call is originated, the calling number is identified as an integral part of establishing the connection. This may be done either automatically by ANI in ESS, or in some cases, by an operator asking the calling party for his telephone number. This information is entered on a tape in the Centralized Automatic Message Accounting (CAMA) office. This tape also contains the number assigned to the trunk line over which the call is to be made. The information relating to the call contained on the tape includes the called number's identification, time of origination of the call, and if the called number answered the call. The time of disconnect is also recorded. The various data entries with of the call are correlated to provide billing information for use by the caller's telephone company's accounting department. The typical Blue Box user usually dials a number that will route the call into the telephone network without charge. For example, the user will very often call a well-known INWATS (toll-free) number. The Blue Box user, after gaining this access to the network when somebody picks up and in effect, "seizing" control of the line, operates a key on the Blue Box which emits a 2600 Hertz (cycles per second, abbreviated as Hz) tone. This tone causes the switching equipment to release the connection to the INWATS customer's line. The 2600 Hz tone is the signal to the switching system that the calling party has hung up. In fact though, the local trunk on the calling party's end is still connected to the toll network. The Blue Box user now operates the "KP" (Key Pulse) key on the Blue Box to notify the toll switching equipment that switching signals are about to be emitted. The user then pushes the "number" buttons on the Blue Box corresponding to the telephone number being called. After doing so, he/she operates the "ST" (Start) key to tell the switching equipment that signaling is complete. If the call is completed, only the portion of the original call prior to the operation of the 2600 Hz tone is recorded on the CAMA tape. The tones emitted by the Blue Box are not recorded on the CAMA tape. Therefore, because the original call to the INWATS number is toll-free, no billing is rendered in connection with the call. The above are the steps in a normal operation of a Blue Box, but they may vary in any one of the following ways: A. The Blue Box may include a rotary dial to apply the 2600Hz tone and the switching signals. This type of Blue Box is called a "dial pulser" or "rotary SF" Blue box. B. A magnetic tape recording may be used to record the Blue Box tones. Such a tape recording could be used in lieu of a Blue Box to fraudulently place calls to the phone numbers recorded on the magnetic tape. All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, must have the following four common operating capabilities: A. It be able to emit the 2600 Hz tone. This tone is used by the toll network to indicate, either by its presence or its absence, an "on hook" (idle) or "off hook" (busy) condition of a trunk line. B. The Blue Box must have a "KP" tones that unlocks or readies the multi-frequency receiver at the called end to receive the tones corresponding to the called phone number. C. The Blue Box must be able to emit DTMF, tones used to transmit phone numbers over the toll network. Each digit of a phone number is represented by a combination of two tones. For example, the 2 is 700 Hz and 900 Hz. D. The Blue Box must have an "ST" key which consists of a combination of two tones that tell the equipment at the called end that all digits have been sent and that the equipment should start connecting the call to the called number. The following is a chart of the multi-frequency (MF) tones produced by the normal Blue Box. 700 : 1 : 2 : 4 : 7 : 11 : 2600 X 900 : + : 3 : 5 : 8 : 12 : 1100 : + : + : 6 : 9 : KP : 1300 : + : + : + : 10 : KP2 : 1500 : + : + : + : + : ST : : 700 : 900 :1100 :1300 :1500 : The "Dial Pulser" or "Rotary SF" Blue Box requires only a dial with a signalling capability to produce a 2600 Hz tone. Pink Noise Since telephone companies have such advanced equipment to detect Blue Boxes, to help avoid detection "pink noise" is sometimes added to the 2600 Hz tone. Since 2600 Hz tones can be simulated in speech, the detection equipment of the switching system must be attentive not to misinterpret speech as a disconnect signal. Thus, a virtually pure 2600 Hz tone is required for disconnect. This is also the reason why the 2600 Hz tone must be sent rapidly; sometimes, it will not work when the person called is speaking. It is feasible, though, to send some "pink noise" along with the 2600 Hz. Most of this energy should be above 3000 Hz. The pink noise will not reach the toll network, where we want our pure 2600 Hz to hit, but it will go through the local CO and thus, the fraud detectors. The Black Box The Black Box is the easiest type to build. The box stops a call from being charged to some one only if it is hooked to the line of the person being called. In the normal telephone cable, there are four wires: a red, a green, a black, and a yellow. The red & green wires are often referred to as tip (T) and ring (R). When a telephone is on-hook (hung up) there is approximately 48 volts of DC current (VDC) flowing through the tip and ring. When the handset of a phone is lifted, switches close, causing a loop to be connected (which is known as the "local loop,") between the telephone and the CO. Once this happens DC current is able to flow through the telephone with less resistance. This causes a relay to energize and signal to other CO equipment that service is being requested. Eventually, a dial tone is emitted. This also causes the 48 VDC to drop down into the vicinity of 13 volts. The resistance of the loop also drops below the 2500 ohm level. Considering that this voltage and resistance drop is how the CO detects that a telephone was taken off hook, how a Black Box works is by allowing the voltage to drop enough to allow talking, but not enough to signal to the CO equipment to start billing. To do this, a 10,000 Ohm, .5 Watt resistor is incorporated in t{b= 1loop on the called party's line. The Red Box A Red Box is a device that simulates the sound of a coin being accepted by a payphone. When a coin is put in the slot of a payphone, the first obstacle is the magnetic trap. This will stop any light-weight magnetic slugs. If it passes this, the coin is then classed as a nickel, dime, or quarter. Each coin is then checked for appropriate size and weight. If these tests are passed, it will then travel through a nickel, dime, or quarter magnet as proper. These magnets start an eddy current effect which causes coins of the appropriate characteristics to slow down so they will follow the correct trajectory. If all goes well, the coin will follow the correct path, striking the appropriate totalizer arm, causing a ratchet wheel to rotate once for every 5-cent increment (eg, a quarter will cause it to rotate 5 times). The totalizer then causes the coin signal oscillator to readout a dual-frequency signal indicating the value deposited to the Automated Coin Toll Service computer (ACTS) or the Traffic Service Position System (TSPS) operator. These are the tones emitted by the Red Box. For a quarter, five beep tones are outpulsed for 66 milliseconds (ms). A dime causes two beep tones for 33 ms, while a nickel causes one beep tone at also 33 ms. A beep consists of two frequencies, 2200 Hz and 1700 Hz. As with a Blue Box, Red Box tones can be recorded on a magnetic tape. Since any call from a payphone is originated with a "ground test," in which the TSPS operator or the ACTS computer checks for the presence of the first coin inserted into the phone, by verifying use of the magnetic, weight, and size traps, when using a Red Box, it is necessary to put in at least one coin. The Cheese Box A Cheese Box lets a normal telephone emulate a payphone. By emulating a payphone, using a blue box now becomes safe, because if the CO equipment recognizes the call as one from a payphone, it does not record it on a CAMA tape. Since a normal telephone does not have a slot to enter coins, a Red Box is needed to generate the sound of a coin dropping. V. Divertors A divertor is a special service that allows businesses to "divert" calls if no one answers after a certain number of rings. For example, a person calls a company, and nobody answers. After about three rings, a few clicks are heard, then a few fainter rings are heard. The building receiving the call has changed from the company to another building, usually somebody's house. What has happened is that the call has been re-routed from building A to building B. In effect, the number called is not really changed, but instead, building A has answered the call, called building B, and connected the two lines together. If the person in building B disconnects, the caller is still connected to building A. With the way the divertor equipment works in the telephone company, the phone line of building A will then emit a dial tone and the caller has total control of the line, and can originate another call, charging it to building A. VI. Private Branch Exchange A Private Branch Exchange (PBX) is a system of out-WATS (Wide Area Telephone Service) lines and in-WATS lines. An out-WATS line allows a business to make as long-distance calls each month for a flat rate. An in-WATS line is a toll-free number (800 number) that is also leased to businesses for flat rates. PBX's save corporations much money when their salesmen, distributors, and franchisees must make many calls from different parts of the country. It works much like specialized common carriers (to be discussed later). First, the employee calls the company on the in-WATS line. The switching equipment picks up the phone, and send a tone to the employee indicating for him to enter the access code of the PBX. If the access code is correct, then the line is connected to the out-WATS line, and the employee can make a call. To use PBX's, phreakers must find the access code of the PBX. This can be done very easily, since the code is usually only a few digits. One way is to dial different combinations manually on the telephone keypad. The other way is of the phreaker is the owner of a modem. A simple program can be easily written to continuously dial digit combinations randomly or sequentially. VII. Specialized Common Carriers Ever since the break up of AT&T's monopoly on long-distance service, there have been many other corporations that compete with AT&T in the long-distance market, including Sprint, MCI, All-net, ITT, and Metrophone. These all boast opportunities for large savings on long-distance calls. These companies are called specialized common carriers (SCC's). SCC's cost less because they do not use the AT&T's cable-based systems, but instead use microwave links. Some have also added fiber-optic lines to their networks. Another way they can save consumers money is by using AT&T's lines. Instead of connecting calls by the shortest route, the carrier will use a different route, so the call goes through places where the long-distance traffic is heavy, and the rate is lower. The companies that do this are known as "resellers." Most SCC's work nearly the same as PBX's. The 800 number is called, a tone is hearl, the private identification number (PIN) is entered, and then the call can be made. The length of the PIN number can range from four digit to fourteen digits. Besides 800 toll free numbers, in some areas, a 950 can be used. A 950 works exactly the same as an 800 number, the only difference is that the consumer must enter only seven digits before dialing his PIN number instead of ten with a toll-free number. 950's are free of charge and can be used both at home and at pay phones. The PIN numbers can be found the same way as PBX access codes. Since the number of digits in a PIN is so great, using a computer is much more common practice than manual dialing. The following pages are lists of SCC's and their dialups, formats, and special points. Note that some have many different dialups. ============================================================================= { SCC Extenders List } { 0-9 - Number of digits in code } { { } - Dial that exact number } { # - Area code + Prefix + Suffix } { : - Dial tone } { + - Continue dialing } ============================================================================= \ Extender \ Dialing Format \ Company \ Comments \ ----------------------------------------------------------------------------- \ 800-223-0548 \ 8+{1}+# \ TDX \ \ \ 800-241-1129 \ 8+{1}+# \ TDX \ \ \ 800-248-6248 \ 6+{1}+# \ SumNet Systems \ (800)824-3000 \ \ 800-288-8845 \ 7:{1}+# \ TMC Watts \ (800)999-3339 \ \ 800-325-0192 \ {1}+#+6 \ MCI \ 950-1986 \ \ 800-325-1337 \ 7:{1}+# \ TMC Watts \ \ \ 800-325-7222 \ 6+{1}+# \ Max \ (800)982-4422 \ \ 800-325-7970 \ 6+{1}+# \ Max \ (800)982-4422 \ \ 800-327-4532 \ 8+# \ All-TelCo \ \ \ 800-327-9488 \ #:13 \ ITT \ 950-0488 \ \ 800-334-0193 \ {9}+# \ Piedmont \ \ \ 800-345-0008 \ {0}+#:14 \ US Sprint FON Cards \950-1033 also 9+#\ \ 800-368-4222 \ 8+# \ Congress Watts Lines \ \ \ 800-437-7010 \ 13 \ GCI \ \ \ 800-448-8989 \ 14+{1}+# \ Call US \ \ \ 800-521-8400 \ 8:# \ TravelNet \ 950-1088 (voice)\ \ 800-541-2255 \ 10 \ MicroTel \ \ \ 800-547-1784 \ 13 \ AmericaNet \ \ \ 800-621-5640 \ 6+{1}+# \ ExpressTel \ \ \ 800-637-4663 \ 5+{1}+# \ TeleSave \ \ \ 800-821-6511 \ 5+{1}+# \ American Pioneer \ (800)852-4154 \ \ 800-821-6629 \ 6+{1}+# \ Max \ (800)982-4422 \ \ 800-821-7961 \ 6+{1}+# \ Max \ (800)982-4422 \ \ 800-826-7397 \ 6:{1}+# \ Call U.S. \ \ \ 800-858-4009 \ 6+{1}+# \ NTS \ Voice \ \ 800-862-2345 \ 7:{1}+# \ TMC \ \ \ 800-877-8000 \ {0}+#:14 \ US Sprint Calling Card\950-1033 also 9+#\ \ 800-882-2255 \ 6:{1}+# \ AmeriCall \ False Carrier \ \ 800-950-1022 \ {0}+#:14 \ MCI Calling Card \ \ \ 800-992-1444 \ 9+# \ AllNet \ 950-1444 \ ============================================================================= VIII. PC Pursuit Many modem users know Telenet as a packet-switching network through which they can connect to different telecommunication services throughout the country for an hourly rate of $2. With PC Pursuit, Telenet uses the same method as SCC's, but instead of using microwave links, the call is routed through computers. Since it is routed through computers, the service can be used by only owners of modems. Instead of paying the hourly rate, the consumer needs only to pay a flat monthly rate of $25. Using PC Pursuit is a little more difficult than using SCC's, because now instead of combinations of only ten different characters (0-9), the whole alphabet can be used in the access code. The following is a chart showing the steps to originate a typical PC Pursuit call. How to Originate a PC Pursuit Call First, the users dials the local Telenet Access Center, which can be found by dialing Telenet customer service at 1-800-336-0437. Then: Note: (cr) signifies the carriage return on a computY.Z+e =I9 Network Shows \ User Types \ Explanation uuuuuuuuuuuuumuuE[]]]]]]][]]]]]][]]]]]]][]]]]q]][]]]]]]][]]]][]]]]]]][]]]]]k \ (cr) (cr) \ \\ TELENET \ \ Telenet network called and XXX XXX \ \ your network address. \\ TERMINAL= \ "D1" (cr) \ Enter "D1" or press (cr) \\ @ \ For 300 bps: \ CONNECT command. To access \ "C(sp)DIALXXX/3,XXXX(cr)" \ a PC Pursuit city type a PC \ \ Pursuit access code and \ For 1200 bps: \ your user ID. \ "C(sp)DIALXXX/12,XXXX(cr)" \ \\ PASSWORD= \ "XXXXXX" (cr) \ Type the password \\ DIALXXX/X \ "ATZ" (cr) \ You are now connected to the CONNECTED \ \ PCP city. Type ATZ (upper). \\ OK \ "ATDTXXXXXXX" (cr) \ Dials a number in PCP city \\ CONNECT \ \ Your are now connected to \ \ your destination computer. \\ If the number dialed is busy, the user will see BUSY. To call another number in the same city, the user types "ATZ." The network will answer OK. The user then types "ATDTXXXXXXX" (cr) to dial the next number. To connect to a different PC Pursuit City, when the user sees BUSY, he types "@" (cr). When a @ appears, you are in business, and ask for the owner of the number. In some states, though, the operator will ask for an ID number. In these cases, one must be guessed at. There is also a type of reverse CN/A bureau, which is usually called a NON PUB DA or TOLL LIB. With these numbers, somebody can find unpublished numbers if the caller gives the operator the name and locality. These are considerably harder to use, since the operator will then request the caller's name, supervisors name, etc. The following is a list of current CN/A's. 1988 CN/A List (subject to change) Area: CN/A Area: CN/A Area: CN/A 201: 201-676-7070 202: 304-343-7016 203: 203-789-6815 204: 204-949-0900 205: 205-988-7000 206: 206-345-4082 207: 617-787-5300 208: 303-293-8777 209: 415-781-5271 212: 518-471-8111 213: 415-781-5271 214: 214-464-7400 215: 412-633-5600 216: 614-464-0519 217: 217-789-8290 218: 402-221-7199 219: 317-265-4834 301: 304-343-1401 302: 412-633-5600 303: 303-293-8777 304: 304-344-8041 305: 912-752-2000 307: 303-293-8777 308: 402-221-7199 309: 217-525-7000 312: 312-796-9600 313: 313-424-0900 314: 816-275-8460 315: 518-471-8111 316: 913-276-6708 317: 317-265-4834 318: 504-245-5330 319: 402-221-7199 401: 617-787-5300 402: 402-221-7199 403: 403-425-2652 404: 912-752-2000 405: 405-236-6121 406: 303-293-8777 408: 415-546-1341 412: 412-633-5600 413: 617-787-5300 414: 608-252-6932 415: 415-781-5271 416: 416-443-0542 417: 816-275-8460 418: 614-464-0123 419: 614-464-0519 501: 405-236-6121 502: 502-583-2861 503: 206-345-4082 504: 504-245-5330 505: 303-293-8777 506: 506-657-3855 507: 402-380-2255 509: 206-345-4082 512: 512-828-2501 513: 614-464-0519 514: 514-394-7440 515: 402-221-7199 516: 518-471-8111 517: 313-424-0900 518: 518-471-8111 519: 416-443-0542 601: 601-961-8139 602: 303-293-8777 603: 617-787-5300 604: 604-432-2996 605: 402-221-7199 606: 502-583-2861 607: 518-471-8111 608: 608-252-6932 609: 201-676-7070 612: 402-221-7199 613: 416-443-0542 614: 614-464-0519 615: 615-373-5791 616: 313-424-0900 617: 617-787-5300 618: 217-525-7000 619: 415-781-5271 701: 402-221-7199 702: 415-543-2861 703: 304-344-7935 704: 912-752-2000 705: 416-443-0542 707: 415-781-5271 712: 402-221-7199 713: 713-961-2397 714: 213-995-0221 715: 608-252-6932 716: 518-471-8111 717: 412-633-5600 718: 518-471-8111 801: 303-293-8777 802: 617-787-5300 803: 912-784-9111 804: 304-344-7935 805: 415-781-5271 806: 512-828-2501 808: 212-226-5487 809: 404-751-8871 812: 317-265-4834 813: 813-228-7871 814: 412-633-5600 815: 217-789-8290 816: 816-275-8460 817: 214-464-7400 819: 514-861-6391 901: 615-373-5791 902: 902-421-4110 904: 912-752-2000 906: 313-424-0900 912: 912-752-2000 914: 518-471-8111 916: 415-781-5271 918: 405-236-6121 912: 912-752-2000 XI. Loops The {kis an alternative communication medium that has many potential uses. Loops are phone lines that are connected when they are called simultaneously. One use is when somebody wants another person to call them back but is reluctant to give out their home phone number (eg., if they were on a party line). Loops are found in pairs that are usually close to each other (eg., 718-492-9996 and 718-492-9997). On a loop, one line is the high end, and the other is the low end. The high end is always silent. The tone disappears on the low end when somebody calls the high end. It is truly only safe to use a loop during non-business hours. During business, loops are used to test equipment by various telephone companies and local CO's. XII. Alliance Teleconferencing Alliance Teleconferencing is an independent company which allows the general public to access and use its conferencing equipment. Billing an Alliance Conference Alliance Teleconferencing is accessed by dialing 0-700-456-1000 in most states. In some states, the first and last digits of the suffix vary. There are four main ways to use Alliance illegally. The first is through a PBX. Some allow use of the 700 exchange, but many do not. The second way is with a Blue Box. After seizing the line, KP-0-700-456-1000-ST is dialed. The equipment now thinks that Alliance has been dialed from a switchboard and bills the conference to it. The third way is to a loop. After being connected to Alliance, the caller contacts the operator by pressing 0. The caller then can ask for the conference to billed to another number, giving the operator the number of the high-end of a loop. The operator will then call the loop. A friend of the phreaker must be prepared to answer the call by ca+kthe low-end. When the friend answers and accepts the billing, the conference will be billed to the loop. The fourth way is from a divertor. Since the divertor is a normal, home-type line, the phreaker should not have any problems starting a conference. Starting a Conference When Alliance answers, a two-tone combination is emitted. The caller then types a two digit combination to tell the equipment how many people will be in the conference, including the originator. Then either # is pressed to continue or * is pressed to cancel the conference. To dial a each conferee, the phreaker simply answers each prompt with the phone number of the corresponding person. To join the conference, the originator enters #, and to return to control mode, he enters # again. To transfer control of the conference, #+6+1+ the phone number of the person you wish to transfer the control to. To end the conference, the phreaker presses the * button. XIII. Telephone System Security Measures To stop telephone fraud, there are many measures which telephone companies can apply to identify and convict the phone phreaker. ESS Detection Devices Telephone companies have had twenty years to work on detection devices; therefore, they are well refined. Basically, the detection devices will look for the presence of 2600 Hz where it does not belong, which is in the local CO. It then records the calling number and all activity after the 2600 Hz. Automatic Number Identification and the Centralized Automatic Message Accounting Tapes Automatic Number Identification (ANI) is an implement in ESS that can instantly identify the lX+KkIQe9 For every call that is made, information including the numbers of the calling and receiving parties, the time of origination of the call, if the called party answered the call, and the time when the caller has hung-up is recorded on a tape in the Centralized Automatic Message Accounting (CAMA) office. This includes wrong numbers, toll-free numbers, and local calls. This tape is then processed for billing purposes. Normally, all free calls are ignored, but the billing equipment has been programmed to recognize many different types of unusual activity. One checks if a certain 800 number is called excessively. If the number is an SCC, the equipment can instantly check if the caller is a subscriber of the SCC. If it is not, it will alert the company of the illegal activity. Another is if there is a call where the calling party has stayed off-hook for a large amount of time, but the called party never answers. The equipment recognizes this as possible use of a Black Box. Dialed Number Recorders Placing a Dialed Number Recorders (DNR) on a telephone line is standard procedure when telephone fraud is suspected. The most common DNR's can do the following: print all touch tone digits sent (in suspected illegal use of an SCC), print out all MF and record the presence of 2600hz on the line (in suspected use of a Blue Box), and activate a tape recorder for a specific amount of time. Trap Codes Trap codes are decoy PIN numbers. If a telephone company find that a certain PIN number is being used illegally, it will call the real owner and notify hZ{zthe change in his account number. The company will then contact the FBI to bring their telephone trace equipment. There are very many different types of tracing equipment that exist today, which are nearly impossible to detect or evade. The only reason why tracing is not used often is that the FBI charges a very high fee for use of its equipment. The Lock In Trace One very old trace type is the "lock in" trace. A lock in trace is a device used by the FBI to lock into the phone user's location. Since all phone connections are held open by a certain voltage of electricity, the lock in trace works by patching into the line and generate the same voltage into the lines. If the caller tries to hang up, voltage is retained. The phone will continue to ring as if someone was calling even after the call is disconnected. The trunk then remains open and the call can be traced. The FBI sets its equipment so that the next time the PIN number is illegally used, the call goes through, but while the communication is proceeding, the FBI traces the call. Stopping a Lock In Trace Stopping a lock in trace is theoretically very simple. If the voltage in the line could be lowered, the trace could not function, since lowering the voltage would also probably short out the voltage generator. Therefore, any appliance which uses many volt can be connected to the red and green wires in a wall jack, and the trace should be removed. 4Tel 4Tel is an add on from GTE which can attach to GTD#5 electronic switching systems. It's main function is to automatically find problems with the exchange it is connected 24 hours a day. Most phone companies in Canada using it and most of the local phone companies in New York and other largely populated states in the US now use it, as it is extremely advanced (it was designed by Telecom Canada.) Besides detecting dead grounds and leds and killing power surges, 4Tel can also detect exchange scanning (war dialing), because it treats 4000 numbers excuting out of a single phone trunk in a small period of time with the same time interval between each number as an error, and will log the calling party's number to the telco's computer. This also applies to extender or PBX hacking. Evading 4Tel To avoid detection By 4Tel, the following steps should be taken when hacking codes for SCC's and PBX's. 1. Always fill a random block in a range of 9999 2. Modify programs to have a random interval set between each number dialed. 3. Limit hacking to 2000 calls per night. 4. Do not have the modem send a carrier after each number, since 4Tel will treat it as a 1000 hz tone, and will think somebody is illegally using a loop. Plus One Service A new way that large SCC's may stop code hacking is the installation of a plus one service. With this service, the use of access codes is removed, and use of the SCC's services no longer require a subscription. Plus one service works by having the user access the network by a toll-free number. When the caller has entered the network, his number is found via ANI. The name and address is then found via CN/A, and the bill is sent to the user. Two companies, Sprint and MCI, have already installed their plus-one services, and more will follow. *Note: In around February, 1988, many phreakers aquired many Sprint Plus One access numbers and mistakenly thought that they were Sprint "Back-doors." Their mistake was realized when afterward, they were sent bills for the call that they made. Common Channel Inter-office Signaling Besides detection devices, Bell has begun to gradually redesign the network using out-of-band signaling. This is known as Common Channel Inter-office Signaling (CCIS). Since this signaling method sends all the signaling information over separate data lines, and does not use any form of DTMF, all colored boxes do not work under it. Of course, until this multi-million dollar project is totally complete, boxing will still be possible. It will become progressively harder to find places to "box" off of, though. XIV. Laws Governing the Rights of Phreakers Since phreaking is one-hundred percent illegal, once discovered, there are not many laws protecting the phreaker. There are, however some laws governing steps government agents may take to convict him. The first law is the Section 605 of Title 47 of the United States Code. This section forbids interception of communications, except by persons outlined in Chapter 119, Title 18, which is a portion of the Omnibus Crime Control and Safe Streets Act of 1968. In this chapter, Section 2511 (2) (a) (i) says "It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of any communications carrier, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment, while engaged in any activity which is a necessary incident to the rendition of his service of the protection of the rights or property of the carrier of such communication." This means that agents of telephone companies are allowed not only allowed to tap lines without a warrant, but also allowed to disclose the recording of a communication. In the case United States vs. Sugden, the following ruling was made: "For an unreasonable search and seizure to result from the interception of the defendant's communication, he must have exhibited a reasonable expectation of privacy. Where, as here, one uses a communication facility illegally, no such expectation is required." This simply means that when you make an illegal call, you have waved your right to privacy. The only limit on tapping lines is that it must not be excessive. For example, in the case Bubis vs. United States, the telephone company monitored all of the defendant's phone calls for a period of four months. The court acknowledged the phone company's right of the "protection of the rights and property of the carrier of such communication," but ordered the evidence suppressed because the extent of the monitoring was excessive. Lastly, the limit of the monitoring was set. In the case United States vs. Bubis, the court ruled, "Thus, it would appear that the tape recordings of the defendant's conversation had been limited by the phone company to establish that the calls were in violation of the subscription agreement (were illegal), and to the identification of the person using the phone, Xfor those purposes only, then the tapes would have been admissible against the defendant." This means that the telephone company cannot monitor more than the first five minutes of the communication. XV. Conclusion With the advent of many new security features, in the near future, we may see the end of phreaking. Incorporating CCIS has already begun to eliminate the use of boxes. The use of longer codes may one day bring illegal use of SCC's and PBX's to a minimum. Improvement in divertor and loop equipment will ultimately bring an end to their abuse. Even though telephone fraud could very well become a memory, in every teenage telecommunicator's mind, there will always be a Captain Crunch, thinking of a way to "beat" the system. Such legends as the Captain and Joe the Whistler (the blind phreaker with perfect pitch), will be remembered forever.