Upload
marjorie-harris
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Telecommuncation problems?
Steven BraniganDistrict Manager,
Corporate Computer and Network Security
2 march 1999
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
It can’t be that difficult!Just a bunch of LATAs
Courtesy of US WATS from the fcc.gov web page
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Telephony issues
Frauds wireless coin landline
Recent exploits
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Let’s start with General Billing
Coin phone: pay as you go. Prepaid: pay in advance. Calling credit: credit Residence/business line: credit
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Traditional fraudsI make the call, you pay the bill
Clip on fraud. Cordless phone fraud. Calling card fraud Boxes. (red, blue…) Cloning Subscriber fraud
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Coin phone
coin phone Network controlled pay phones. Customer owned payphones
Pay as you go, and you know exactly how much the call costs.
Carrier is selected by the coin phone. Of course the red box was a common coin
fraud.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Of interest
Incoming payphones in certain LATAs must allow incoming calls.
The calling party controls the connection until a timeout in the US.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Calling card
Can be used from a residential or coin phone. In this cases, the user has no idea how much
the call costs. Calling cards and pins are compromised
frequently.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Exploit #1
Insider at a telco gained access to an SS7 network element
Crafted SS7 messages that issues C.C. queries to SS7 database.
Automated process rotated calling card number, kept the pin constant.
Avoiding fraud detection mechanisms.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Exploit #2
A potential payphone user would hear a ringing payphone at a busy location.
The user would pickup and hangup. Then the user would place a calling card call,
and the calling card was compromised.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Exploit #2 Hypothetical
Payphone located in Chicago. Fraudster located in NYC. Fraudster calls payphone in Chicago. When the
call is answered, the fraudster plays dialtone (from NYC) into the payphone.
Person in chicago believes the dialtone is from chicago, and places a calling card call.
The NYC fraudster completes the call, and collects the calling card number.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
What about toll free calls
Calls to specific number may be toll free. In this call model, the party called actually
pays for the call. Currently, 800, 888 and 877 are toll free
numbers in the US
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
An old toll-free case
The “stolen” 800 number.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
It could happen to anyone…
It started with a book on Internet security being recovered on a drug raid…
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Using a tapped phone line for profit.
A phone line was tapped that was used for credit card validations.
The rest, as we say, is history. (and people worry about using their credit card
on the Internet?)
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Investigative tools
Dialed Number Recorder (DNR) Trap & trace Wiretap Billing records Caller id?
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
CO SwitchLine history block
< op:ilhb,dn=7329491999; PF
S570-15073350 95-11-12 15:45:15 075603 MTCE
M OP ILHB DN=7329491999
DATE=11/12 TIME=15:42
LICDN=7326241024
MULT_CALL=YES PRIV_INC=NO TRACE=NO IDP=YES
SCREENING=NP ADDR_TYPE=NATL NUM_PLAN=ISDN UNIQ=YES
CNPR_INC=NOP
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Trap and TraceExample output
< op:clid; PF
S570-15073350 95-11-12 15:45:22 075605 TRCE XXX
M OP CLID LIST CONTAINS 2 NUMBERS
SECTION 1 OF 1
5550101
7329491999
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
The CCS/SS7 network
CO/SSPCO/SSP
STP
trunks
links
SCP
links
SCP
STP
SCP
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
CCS/SS7 networkIssues
SS7 messages obtainable (think pins) Remote maintenance of switches Remote maintenance of databases Many telephone lines rely on a single system
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
PBX
A great target for the call sell operation. In order to save money, some corporations
allow for dial-out capability in their PBX. A user can call into the PBX using a toll free
number, than call any number in the world.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
CellularHello, you’re on the air!
Wireless telephone communication. Phone number doesn’t determine physical
location! Conversation broadcast within cell.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Cellular tracking?
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
The future
Local number portability. Voice/video over the Internet.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Local number portability
A user will be able to keep their phone number forever, (as long as they are in the US)
This will remove geographical issues from wire-line telephone numbers just as it has been removed from cellular.
10 digit dialing will become much more common.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Area code splits
dividing a specific area code into two area codes.
Increases the available telephone numbers in the network
Two mechanisms, geographical splits or overlays.
Makes the concept of a long distance call more confusing.
We make the things that make communications work.™© Lucent Technologies -- All rights reserved
Geographic split
Neighboring call can still be dialed with only 7 digits.
NJ’s 908/732 area code split is an example of a geographic split.