About the "Hoax du Jour"
The "Hoax du Jour" is a recurring column providing updated
information and commentary on the Internet community. It is a feature of
Korova Multimedia's "e-v-mail" page.
What is a "hoax du jour?"
With the
advent of widespread use of the Internet as a medium for sharing
information, the phenomenon of sharing misinformation has
exploded. Conventional urban folklore and
propaganda have blossomed on the Internet. Intentionally
misleading information is broadcast on a professional and personal level.
On the Web, misinformation wants to be free. It also likes to be free
of authenticity and corroboration, when such grounding deflates the
credibility of the content.
The result? Naive users of the Internet are subjected to a daily
barrage of data that are erroneous, slanderous, and sometimes even
destructive. This page is dedicated to discussing intentional
misinformation, or 'Net hoaxes.
Disclaimer
The opinions expressed here are
entirely my own, and do not reflect policy or intentions of any persons,
groups or companies referred to or linked from this site. I, my guest
writers, or Korova Multimedia are not responsible for content or sites
linked to from the "Hoax du Jour" column.
In the past couple of weeks, a convincing "phone scam alert" has spread
through U.S. Government offices and the Internet. Though the seed of this net
rumor is factual, the alert has been abridged and misquoted to the
extent that it's alarming ... and inaccurate.
One version of the alert (posted on the newsgroup alt.folklore.urban) goes like this:
** High Priority **
On Saturday, 24 January 1998, Naval Air Station, Joint Reserve Base, New
Orleans' Quarterdeck received a telephone call from an individual
identifying himself as an AT&T Service Technician that was running a test
on our telephone lines. He stated that to complete the test the QMOW should
touch nine (9), zero (0), pound sign (#) and hang up. Luckily, the QMOW was
suspicious and refused. Upon contacting the telephone company we were
informed that by pushing 90# you end up giving the individual that called
you access to your telephone line and allows them to place a long distance
telephone call, with the charge appearing on your telephone call. We were
further informed that this scam has been originating from many of the local
jails/prisons. Please "pass the word".
Somehow this smelled like a net rumor, maybe even a hoax, since it
follows the "Hook, Threat and Request" model that CIAC (http://ciac.llnl.gov/) identified in
Internet chain letters and virus hoaxes.
I discussed this with AT&T's Network Security office (800-337-5373, security@att.com), which is referenced
in some versions of the alert. The specialist I talked to had heard of the
rumor, but discounted its validity as posted. He noted that it could
conceivably be used against some common PBX systems. Here's how:
On many PBX systems, 9 will access an outside line, 0 will request a
local operator, and # ... well, most systems wouldn't know what to do with
that #, so the call to the local operator would be CANCELLED*. It's
conceivable that calling someone on a PBX, and asking the recipient to
hookflash, then dial 90#, will give the caller an outside dial
tone. The caller can now make long distance calls that are charged to the
hapless recipient. (See "Inmate fraud" link.)
[A writer on USENET informed me that this is a "call completion" code,
which signals a PBX system that the number is complete, and initiates
dialing. In essence, 90# would connect an internal line to the outside
operator, and 900# would connect a line to an outside long
distance operator (depending on the PBX being used).]
This, of course, would require that
- the recipient is on a PBX system that supports 9 for accessing an
  outside line,
- the default "9" outside line has long distance dialing privileges
  (some systems require a different code to get the LD carrier) and
- the recipient doesn't see through the obvious deception ("I'm an AT&T
  service technician, dial this code....") and just hang up.
It's possible. It can be used as a scam, but most likely on systems where
the series of numbers is known to provide a long distance dial tone. The
original alert, within a single Navy installation, has some validity. The
resulting net rumor, though, implies that this "90#" code works
anywhere. It just ain't so. Dialing 90# on a home phone won't
do squat. As to whether the calls are typically originating from jails,
AT&T's rep asserted that it's rarely possible for a convict to pull such a
scam. (See the exception referenced in the links.)
To get to the bottom of the source incident, I called the Naval Air
Station quarterdeck in New Orleans. The petty officer who was manning the
watch cheerfully confirmed that they had a clearly posted warning at the
desk matching the quoted text above almost word for word. Almost. He also
looked up his log for January 24, 1998, and confirmed that the duty
watchstander had received a suspicious call. But the text he read me had
one critical element missing from the net posts ... I'll
simulate the omission here:
> Service Technician that was running a test on our telephone
> lines. He stated that to complete the test the QMOW should
<snip> touch the LINE key [for an outside line], then <snip>
> touch nine (9), zero (0), pound sign (#) and hang up.
This procedure COULD give the caller an outside line on the base's
phone system. What a surprise.
So the bottom line is that this warning has some validity for certain
PBXes, but nowhere near the "alarm factor" danger for any and all phone
systems. Your office or institution phone system may be vulnerable to this
technique, or this kind of technique, or even some form of "social
engineering" scam for abusing phone systems. But, folks, your home phones
are safe from danger. As Rob Carlson posted on alt.folklore.urban, "Being
able to use one single sequence on the variety of phone switches is as
silly as expecting to run Intel machine code on a SPARC."
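The dependence on the switch can be made concrete with a small model, added here as an illustration and not part of the original column. The PhoneSystem fields, key names and sample systems are constructed simplifications of the conditions discussed above, not any real PBX's dial plan.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PhoneSystem:
    # Constructed, simplified dial-plan model; not any vendor's real configuration.
    name: str
    second_call_key: Optional[str]  # key that parks the caller and opens a new call
    trunk_prefix: Optional[str]     # digit that seizes an outside line
    trunk_allows_ld: bool           # default outside line may dial long distance

# Key sequences discussed in the article.
SEQUENCES = {
    "as circulated": ["9", "0", "#", "HANGUP"],
    "PBX variant": ["FLASH", "9", "0", "#", "HANGUP"],
    "as logged": ["LINE", "9", "0", "#", "HANGUP"],
}

def outcome(system, keys):
    """What the called party's key presses hand to the person on the line."""
    key = system.second_call_key
    if key is None or key not in keys:
        return "no effect"  # digits are only tones on the existing call
    dialed = keys[keys.index(key) + 1:]
    if not dialed or dialed[0] != system.trunk_prefix or dialed[-1] != "HANGUP":
        return "no effect"  # no outside line seized, or transfer never completed
    if system.trunk_allows_ld:
        return "outside line, long distance"
    return "outside line, restricted"

def exposed(systems):
    """Map each system name to the sequences that yield a long distance line."""
    report = {}
    for s in systems:
        report[s.name] = [n for n, k in SEQUENCES.items()
                          if outcome(s, k) == "outside line, long distance"]
    return report

SYSTEMS = [  # constructed examples
    PhoneSystem("home line", None, None, False),
    PhoneSystem("office PBX", "FLASH", "9", True),
    PhoneSystem("office PBX, separate LD code", "FLASH", "9", False),
    PhoneSystem("key system with LINE button", "LINE", "9", True),
]

if __name__ == "__main__":
    for name, hits in exposed(SYSTEMS).items():
        print(f"{name}: {hits or 'not exposed'}")
```

In this model the sequence as circulated has no effect on any of the sample systems; only the variants that first open a second call expose a system, and only where the default outside line carries long distance privileges.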
Here are several tips you can apply to minimize your risk from phone scams
like the one prophesied in this net rumor.
- Don't give out personal information over the phone. This includes
  passwords, PINs (personal identification numbers) for your calling card or
  ATM card, your Social Security Number, home phone, and address. Those who
  need this information should already have it, and often WILL NOT ask for it
  over the phone.
- Those who need to do "checks" and maintenance work on phones and
  computer systems ... don't need to ask you for access codes. They already
  have them, or don't need them.
- Phone technicians don't need user intervention to check equipment.
  Often, they don't even need to bother you at all; it's all done in the
  background.
- Be suspicious of strange callers who claim to be within your company,
  and need you to transfer them or perform some unusual function.
- Social engineers may ask you several innocuous questions before hitting
  the real question. Be suspicious of anyone who calls up to "confirm your
  information" and asks the obvious questions.
- When in doubt, get a return phone number where you can call the person
  back. Legitimate entities will provide a company number; hackers will often
  just hang up.
This alert has resurfaced lately, just in time to ride the coattails of
various returning rumors regarding Internet
Access Charges & Taxation. In its new version, all the
corroboration from the U.S. Navy has been replaced with a
supposed personal account. Oddly, this makes it even less
credible, but seems to appeal to the belief that a warning told in
the first person "I" will be more believable.