Computerized voice-mailbox systems are one of the newest technological conveniences in Corporate America. But when "gangs" of computer hackers take over a corporate phone system by capturing its voice mailboxes, the results can be very costly.
In Columbus, Ohio, 15-year-old Chad Webster was convicted of five felony counts including denying access to a computer, vandalism, unauthorized use of property and extortion.Police tape recordings revealed a deep, sinister voice (Chad's) threatening one business - a dial-up electronic-mail message service - saying he would destroy the business if he was not given free access to the voice-mail system and five mailboxes. The extortion, police charged, included threats to cause the company's computer systems to fail and to erase legitimate messages. In one instance, obscene messages were left in 75 customers' voice mailboxes resulting in a $15,000 loss.
Columbus police say Chad, as well as two Indianapolis boys and another Columbus youth, attacked five businesses in three Midwestern states. The victimized companies, in Indianapolis; Columbus, Ohio; and Oklahoma City, sustained damages of $50,000.
Detective Robert Snyder with the Columbus Police Department's organized crime squad says voice-mailbox fraud and hacker gang attacks on phone systems "seem to be the new wave." Chad and his friends were part of a much larger nationwide "gang" of 20 or more hackers, Snyder and others say.
"The voice-mail mess is national in scope," says Gail Thackeray, assistant attorney general for the state of Arizona. "We have several identifiable gangs. Hundreds and hundreds of people are involved."
Hackers traditionally have been interested primarily in invading or toying with other computer systems, usually by phone. Another renegade group of computer users, calling themselves Phone Phreaks, mainly use computer expertise to gain free long-distance service.
Now the two groups seem to be overlapping, in part because voice-mail systems are computer systems with voices recorded digitally and stored in a computer.
Here is how a voice-mail hacker may work: Late at night, he will sit at his desk with a personal computer. He hooks the computer, via a phone modem, to his phone line. He then programs the computer to randomly call toll-free 800 numbers.
Occasionally, a computerized voice-mail system will answer and ask for instructions. The hacker then presses the buttons on his touch tone phone in response to the system, which asks, among other things, whether he wants access to a personal voice mailbox. Before entry permission is given, a pass code of as few as two or as many as seven digits is required from the caller.
The hacker will program his computer to randomly input series of numbers until he discovers a voice-mailbox password. Once access is gained, he then proceeds to request a new password be given to the mailbox of his own choosing, thereby taking control of one voice mailbox.
Often voice mail is linked to PBX, or private branch exchange systems used by corporations. A PBX code allows the caller, such as a salesman in a remote location, to dial anywhere in the country or anywhere in the world using the company switchboard. There are an estimated 4,500 PBX systems in the United States.
But such systems are only secure as long as no one knows what is usually a five or seven-digit PBX code. With just two to five digits, voice-mail codes are usually even easier to break. The voice-mail systems often attached to PBX systems offers an anonymous mode of communication to computer and telephone hackers.
The result is an "enormous problem," which Thackeray says has been intense since this spring but growing for the past two years as voice-mail systems have grown. The first complaint to reach Thackeray was in December last year. By January, she was receiving one or two calls about voice-mail fraud each month. Now, she says, she gets one or two new complaints a week.
Telecommunications fraud is estimated to cost phone companies and corporations $500 million a year, says Rami Abuhamdeh, executive director of the Communications Fraud Control Association in McLean, Va. The bulk of the fraud involves illicit use of stolen long-distance access codes belonging to MCI, US Sprint, AT&T, and other long-distance companies in the United States.
So far, only a fraction of it involves voice mail. However, as long-distance companies make it harder to steal their access codes through improved security - such as 14-digit codes - regional and local long-distance companies, with less secure codes, and corporations with their own PBX codes and voice-mail systems are being hit harder.
"They are going after the smaller carriers that have the 5- or 6- or 7- digit codes," says Loren Proctor, a security specialist with US Sprint in Rosemonth, Ill. He also says that companies with PBX systems are being hit because of increased security among big long-distance carriers.