THIS IS A LITTLE BIT OF THE THINGS TELCO COMPPNIES ARE PRINTING ABOUT US..ILL KEEP YOU UP TO DATE REGARDING NEW INFO............



                   THE LONG DISTANCE LETTER
    NEWS AND ANALYSIS FOR THE TELECOMMUNICATIONS EXECUTIVE

                       DECEMBER 1985
                       WASHINGTON D.C.
                       VOL.3, NO. 11

                   PHILLIPS PUBLISHING, INC.
             "ACTIONABLE INFORMATION FOR THE 80'S"


Dear Executive:

FRAUD WASTES MILLIONS OF INDUSTRY'S DOLLARS!

     Fraudulent use of toll services costs the long-distance industry millions of dollars each year.  And unlike access charges or even advertising costs, expenses paid out as a result of unauthorized, illegal toll usage can never be rationalized as a true cost of or a potential benefit for the business.
     The problem of toll fraud diminishes the bottom line of every long-distance company, whether the company is AT&T or a regional reseller of service.  Fraud costs the alternate long-distance industry alone $10 million per month, estimated Teltec Saving President Robert Hurwitz, speaking at a Competitive Telecommunications Association meeting.

THE TYPES OF FRAUD

     The varieties of fraud, although many, are not indefinite.  Yet industry members readily agree that for every type of fraud that is either diminished or eradicated, another pops up.  James S. Minogue, a general attorney with Satellite Business Systems, listed several varieties of fraud:
     * BLUE BOXING occurs when people use tone generators, devices that generate tones to bypass telephony billing systems (usually from a payphone), to enter the network without being billed for the calls.
     *HACKERS--perhaps the most infamous group--use computers to identify authorization codes.  Hackers fall into 2 categories--true crooks, and those who indulge in breaking codes for ego gratification
("phone freaks").  The latter group uses the authorization codes.  But these computer whizzes also set up computer bulletin boards in which illegally obtained long distance numbers or authorization codes are posted so others may use them.
     A variation of hacker's fraud is "prison fraud", said Minogue. Prisoners have access to touch tone phones and simply sit by the phone and punch numbers.  "Sooner or later, they hit upon the right numbers," Minogue said.
     Prisoners have also been known to illegally obtain authorization codes, and by punching the pound key, hand the phone from inmate to inmate for their different calls, a practice that once kept an access line of Execulines of Florida, Inc. busy for more than 12 hours, Peter Sawn, marketing manager for the Orlando-based company, told us.
     That experience also included MCI, as the number used was an MCI travel card.  The prison was in Tennessee, but because of the switching equipment used at the time, the calls were made via incoming
lines from Orlando, confounding both companies initially as to where the calls were from.  The Prison warden wouldn't agree to replace the Touch-Tone phones with rotary dials, as Execulines suggested.  with the crooks already in prison, not much more could be done.
     An outgrowth of hacker fraud is the set-up of telemarketing groups based on the ill-gotten distribution codes.  "The primary expense in these boiler room or telemarketing operations is the telephone expense," noted Jim Yarborough, vice president of corporate development for Advanced telecommunications Corp., parent company of Transcall America and Direct Line, long-distance companies serving the Southeast and Western United States, respectively.
     A number of these cases where telemarketing groups are fraudulently using long-distance services are run by businessmen, and the chances of these businessmen not knowing that what they are doing is illegal are slim to none.  "Any businessman who's using a service and not paying for it knows it's illegal.  Th only free cheese is in a mousetrap," said Yarbrough.
     Some crooks barter with the stolen numbers.  One such entrepre-
neurial sort talked a jewelry store into giving him discounts on the merchandise.  In return, he would take care of the store's long-distance service, Chris Davis, an attorney with the Washington D.C.-based law firm Surrey & Morse, told us.  The jewelry store was delighted with the arrangement until the long-distance company whose service was used, came calling for bill payment.  The hacker who provided the number was long gone, along with his discounted jewelry.
     Ironically, long-distance companies themselves have contributed to the problem.  "Part of the problem is that the industry has been doing it to itself, through the drive for market share.  In their desire to sign up customers, checks are not made on the names and addresses of people signing up for the service," noted Davis.  And as with credit cards, people sign for the service with the express intent of defrauding the company.  Other groups that contribute greatly to fraud are schools, college campuses and military bases.

HOW CAN FRAUD BE THWARTED?

     Sometimes, it takes a thief to catch a thief.  Execulines' Peter Sawn suggests that several companies sponser an electronic bulletin board anonymously, to obtain the codes passed around.  Sawn warns that if a bulletin board is set up, the system must not contain a lot of other data, because a hacker can zap it quite easily out of existence.
     TelTec Saving had some success with posting a $10,000.00 reward for information leading to conviction of abusers on computer bulletin boards.  In the bulletin board message, TelTec also informed possible abusers that the company had automatic number identification (ANI) capability--to trace calls to the abusers.  Just telling them of ANI, even if you don't have it, may work for a while.
     TelTec Saving had experienced abuse costing up to $250,000.00 a month, but with a stringent plan reduced losses to $30,000-$70,000 per month (TLDL, March, p. 3).
     Software can also thwart fraud--at least for a while.  American Telemangement Corp. markets a software product that detects hackers trying to steal authorization codes, President William O'Reilly told us.  O'Reilly founded Lexitel Corp. and was one of the founders of the Association of Long-Distance Telephone Companies (ALTEL), now the Competitive Telecommunications Association.
     The Network Security Monitor software has been available on a limited basis for about 90 days.  Carriers using the program are Satellite Business Systems, TelTec Saving, Communications Co. and Microtel Inc. Cost of the software is based on the size of the company and the extent of the problem.
     O'Reilly admits the product won't stop fraud, but says it will keep losses down to a minimum.  Although no industry wide statistics
have been gathered, O'Reilly estimates that companies lose 1/2 of 1% of revenue per month, on the low side, to 3% per month on the high side.  (American Telemanagement Corp., 26899 N.W. Highway, Suite 420, Southfield, MI. 48034, 313/358-1414.)
     Software is indeed seen as a major solution to the problem-but after the fact.  MCI spokesman Gary Tobin says that with software the company developed, MCI can detect and then stop incidences of fraud on a real-time basis.
     "Fraud is now down to less that 3/10 of 1% per month with the new software; before fraud was much higher, although still "single-digit,"
Tobin said.
     For all its attendent maladies, the equal access conversion effort may help to reduce fraud.  Since authorization codes won't be used as much, with networks accessed from phones, rather than just through code numbers, Tobin says that fraud will continue to be diminished.
     While many industry members acknowledge that equal access helps in fighting fraud, that will be true only for those companies entered in the presubscription process, such as larger companies, both facilities-based carriers and resellers.
     Regional carriers that in many cases do not join the equal access process will still make use of the authorization codes, and of course, travel cards, calling codes and any type of service that uses access codes will remain at a high level of risk.

DETERRENTS TO FRAUD: PROSECUTION, THE PRESS AND PUBLIC AWARENESS

     While many long-distance companies expressed a reluctance to discuss the problem, fearing that mention of fraud in a trade periodical would incite further instances, Advanced Telecommunications' Jim Yarbrough noted that when the company prosecuted, the press coverage of the prosecution as well as the
prosecution acted as a deterrent.
     "The biggest deterrent is punishment.  When we caught some teenagers commiting fraud, the publicity generated by the prosecution resulted in bulletin boards passing the word to 'stay away from this company--it prosecutes,'" said Yarbrough.
     "I don't expect fraud to stop--it can't ever be stopped totally. But as people realize there are laws on both the state and federal level--once people realize that it's not a game, that people do go to jail, the type of fraud commited by phone freaks will dry up.  But the people who are selling codes and are crooks to begin with will continue to do so," predicated Yarbrough.
     Prosecution may include both criminal and civil action, noted SBS' James S. Minogue.   "In civil actions, judges can award punitive damages also.  Civil action is not as effective as criminal--law enforcement is preferable.  But if enforced, civil actions may also act as deterrents.  But criminal charges are a far more serious deterrent," noted Minogue.
     Another deterrent is public awarness.  AT&T has embarked on a fraud-awareness program developed by Bell Atlantic for AT&T.
     The program focuses on computer and credit card fraud and is aimed at junior and senior high school students, college students and military personnel.
     Four videotapes have been filmed, each one geared to a specific group. The tapes will be shown to schools, colleges and military bases as cornerstones of sessions dealing with fraud in a pilot program in New Jersey.  The tapes are based on an actual case of fraud showing a junior high school student selling a software progam for $5 to a friend, saying that with the program he can contact bulletin boards across the country without being charged for the calls.  The kid buys the program, goes to town with it and wham, is caught by telephone company investigators.
     The kid is hauled to juvenile court, found guilty and required to pay for the long-distance calls anbd is sentenced to community work.
     After showing the tape, a security representative discusses what constitues an illegal call and the penealties for making them. Literature about telephone fraud is also distributed.
     "The program shows that AT&T is determined not only to investigate and prosecute fraud cases, but also to educate potential abusers about the possible consequences of their actions," said Charles Schnitzelein, general security manager for AT&T Communications
     Security representatives of Bell Atlantic, acting as agents for AT&T, are approaching schools, colleges, school boards, parent-teacher associations and military bases to schedule the sessions.  AT&T is also working with other BOCs that are investigating fraud cases, so AT&T can extend the program nationwide.
     AT&T declines to say how much money the company lost to fraud last year, but before divestiture, the total Bell System, AT&T and the Bell operating companies lost $150 million annually as a result of all types of fraud, calling card, coin, third-party billing, etc., Neal Norman, AT&T-C district manager of corporate security, told us.
     AT&T has had problems with fraud not only domestically but internationally as well.  In March 1984, AT&T-C was permitted by the
FCC to restrict international card usage from those countries or international area codes where the company experienced a high incidence of fraud.
     Software has also enabled AT&T to diminish fraud, but the end is not yet in sight.  Norman concurs that reducing dependency on codes would help the industry with fraud, but notes that fraudulent users will always find a way.
     Making the customers aware of the Truth in Lending Act, under which cardholders are liable for the first $50 on fraudulent phone bills--as long as there is no intention to defraud the companyu--is another way to increase public security consciousness.
     Customers must be made aware that fraud is a problem, so they will exercise more control over their codes and numbers, and BOCs must join the effort to reduce fraud, said Norman,
     "BOCs must participate too.  They have problems of their own, although slightly different in nature," noted Norman.

FRAUD FIGHTERS GROUP FORMED

     Fraud fighters now have an association to aid their efforts.  The Communications Frauds Control Association, a nonprofit group incorporated in May, works to increase cooperation within as well as beyond the industry to promote fraud control, President Everick Bowens told us.
     Specificially, the association was formed to:
     *Establish and maintain closer communications regarding security matters.
     *Promote the mutual interests of telecommunications carriers to the extent of protection and efficiency of security operations.
     *Provide a forum where information can be collected, classified and then distributed to members for security purposes.
     The association resulted from meetings hosted by Network 1 in Florida last winter.  Members include local telephone companies as well as long-distance providers--both resale and facilities-based carriers.  Companies that provide computer services are also members.
     The association is working to collect statistics on the extent of fraud experienced by the industry, and even within the association, the company representatives are loathe to reveal losses due to fraud, Bowens said.
     To protect themselves from fraud, OCCs must build a better mousetrap, and first realize just how "un" secure their operations are, said Bowens.  "We have to produce better, safer, more secure
products.  The hardware and software for seitches must be more security-conscious," said Bowens.
     Sharing information is a necesity.  "The population of fraudulent users although great, is pretty static.  One may abuse AT&T for a while and then go on to an OCC.  Information on abusers must be shared," said Bowens.
     Local exchange companies and long-distance companies must cooperte more fully.  "Both segments must be allowed to communicate their needs to arrive at solutions.  We must identify and isolate given fraudulent situations.  The interexchange carrier has some information;  the exchange carrier has some--they must work jointly with law enforcement," said Bowens.
     "All long-distance companies should also keep in mind that fraud control is a serious project in terms of dollars and in terms of how secure the national telecommunications security systems really are. It behooves anyone in the industryu to band together to ensure tha security.  The ultimate victims are the general public.  No company will be able to exist if fraud is not taken care of," stated Bowens. (The Communications Fraud Control Association, PO Box 23891, Washington, DC 20026, 703/560-4069.)


This little tidbit of info for all you Phackers, has been brought to you from the VAULTS OF THE SWISS BANKER.

For an analysis of all of this please read "THE BALANCE SHEET."

