I never thought it could
happen to me.
Isn't that what all crime victims say?
Well that's me - a crime victim who never thought
it could happen to her. And the reason I'm writing this column today is to
share that it not only happened, but that most people to whom this crime
happens don't even realize it is possible.
I'm talking about hacking. But not hacking into
computers. Hacking into phone systems.
It happened over the long July 4th weekend, when no
one was in our office to catch that something was going wrong. Hackers accessed
our phone system and used our lines to place long distance calls.
The good news is that the fraud divisions at both
Sprint and AT&T caught the calls, putting a stop to them after 2 days.
The bad news is that once those major providers halted
our international service, they tell us it is likely the perpetrators started
using our lines to access those 10-10 services you see advertised all the time.
Worse news is that the extent of the long distance
calls placed from our phone system may be as much as $20,000 or more.
Even worse is the news that in at least the initial
stage of this fight, the phone companies have said we are liable for those
charges, and it appears some courts have backed them up.
But that's not the very worst of it.
The worst is that in those short 2 days, the calls
placed from our system included a 16 hour call to Saudi Arabia, 6 and 8 hour
calls to Yemen, Afghanistan, Pakistan, India and other countries the United
States has on watch during this time of war.
From Gotcha to Fighting Back
As happens with any crime, first you feel violated,
then you put things in order. And sometimes, depending on the crime, there is a
next step - fighting back.
So the first thought running through my head when we
learned of the problem was consternation: There is a war going on, and my
phone is being used to make long illegal calls to countries that are both
directly and indirectly involved in that war. It's one thing to feel
violated after a crime, but this went beyond that feeling, bringing home to me
the fact that regardless of how each of us individually feels about it, the
world is in a state of war, and the tools of war and espionage have absolutely
But as we began to put things in order, learning as we
went, those feelings of being violated were replaced by a different sensation.
A single thought kept resonating louder and louder in my head:
WHY ISN'T ANYONE TALKING ABOUT THIS?
Even those of us in the nonprofit world who have come
late to the technology party - those who are finally seeing the need for a
website, or those who have finally grown accustomed to using email for much of
their communication - regardless of how much or how little we know about
technology, we know about virus protection and spam filters. We know these
things because everyone seems to talk about them.
Then why is it not just as common knowledge that our
phone systems could be used as tools for international crime? How did this
How It Happened
From our crash course in phone security over these
past few days, we've learned a few of the things that allowed this to
First, let's clarify that this applies more to
multi-line office phone systems than it does to the single phone in your home.
That said, there has been a dramatic increase in hacking of cell phones and
Palm Pilot / other PDAs, as wireless technology makes that so easy. For the
sake of keeping this article brief, let's stick to office phone systems
for now. (Although if my cell phone is hacked next week, I may be back with a
Part 2 for this article!)
These days, modern office phone systems are little
more than computer systems. Many of the cool new features on these phones allow
not only remote access to your voice mail, but remote access to a dial tone.
For example, your voice mail system may, for your convenience, allow you to
"Press 3 to return this call," even if you are away from the office
when you check your messages.
Well, if you can make that call from your office
system when you are not physically there, so can someone else. That feature may
be a convenience for you, but it allows easy access for those whose intentions
are less than noble.
Another part of the problem, though, is that our world
places tremendous emphasis on keeping our computers safe, but we hear virtually
nothing about keeping our phone systems safe. Even non-techies (such as myself)
know enough about the Internet to know I want a firewall and the latest virus
definitions, and that every so often I want my teenaged daughter to check my
system for spyware and other evidence of foul play.
But my phones?
Which leads to a related piece of the puzzle: There
havent been anywhere near the advances in protection for these systems as
have been made for our computers. A quick Internet search regarding this
problem found a Business Week article dating from 1991, describing the exact
methods the thieves used to gain access to our system - 13 years ago! In a
world where we are so used to techno-changes every few minutes, how is it
possible my phone system has the same hack-potential it had when the buzz on
the tech circuit was the latest version of DOS?
Until such time as there are more foolproof
phone-hack-protection measures available, there are things you can do to
protect yourself. The first is to contact whoever services your office phone
system, to have them run through their own checklists with your system. There
are a number of layers of protection they can add that will make your system
harder to crack.
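
As an added example (not part of the original column), here is a review of a phone system's call records for the pattern described here: international or 10-10 dial-around calls placed while the office is closed, or running for hours. The record layout, office hours, holiday list and every number in the sample are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample call detail records (CDRs). The column layout is an
# assumption; real PBX exports differ by vendor. All numbers are made up.
SAMPLE_CDR = """start,extension,dialed,duration_s
2004-07-02 10:15:00,201,16025550134,340
2004-07-03 23:40:00,VM,0115550100200,57600
2004-07-04 02:05:00,VM,10199990115550100300,21600
2004-07-04 03:10:00,VM,15205550199,120
2004-07-05 11:00:00,VM,0115550100500,28800
2004-07-06 14:00:00,204,0115550100400,900
"""

DIAL_AROUND = re.compile(r"^101\d{4}")   # 10-10-XXX style carrier access code
OPEN_HOUR, CLOSE_HOUR = 8, 18            # assumed office hours, Mon-Fri


def review(cdr_text, holidays=(), max_minutes=60):
    """Return (start, dialed, reasons) for toll calls that look unattended."""
    flagged = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dialed = re.sub(r"\D", "", row["dialed"])
        reasons = []
        if DIAL_AROUND.match(dialed):
            reasons.append("dial_around")
            dialed = dialed[7:]          # look at the number behind the code
        if dialed.startswith("011"):     # international prefix in the US
            reasons.append("international")
        if not reasons:
            continue                     # ordinary domestic call
        closed = (start.weekday() >= 5
                  or start.date().isoformat() in holidays
                  or not OPEN_HOUR <= start.hour < CLOSE_HOUR)
        if closed:
            reasons.append("off_hours")
        if int(row["duration_s"]) > max_minutes * 60:
            reasons.append("long")
        if closed or "long" in reasons:
            flagged.append((row["start"], row["dialed"], reasons))
    return flagged

if __name__ == "__main__":
    for hit in review(SAMPLE_CDR, holidays={"2004-07-05"}):
        print(hit)
```

Run daily against the previous day's records, a check like this surfaces a multi-hour weekend call the next morning rather than on the monthly bill.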
It is equally important, however, to simply be aware.
If you don't need the feature that allows a remote dial tone, turn it off.
When employees leave the firm, change any passwords that employee might have
known. Make those passwords as LONG as possible. Like the Neighborhood Watch
programs that teach residents to make their house unappealing to thieves, make
your system too much effort to crack, and they'll head to an easier
Sprint has created an excellent tip sheet for how to
protect your phones. They also have a great tip sheet for protecting yourself
from what's known in the lingo as Social Engineering. An
example of Social Engineering (which I confess, sounds like some strange
eugenics project, but actually has to do with your phone system) is when the
people who want to use your phones for illegal activity will call and identify
themselves as Sprint or AT&T operators who need your password to keep the
system safe. This latter issue will be of particular interest to nonprofit
organizations with volunteers answering the phones, and you may want to have a
special phone security training session with those individuals.
We have posted both these tip sheets to a special
section at our website. (See Below) We urge you to download them
and provide them to all your organization's employees.
To all who have expressed their concern for us, we
thank you. We have filed police reports and are reporting the "theft" to our
insurance company and will be protesting the charges with the phone companies.
But to us, this was a lesson. A lesson that says,
"You never know." And if you can learn from our lesson, then perhaps
some good will come out of what is likely to become some long months of battles