================================[MiNDCRiME]================================
[FiLE #5:] eASE dROPPING aND cARDS
y---[MiNDCRiME #2!]---y aRTICLE tYPED bY iP?!
_ _ _____ 12.o4.94 ]____ _ _

Every now and then, those of us who take the time to be observant stumble across something remarkable. Let me relate to you one of those experiences.

It was an all too lazy sunny afternoon in Indiana. I was bored, and I decided to listen to my Realistic PRO-2004 scanner. I flipped it on and scanned through the usual federal government, military aviation, and cordless phone frequencies, but there was no action to be found. I happened to come across some scrambled DEA transmissions and a droning cordless phone conversation by some neighbors I could not identify. So for a change I decided to scan through the marine radio channels.

The scanner then stopped on marine radio channel 26, which is used for ship-to-shore telephone calls. A man was reading off his calling card number to the operator, who gladly accepted and connected his call. Calling card numbers over the airwaves! I was shocked -- astonished that such a lack of security could not only exist, but be accepted practice. I began monitoring marine telephone to find out more, and it turns out that using a calling card for billing is commonplace on VHF marine radiotelephone. People use calling cards for billing all the time. That's what they are for. But is it that big of a deal? [k0d3z!]

You bet it is. Marine telephone uses two frequencies, one for the ship and one for the shore station. [obviously] The shore station transmits both sides of the conversation at a somewhat considerable power, enough to offer reliable communications up to 50 miles offshore. Anyone with a standard police type scanner costing as little as $100 can listen in. People using marine radiotelephone can be broadcasting their calling card number to a potential audience of thousands. [k0d3z] And that just shouldn't be happening, but it is.
[I won't complain] And there is no doubt that calling card fraud is occurring because of this lack of security. From the phone company's [many Bell and non-Bell companies provide marine telephone service] point of view it must be a trade-off for customer convenience. You see, there just aren't that many ways to bill a ship-to-shore call. Most calls are collect, a few are billed to the ship if they have an account, and a few go to third party numbers [hehe] or other special accounts.

Sometimes the operators have trouble verifying billing information. I monitored one man, who after racking up $40 worth of AT&T charges was informed that they couldn't accept his international account number. The operator finally coaxed him into giving an address for billing. Calls are often billed to third party numbers with verification [hmm], but calling cards make billing easy for both the customer and the phone company involved. It would also be tricky for a company to not allow calling card use [very tricky]. Doing so would be an inconvenience to customers and would force them to admit a lack of communications security. Of course people using marine radio should already realize that their conversations aren't private, but announcing the fact wouldn't help the phone company at all. In fact, people may place fewer calls.

The convenience offered by calling cards makes them an easy target for fraud. They can be used by anyone from any phone and with a variety of different long distance carriers via 10XXX numbers. No red or blue box hardware necessary here, just 14 digits, but of course, the number won't be valid for long after all those strange charges start showing up on someone's bill. It should be noted that when a calling card is used, the number called, time and date of call, and location [and often, the number] from which the call was placed are printed on the bill. A fraudulent user could be caught via that information if they were careless.
Also, some long distance companies may contact the owner of the card if they notice an unusually high number of charges on the card.

Long distance companies bear the brunt of the bills caused by calling card fraud. However, if you read the fine print, the cards offered by many companies have a certain minimum amount that the customer must pay, say $25 or $50. [I have yet to hear of a case where a phone company got away with charging a customer when the only thing stolen was a number and not the card itself]

So, what's the moral of the story? Simple. Be damn careful what you say over any radio, and that includes cordless and cellular telephones. Also, be careful about how sloppy you are when using cards. If you are using a calling card, enter it with touch tones. =) If you happen to make VHF marine radiotelephone calls, bill collect or charge to your phone number as you would to a third party number -- without the last four calling card digits. For the most part radio communications are easy to intercept, and keeping them secure is up to you. Then again, it gives hackers and phreakers the cutting edge, and I must say no one is in any situation to bitch or complain.