Posted on 27-Jun-2003 08:31.
Filed under: News
AT&T has implemented new security procedures that have effectively eliminated the current version of "yes...yes...yes" voicemail fraud. Further, the company said that, as of today, it will forgive all outstanding charges from customers who have been victimized by this specific type of fraud, if the customers will resolve disputed charges with appropriate documents and agree to cooperate with AT&T in efforts to recover damages against any parties liable as a result of the fraudulent long-distance calling.
The "yes...yes...yes" voicemail fraud, which has affected fewer than 250 businesses and governmental agencies nationwide on the AT&T network since late last year, occurs when hackers outside the United States gain access to the voicemail systems of customers in the U.S. by compromising the password mechanisms that should be protecting the systems. In most cases, the customer passwords were easily guessed combinations, such as 1-2-3-4, or default passwords that the voicemail systems may have permitted to remain permanently in place without change.
Once inside the voicemail systems, which often are supplied by local telephone companies, the hackers effectively take control of the customers' outgoing greetings and record a "yes...yes...yes" string to dupe operators or automated systems -- at customers' expense -- into believing that the customers were accepting charges on the calls.
After AT&T identified this fraudulent activity, the company implemented additional security measures in its network to combat fraudulent long-distance calling in which AT&T also is victimized.
These safeguards, which have proven extremely effective, were added to neutralize the hackers' ability to exploit security weaknesses in the voicemail systems. The voicemail systems are not AT&T products, but usually are provided either by customers' local telephone suppliers, such as SBC or Verizon, or their PBX vendors.
AT&T's decision to forgive outstanding charges of past victims of the "yes...yes...yes" fraud is in keeping with the company's policy of reviewing fraud schemes on a case-by-case basis.
Experience has shown that hackers will try to take advantage of customers whenever they do not guard their telephone systems appropriately. Therefore, AT&T emphasized again today the need for consumers and business owners to take appropriate precautions to protect themselves from fraud by using hard-to-guess voicemail system passwords and changing them frequently.
AT&T also noted the critical role manufacturers and providers of local-network-based voicemail systems must play in making their products more secure by requiring that appropriate passwords are used during the installation process.
AT&T continues to urge customers to remain vigilant and take all the necessary steps to secure their voicemail systems, premises systems and phone lines since they are in the best position to do so. AT&T recommends voicemail users do the following to avoid falling prey to similar hacking scams going forward:
Always change the default password provided by the voicemail vendor;
Choose a complex voicemail password, of at least six digits, so it would be difficult for a hacker to guess;
Don't use obvious passwords such as an address, birth date or phone number;
Change the voicemail password often, and
Check announcements regularly to ensure greetings are genuine.