Geekzone: technology news, blogs, forums
Reply # 295823 3-Feb-2010 20:11

jpollock: 1) Fails a reasonableness test. Is it reasonable that the Telco is profiting from someone who _STOLE_MONEY_FROM_ME_? Talk about an incentive to not investigate!
2) Isn't handled that way in other vendor/customer situations.


Credit card companies don't, power companies don't, health insurers don't, banks don't.

I don't completely agree.

The telcos certainly should implement protection for themselves, i.e. a bill 10X the norm should not be allowed; as maverick has said, at least one telco implements credit control to protect itself from this and avoid not getting paid.

However, I still take the view that the customer left themselves vulnerable.  I don't blame Toyota if I leave my car unlocked with the keys in it and it is stolen; and I don't blame my bank if I leave my ATM card with PIN written on it lying around and all my money is withdrawn (especially as I only get a bank statement once a month).

I can sympathise with the customer and I am sure the telco will come to an agreement with them, but they failed to adequately protect themselves, and that is not the telco's fault.

Reply # 295927 4-Feb-2010 07:46

Those are all bad analogies. :)


They all involve direct theft by the criminal from the victim.  These thefts are international, indirect, facilitated by the network the carriers have designed, and _rely_ on the carrier collecting the stolen money from the victim.


I'm not sure a better analogy can be constructed, but I'll try.


Consider a situation where the criminal can steal money from you through an intermediary.  I guess credit cards are the best analogy, because what these criminals are really stealing from you is your authorization to incur charges with the phone company.


Credit card companies were forced to absolve individuals from liability in the event of theft, and to keep them relevant on the Internet, they had to protect all losses due to fraud as well.  I'm not sure how much of that is legislated, and how much is market driven.


The only difference between the CC and my phone is that the authorization on my home phone is limited to calls. My mobile phone has a much broader authorization, and is able to purchase movies, TV shows, parking, drinks, and if NFC takes off, much much more.


Remember the howls of protest when banks tried to limit their liability in the event that a customer's account was hacked through a keylogger? We're just not as concerned about PBX fraud because it is a company that has been attacked (although they're being hit by banking keylogger attacks for the same amounts, 100k+).


The tune will very quickly change as more people use VoIP endpoints with CPE, like WorldXChange.  The first customer that has their Linksys endpoint hacked and used as a transit point for a VoIP termination fee scam will scream bloody murder.


As I think about it, it all comes down to trust.  The problem is that these authorizations are currently blanket, unlimited authorizations.  No one ever wants a blanket authorization.  That's what leads to the huge mobile roaming data bills, and enables all of this fraud.  EFTPOS cards have both hard and soft limits (2 daily limits, and then limited by the balance), Credit Cards also have soft and hard limits (fraud detection and balance).  Why doesn't my phone account - something which is susceptible to the same frauds?


While the libertarian in me is saying "Dude, you signed the contract, take it like a man", my sense of fair play is screaming out, "Why is my phone company collecting money for a thief?  Why are they making a profit from a crime?".




Reply # 295990 4-Feb-2010 11:19

I didn't think the analogies were that bad - OK, maybe you left your Toyota sitting in the dealership's carpark unlocked (whilst knowing that it's not a good idea to leave it unlocked and the dealership suggesting it be locked) and it then got stolen from their carpark.


I do sympathise with whoever is affected by PBX fraud, but at the end of the day they have an unsecured phone system attached to a public network and therefore they (or the provider who implemented it) are responsible for it and the activity on it. It's all like trying to make the ISPs responsible because Jonny is illegally downloading music via them.


I would hope that a Telco would not use this sort of situation to profit, but it has to be remembered that they've incurred costs from the fraud (billed by overseas telcos or whatever) and therefore they have to try to recover that money from someone. Yes, in a totally fair world the overseas Telco/service they've had to pay the money to would help track down those responsible and recover the money, but the reality is that's not likely to happen and therefore the NZ Telco has to recover what they can - and that will be from the customer. I imagine that the systems used to detect unusual activity are quite expensive, so it may not be realistic to expect every Telco to have such a system, especially if it is a Telco who offers services for a lot less than the big boys... as that is where the savings come from - not buying expensive management systems.


Two sayings come to mind - "Let the buyer beware", and "You get what you pay for".

Reply # 296052 4-Feb-2010 14:02

As a side note Mycenius, I would be interested to hear what feedback you do get from consumer rights groups, so I wouldn't mind seeing how you turn out with the outcomes...

I think a lot of people will be interested in the proceedings and outcomes, especially since there are some pretty polarised views.




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well ;)

https://www.facebook.com/wxccommunications



Reply # 296068 4-Feb-2010 14:32

Hi Maverick - no worries. I will try and follow up with any further info when (and if) available.

As mentioned, at the end of the day it's certainly not about bagging any telcos specifically or anything - it's more about what a customer could or should be able to expect as reasonable support/pro-active assistance. The case I have had experience with has seen the Telco be pretty helpful and understanding after the event (i.e. with the costs & such like).

I'm just still a bit bemused there was no rudimentary warning 'at the time' when the activity and account charges went unnaturally through the roof, not necessarily immediately but even after 1-2 weeks of the activity, when there had been nearly a year's worth of costs on the account in under 14 days...

Reply # 296070 4-Feb-2010 14:37

keewee01: 
I didn't think the analogies were that bad - OK, maybe you left your Toyota sitting in the dealership's carpark unlocked (whilst knowing that it's not a good idea to leave it unlocked and the dealership suggesting it be locked) and it then got stolen from their carpark.



I think you need to try harder.  The dealership isn't profiting from the theft.


How about, you have just bought the car, and signed the loan papers.  Before you can walk out the door, the car is stolen off of the lot.  The dealer then turns to you and says, "Pay up. 100% now, because the asset is no longer available to cover the loan."


Not only that, but this is a repeated occurrence across multiple dealerships.


Yeah, that's a good car analogy.




Reply # 296080 4-Feb-2010 14:57

And you know that the Telco is profiting from it? (I would expect them to have some profit on it, but not grossly.)

The majority of what they will be asking the customer for is not for themselves - they are passing on a charge which has been levied against them by someone else!!! Don't forget that. Your comments suggest that the entire amount being asked for by the Telco is going straight into their coffers as profit, and this is simply not true. Telecom, by wiping lots of dollars in the cases that involve them, are taking a big financial hit (mind you, they can afford to). A lot of other companies can probably not afford to, as the margins are slim as it is.


Reply # 296094 4-Feb-2010 15:32

jpollock:

How about, you have just bought the car, and signed the loan papers.  Before you can walk out the door, the car is stolen off of the lot.  The dealer then turns to you and says, "Pay up. 100% now, because the asset is no longer available to cover the loan."


Yeah, that's a good car analogy.


It's all good because he had to get insurance before he was able to purchase the car ;), and I bet he will have no problem demanding the money off the insurance company as he has to pay the car dealer... thank god for insurance.

sorry just a bit of humour to a serious subject 





Reply # 296109 4-Feb-2010 16:00

Most of the end users HAD been previously warned of this fraudulent activity.

It was up to THEM to take the necessary preventative action.

If they didn't, they can hardly cry "help" to their telco.

Reply # 296114 4-Feb-2010 16:22

keewee01:

The majority of what they will be asking the customer for is not for themselves - they are passing on a charge which has been levied against them by someone else!!! Don't forget that. Your comments suggest that the entire amount being asked for by the Telco is going straight into their coffers as profit, and this is simply not true. Telecom, by wiping lots of dollars in the cases that involve them, are taking a big financial hit (mind you, they can afford to). A lot of other companies can probably not afford to, as the margins are slim as it is.




I never claimed it was all the telco's profit.  Are they profiting?  Yes, absolutely, definitely, 100%.  


Most vertically integrated telcos will be able to hide profits in other divisions.  Although, "hide" implies conscious effort, which isn't warranted.  For example, would TNZ be removing the charge for crossing the Southern Cross cable from the fee?  No?  Then they've just profited from the fraud.  If not them, then the carrier that they are using for international interconnection (who is their supplier).


I would expect that all carriers have in their agreements the ability to dispute charges.  Otherwise, they end up being open to some serious fraud along the lines of the current sales tax frauds that are happening in Europe.


Make no mistake, carriers are making money on these frauds.  It's not all going to the thief, just the same as the SMS scams on Vodafone.


As for the car analogy, you don't have to take fire and theft insurance (might be different on a lease/loan?), so :P







  Reply # 297337 9-Feb-2010 11:05

http://www.theregister.co.uk/2.../

By Dan Goodin in San Francisco
The Register
3rd February 2010

A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing them through the networks of telecommunications companies.

Edwin Andrew Pena pleaded guilty to two felonies in connection with the hacking spree, which spanned the years 2004 through 2006, according to court documents. He was apprehended last year in Mexico after skipping out on a $100,000 bond secured by the mother of his then girlfriend.

Pena appeared in US District Court in New Jersey on Wednesday and pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14.

Pena and cohort Robert Moore were arrested in June 2006 and accused of carrying out an elaborate scheme that routed more than 10 million minutes of VoIP calls over the networks of a dozen or so telecommunications providers without their permission. They breached the networks by using brute-force attacks that deduced the security telephone prefixes needed to gain access.




Sniffing the glue holding the Internet together

Reply # 297362 9-Feb-2010 12:50

barf: http://www.theregister.co.uk/2.../

By Dan Goodin in San Francisco
The Register
3rd February 2010 

Pena appeared in US District Court in New Jersey on Wednesday and pleaded guilty to wire fraud and conspiracy to commit wire fraud and unauthorized access to a protected computer. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14.  



Now if he had done it in NZ he would have got community service or home detention at worst..




Regards,

Old3eyes

Reply # 298737 13-Feb-2010 22:04

Nahh, if he did it in NZ he would have a job offer ;)




Richard rich.ms

Reply # 299795 17-Feb-2010 14:36

Info released today

17-02-2010

New Zealand targeted for PBX fraudulent hacking attempts 



What's happening?

Telecom's internal fraud team have confirmed that New Zealand is seeing an increased number of fraudulent hacking attempts into unsecured customer PBXs. We're advising you to contact your customers immediately to ensure their PBXs (traditional or IP) are appropriately secured.

What are the details?

We've been advised by Telecom's fraud team of an increased frequency of fraudulent hacking attacks on wholesale and retail customer PBXs. These types of attack are seemingly cyclical, with New Zealand last targeted on this scale two years ago. However, hacking into customer PBXs can happen at any time.

We recommend that you contact your customers immediately and highlight the risk of fraudulent attacks on unsecured PBXs. Most customer PBX maintenance contracts include a 'fraud/audit service', and the audit will check for unsecured voicemail boxes, maintenance ports, the use of manufacturer default passwords from factory settings (many of which are readily available to hackers online) and DISA lines (Direct Inward System Access).

You can also check your daily CDR reports for any unusual activity or calling patterns which may indicate fraud on your end users' PBXs.




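The advisory's suggestion to read the daily CDR reports for unusual calling patterns, together with the hard/soft account limits jpollock asked for earlier in the thread, worked through as an added Python example (not from the thread, Telecom or any telco's system; the CDR layout, phone numbers, costs and thresholds are constructed):

```python
"""Flag toll-fraud indicators in a daily PBX CDR export.

Added example, not from the Geekzone thread or any telco's tooling. The CDR
layout "YYYY-MM-DD HH:MM,extension,dialled_number,duration_s,cost_nzd" and
the thresholds (3x/10x baseline, 22:00-06:00, 3 repeats) are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one ordinary day, then a night of back-to-back international calls.
SAMPLE_CDR = """\
2010-02-01 09:12,201,093210000,180,0.30
2010-02-01 10:45,203,0211234567,60,0.45
2010-02-01 14:20,201,0061298765432,90,0.45
2010-02-02 02:14,299,0088213012345,1800,45.00
2010-02-02 02:15,299,0088213012346,1800,45.00
2010-02-02 02:16,299,0088213012347,1800,45.00
2010-02-02 03:40,299,0088213012348,1800,45.00
2010-02-02 04:05,299,0088213012349,1800,45.00
"""

def parse_cdr(text):
    """Parse the constructed CDR format into a list of call records."""
    records = []
    for line in text.strip().splitlines():
        when, ext, number, secs, cost = line.split(",")
        records.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                        "ext": ext, "number": number,
                        "secs": int(secs), "cost": float(cost)})
    return records

def daily_spend(records):
    """Total call cost per calendar day (ISO date -> NZD)."""
    spend = defaultdict(float)
    for r in records:
        spend[r["when"].date().isoformat()] += r["cost"]
    return dict(spend)

def spend_alerts(spend, baseline, soft=3.0, hard=10.0):
    """Soft/hard limits as multiples of the customer's normal daily spend:
    'soft' -> notify customer and fraud desk; 'hard' -> suspend toll calls."""
    alerts = {}
    for day, total in sorted(spend.items()):
        ratio = total / baseline
        if ratio >= hard:
            alerts[day] = "hard"
        elif ratio >= soft:
            alerts[day] = "soft"
    return alerts

def pattern_alerts(records, night=(22, 6), repeats=3):
    """Cost-independent indicators: international (00-prefixed) calls outside
    business hours, and repeated calls into a single overseas prefix."""
    reasons = []
    intl = [r for r in records if r["number"].startswith("00")]
    after_hours = [r for r in intl
                   if r["when"].hour >= night[0] or r["when"].hour < night[1]]
    if after_hours:
        reasons.append(f"{len(after_hours)} international calls between "
                       f"{night[0]:02d}:00 and {night[1]:02d}:00")
    for prefix, n in Counter(r["number"][:5] for r in intl).items():
        if n >= repeats:
            reasons.append(f"{n} calls into international prefix {prefix}")
    return reasons

if __name__ == "__main__":
    calls = parse_cdr(SAMPLE_CDR)
    spend = daily_spend(calls)
    # Day one is the baseline; day two is 187x it -> {'2010-02-02': 'hard'}
    print(spend_alerts(spend, baseline=spend["2010-02-01"]))
    print(pattern_alerts(calls))
```

Run against a real export, the baseline would come from the customer's trailing average rather than a single day, and a hard alert would trigger the credit control the thread says at least one telco already applies.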

Reply # 299823 17-Feb-2010 16:00

It's certainly a timely reminder especially if you're running Asterisk as well.

If you're not running something like fail2ban you should be.

Do not allow anonymous inbound SIP connections unless you truly understand the security implications of doing this. Also make sure all extension passwords are secure; ultimately they should be locked down to your local network unless you need to use a remote extension.

If you want to really lock things down you could also lock down inbound SIP traffic on port 5060 to the IP address of your VoIP provider. This isn't without its possible issues (i.e. your provider could change IPs) but means nobody can connect via SIP to your box.
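The Asterisk settings the post describes, written out as an added sip.conf fragment for chan_sip (not from the thread or the Asterisk project). The LAN range 192.168.1.0/24, extension 201, the secret and the context names are placeholders; the firewall rule for UDP 5060 the post mentions sits outside this file.

```ini
; sip.conf (Asterisk chan_sip) -- added example, not from the thread or the Asterisk project.
; Each weak setting is noted as a comment next to its hardened value.

[general]
; WEAK: allowguest=yes (the old default) lets unauthenticated callers reach the dialplan
allowguest=no
; Answer a wrong password and an unknown extension identically, so valid
; extensions cannot be enumerated before the password guessing starts
alwaysauthreject=yes
; Placeholder: any guest call that does get through lands in a context that has
; no outbound trunks (define it in extensions.conf with only Congestion())
context=no-trunks

[201]
type=friend
host=dynamic
; WEAK: secret=201 or a four-digit PIN; use a long random secret per extension
secret=REPLACE-WITH-LONG-RANDOM-SECRET
; Placeholder context: extensions only get the dialplan they need, so
; international routes live in a separate context granted explicitly
context=internal-local-only
; Lock the extension to the LAN, as the post recommends; a remote extension
; gets its own explicit permit line instead of opening this up
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
```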
