please pass this on it has been confirmed, page-2

  1. 4,756 Posts.
    Now here is the supposed "true" version of your story:


    Subject: New (?) Phone scam RESOLVED ("90# alert")
    From: [email protected] (David Spalding)
    Date: 1998/02/13
    Message-ID: <[email protected]>
    Newsgroups: alt.folklore.urban


    I think I've gotten to the bottom of this growing net rumor:


    >> ** High Priority **
    >>
    >> On Saturday, 24 January 1998, Naval Air Station, Joint
    >> Reserve Base, New Orleans' Quarterdeck received a telephone
    >> call from an individual identifying himself as an AT&T
    >> Service Technician that was running a test on our telephone
    >> lines. He stated that to complete the test the QMOW should
    >> touch nine (9), zero (0), pound sign (#) and hang up.
    >> Luckily, the QMOW was suspicious and refused. Upon
    >> contacting the telephone company we were informed that by
    >> pushing 90# you end up giving the individual that called you
    >> access to your telephone line and allows them to place a
    >> long distance telephone call, with the charge appearing on
    >> your telephone call. We were further informed that this scam
    >> has been originating from many of the local jails/prisons.
    >> Please "pass the word".


    Somehow this smelled like a net rumor, maybe even a hoax, since it
    follows the "Bait, Hook and Request" model that CIAC
    (http://ciac.llnl.gov/) identified in Internet virus hoaxes. I've
    started seeing this "90# alert" here on the ol' Internet, and it's
    also been circulating through some government offices with the
    authenticity of gospel.


    But, as already discussed here, there is some validity to the claim
    that some codes can cause a caller to access an outside line on a
    company's PBX system. I gave it some deeper inquiry.


    Earlier today (2/12/98), I discussed this alert with AT&T's Network
    Security office (800-337-5373, [email protected]), which is referenced
    in some versions. The specialist I talked to had heard of the rumor,
    but discounted its validity AS POSTED. He noted that it could
    conceivably be used against some common PBX systems. Here's how:


    On many PBX systems, 9 will access an outside line, 0 will
    request a local operator, and # ... well, most systems
    wouldn't know what to do with that #, so the call to the
    local operator would be CANCELLED. Soooo ... it's
    conceivable that calling someone on a PBX, and asking the
    recipient to hookflash, then dial 90#, will give the caller
    an outside dial tone. Yeeha, the caller can now make long
    distance calls that are charged to the hapless recipient.


    This, of course, would require that a) the recipient is on a
    PBX system that supports 9 for accessing an outside line, b)
    the default "9" outside line has long distance dialing
    privileges (some systems require a different code to get the
    LD carrier) and c) the recipient doesn't see through the
    obvious deception ("I'm an AT&T service technician, dial
    this code....") and just hang up.


    It's possible. It can be used as a scam. But the net rumor infers that
    this "90#" code works anywhere. It just ain't so. Dialing 90# on a
    home phone won't do squat. As to whether the calls are typically
    originating from jails, AT&T's rep asserted that it's rarely
    possible for a convict to pull such a scam.


    I then called the Naval Air Station quarterdeck in New Orleans. The
    petty officer who was manning the watch cheerfully confirmed that
    they had a clearly posted warning at the desk matching the quoted text
    above almost word for word. Almost. He also looked up his log for 24
    January 1998, and confirmed that the duty watchstander HAD received a
    suspicious call. But the text he read me had one critical element
    missing from the net posts that I've seen ... I'll simulate the
    omission here:


    >> Service Technician that was running a test on our telephone
    >> lines. He stated that to complete the test the QMOW should


    [snip] "touch the LINE key [for an outside line], then" [snip]


    >> touch nine (9), zero (0), pound sign (#) and hang up.


    This procedure COULD give the caller an outside line on the base's
    phone system. What a surprise. But if the petty officer's account is
    correct, the caller would seem to have known what kind of phone system
    was installed there.


    So the bottom line is that this warning has some validity for certain
    PBXes, but no way near the "alarm factor" danger for any and all phone
    systems. Your office or institution phone system may be vulnerable to
    this technique, or this kind of technique, or even some form of
    "social engineering" scam for abusing phone systems. But, folks, your
    home phones are safe from danger. As Rob Carlson posted here, "Being
    able to use one single sequence on the variety of phone switches is as
    silly as expecting to run Intel machine code on a SPARC."



    David "Every administration needs a loyal opposition" Spalding


    I cover net hoaxes and scams regularly on my web site.
    208.5.19.35/virus/hoax.htm. Visitors are always welcome. :)


    "The secret of success is sincerity. Once you can fake that,
    you've got it made." -- Jean Giraudoux
    ------------------------------------------------------------------
 