Hacker makes costly calls

Enlarge Image 

DAVID LIPNOWSKI / WINNIPEG FREE PRESS Alan Davison with a 50-page phone bill from MTS, detailing hundreds of calls to Bulgaria he never made.

Alan Davison, who owns HUB Computer Solutions, noticed something was wrong when "feature 36" -- a message unknown to him -- kept popping up on his phone.

He called MTS and found that hundreds of calls were recently made to Bulgaria, racking up $52,321.14 in overseas long distance due Jan. 5.

"If I have to pay that whole bill out of my own pocket, I'm looking at having to lay off one of my employees," Davison said. "It's quite obvious something was right out of whack. There were hundreds of phone calls."

The MTS representative sent Davison an e-mail outlining how to protect his company from theft of long distance.

Davison also reported the phone bill to the MTS fraud department.

MTS spokesman Greg Burch couldn't confirm the details of Davison's case Wednesday night. Burch said generally MTS will accept responsibilty if fraud involves their equipment.

"If there is an instance of fraud, we're going to take a look at that and that might include reducing or eliminating the charges," Burch said. "If it's an instance where it's your own equipment, you've purchased third-party equipment, you're responsible for that equipment and for securing that equipment."

Unfortunately for Davison, his company owns the phone system. But, he pointed out, his system has industry-norm safeguards in place and he feels MTS should have notified him when his phone bill suddenly soared beyond its normal pattern.

A hacker gained access to Davison's company voice mail and used the outbound transfer option to place hundreds of phone calls between Nov. 21 and Dec. 9.

Davison has a four-digit password on the voice mail. That doesn't stop professional hackers, said Brett Rhodes, an expert in the field who runs SME Teleresources Inc. in Winnipeg.

"Some of these people are very, very knowledgeable in the area and over time they are pretty good at running different passwords," Rhodes said. He added that hackers don't gain access to company voice mails necessarily to avoid large long distance bills. They often use a company's phone system to avoid being tracked by the police, he said.

"It becomes difficult to trace the call back. Anyone looking at that call would think that call came from HUB Computers," Davison said. "If there was any surveillance by law enforcement, it would not be traced back to the origin."

Davison brought Rhodes into his business on Dec. 15 to look at the voice-mail system's security. Rhodes said a good safeguard is to block any overseas calling and prohibit outbound transfers.

"In this era where we are carrying so many passwords in our head for ATM cards, Internet access, a lot of people go to a very simple password on their voice mail box not realizing there are people who have nothing better to do than dial in and break into mailboxes," Rhodes said.

While Davison had a password on his voice mail, he didn't even know the other options existed. He said that MTS should make their clients aware of the safeguards and that phone fraud exists.

"If the police know there are certain types of thefts going on in a neighbourhood, they make the neighbourhood aware," Davison said. "I don't think MTS stepped up to the plate and did their due diligence and gave notice to the community this was happening."

Davison is also shocked that, when his bill skyrocketed from only a few hundred a month to more than $52,000, MTS didn't notify him.

Credit card companies will usually call clients if out-of-the-ordinary charges show up, he noted.

"Why don't they have a system in place that will flag a company that doesn't make overseas calls that all of a sudden makes $52,000 worth?" Davison asked. "What's really getting me is that I know of at least one other company in town that had the same thing happen to them a few months ago."

Burch said MTS doesn't have the resources to monitor billing like a credit card company does when large purchases are made.

"It's not always possible to track everyone's billing and make determinations about what may or may not be going on," Burch said. "I'm not going to dispute this person didn't make these calls, but speaking generally, we're just not in a position to monitor everyone's minute-to-minute billing."

meghan.hurley@freepress.mb.ca

Republished from the Winnipeg Free Press print edition December 18, 2008 A4