Over the past year, a West Los Angeles couple received phone bills from MCI, their long-distance carrier, ranging from $462.84 to $3,510.70--the latter for 187 pages of calls they didn't make to Arkansas, California, Mississippi, Florida and New Jersey. "Our part," says the woman involved, "was $37.71, all from our phone number. The others had only an authorization code."
Compared to many accounts of such "toll fraud" in six figures, this particular episode was relatively modest in volume, if not annoyance value.
It's reminiscent of, but different from, the phone fraud of the 1960s, when "phone freaks" had "blue" boxes and "black" boxes that got them into the phone system free. Today's calls are often billed to existing customer accounts, and there are now more long-distance companies, more calling cards and more customer "authorization" codes, even within the same household. And while computers make it possible to commit bigger and better phone fraud--a half-billion dollars a year now--the industry has sophisticated ways to fight back.
Some of today's theft is the old-fashioned kind--a credit card, or one of the new travel card numbers, is stolen from the customer. Some get into the hands of thieves when they steal a wallet. Some are lost when customers leave their cards at pay phones. And with some, only the number is stolen, heard when the customer recites it to an operator or seen when he punches it in at a public phone.
But the bigger theft problem recently is of customer authorization codes--the numbers that customers use to make calls from home phones with touch tone. These, too, can be stolen from wallets and public places, but computers have revolutionized fraud.
Computerized thieves can stumble onto an active account by calling the carrier's general access number and then "automatically dialing combinations of digits," says Gary Tobin, MCI's director of public communications, "until they find one that works." Then, "once the code is developed," says Clo Fleming, manager of service security for U.S. Sprint, "it's disseminated," sometimes on electronic "bulletin boards" on which computer hackers communicate.
'Not Hurting Anybody'
Such thievery may spring from criminal minds, says Tobin, or simply from an attitude of "Gee, I'm not really hurting anybody." The latter seems concentrated in colleges and military bases, where the abusers, perhaps computer-equipped, are very "susceptible to peer pressure," says Gaston Sigur, a consultant for the Communications Fraud Control Assn. in Fairfax, Va., a year-old industry group established to share information about toll frauds and fraud control.
The stolen number may be widely disseminated, its ultimate users students, operators of telephone "boiler rooms," penitentiary inmates, "people of all professions and walks of life," says Fleming. "Some have no thought of criminality. It's just offered to them, maybe with the explanation that someone has 'bought blocks of time from telephone companies.' "
"Toll fraud" isn't victimless; such calls hardly travel "free," says Tobin, given the per-minute charges long-distance carriers must pay to local phone companies on each end of a call, the expenses of operating long-distance equipment and, with smaller companies, the cost of leasing facilities from the major carriers. The industry, which must make up such losses in their customer rates, is therefore prepared to pursue all such frauds.
It hasn't been easy. The various callers are identified not by the phone they use but by the punched-in code, which was stolen. At best, the particular code number, and the local access number used, may identify the region where the call was placed.
But industry members say there is emerging technology--that they prefer not to explain-- permitting better identification of the particular phone used. And they warn that they assiduously investigate the people receiving the calls, seeking indications that they were willing parties to the fraud and should share liability.
There are also some possible fraud discouragements. Consumers could exercise greater care in using the cards or the numbers within anyone's vision or hearing. Rotary phones could predominate in prisons, forbidding any use of codes at all.
The industry can also make it harder to "develop" usable codes by computer-dialing. Authorization codes could be lengthened, like some travel cards, which run to 14 digits: the more digits, the less chance of producing a successful combination at random. Carriers could be more careful to "take down" or retire codes that are no longer used, perhaps because the customer (like the West Los Angeles couple) was converted to direct-dial long-distance service and didn't need it.
The carriers themselves are now scanning the hacker's electronic bulletin boards. They're also establishing early warning systems that can monitor calling-card usage, drawing attention to an unusual level of activity on an account from one week to another, or even within a period of minutes.
"If a code is used 15 times in 15 minutes," says Sigur, "it could be someone calling a busy number over and over, or it could be abuse." They're also committed to prosecuting abusers, asking tough punishments that include restitution--from parents, if the abusers are kids, and even from people in jail, who must pay up very, very slowly.
The message to people "playing with the phone system," says Tobin, "is that they're really doing something they don't want to do and are going up against the FBI and the Secret Service, responsible respectively for interstate wire fraud and credit card fraud," not to speak of state and local authorities. Says Fleming: "It's nothing but a simple theft."