So, I used the phone card, and tried to call someone about an apartment that looked great. According to the advertisement, it was a woman that owned the apartment and she had an extra bedroom she was renting. I called, and a man answered. It went like this...
Me: Hi, I was calling about your apartment for rent online.
// Dogs barking in the background fairly loudly.
Him: Sorry, what was your name?
Me: John Doe
Him: It's difficult to hear, could you hold on a moment?
// He puts down the phone, and it sounds like he's taking the dogs outside or to another room. In the background a TV is playing. I'm getting annoyed, but he finally returns 4 or 5 minutes later.
Him: Are you still there?
// A woman starts talking to him from inside the house.
Him: Sorry, just give me one more moment.
// He starts talking and arguing with her. I wait two minutes, then hang up.
After the call, I was frustrated. The apartment sounded great online, but what a nightmare; dogs barking, people yelling at each other, and they wasted 10 minutes of my time. So, I moved on, and tried calling others. Sometimes I'd get through to the person, sometimes I'd get errors about not being able to reach the number. Fast forward a week, I changed my plans, and started looking at apartments in another Australian city, hundreds of kilometers from the first. I call for an apartment, and guess what I hear? That's right, the same recording from above. Now, I was confused. I didn't even expect it was a recording the first time. But, how was I getting the recording from a completely different number, in a different city? I called back, because I was getting curious at that point. To my surprise, someone answered the second time, and it was actually the person from the advertisement I was trying to call. It became obvious at that moment that someone in the middle was hijacking calls, and trying to keep people on the line as long as possible.
It's meant to keep telemarketers on the phone and waste their time, but it sounds like someone was using something similar for international phone fraud.
That's all of them (if the marketer stays on long enough).
For instance, when a call is made, add a certain number of seconds to the call amount at the end of a call.
So if you add 5 seconds to a call and are doing 6 second billing, then on average about 84% of customers will be charged an extra increment of time. Who keeps track of their calls to such an exact time? Nobody.
I used to buy phone cards to call home in Australia long before online calling was available. Wasted far too much money on it. I'm glad it's a thing of the past.
The cheekiest example I've seen was great in its own way: it defined an advertised minute as being 55 seconds long.
I wonder how dodgy these phone card companies actually are. You could target a specific demographic and then mess with any calls to places they're unlikely to dial.
Say you were doing it and selling the cards in British corner shops. The customers are most likely going to be calling Eastern Europe and South Asia. They're probably not going to be making many calls to the US, so you can mess with some percentage of those.
Incidentally, a friend once got "Microsoft" on the line and they gave a return number. Curious, I called it. "Microsoft" answered. Quick as a flash I said "I don't have much time, they're on to us!"
They were unfazed. Until I abruptly disconnected, then called Crime Stoppers and then conference called them in. Crime Stoppers were very unhappy with me for doing so, but after that call I waited 5 minutes then called the original number. It was disconnected!
It made me long for some sort of professional association that kept track of naughty uses of technology. It's easy to think only about the happy path. But there are all sorts of unsavory people out there: abusers, mobsters, thieves, authoritarian governments. Once I know how they think, I can defend against them. But keeping up with how they think has always been a challenge for me.
That is 100% the case, at least in the US, for card-not-present (online, phone, etc.) transactions.
The credit card companies have zero liability for fraud in those cases...the liability is 100% on the merchant seller. In fact, the CC companies collect a non-trivial chargeback fee, so they arguably profit from the fraud.
Predictably, since they have zero risk, they provide almost zero fraud protection for sellers. For example, if they changed the system to accept data like "shipping address vs just billing" or "ip address", they could use their aggregate view to squash A LOT of fraud.
It's win-win either way for the credit card network.
The quality of a real anti-fraud solution, if it were to include all data, could be amazing.
Which is why it pisses me off when a company deploys insecure software or hardware, claiming that network security is the customer's responsibility.
So my home network should be reasonably secure, so that it doesn't become part of a bot net. Which means that I have to, or should, become at least knowledgeable enough to know what to buy, what to do, and what not to do. Which means that my router vendor better step up and sell me something secure.
Is it the responsibility of end users to submit bug tickets? I think it is.
Is it the responsibility of end users, or the vendors receiving reports, to publish discoveries of exploits in the wild? I think it is.
Is it the responsibility of a pedestrian who notices a skateboard on the sidewalk to move it aside and upside down so no one does a splat fall? I think it is.
We're all in it together.
If you're processing credit cards online, you should be using some sort of fraud detection, like MaxMind's minFraud or something like it.
Tl;dr you are on your own!
Businesses with high fraud numbers will get axed by Visa.
Margins in telecom can be super thin. Diverting, say, 1% of traffic to fake answering could mean increasing profits by 10%. If the scammer doesn't go overboard, users won't complain. They'll just say "the wires got crossed" and redial.
If you dial via a calling card, everything goes through their proxy before being handed off.
I've run into problems with services like Telegram not accepting my Google Voice number (my own real US number) and the recent NIST recommendations also state not to use SMS as 2-factor verification (citing VoIP concerns).
We have TLS/LetsEncrypt/etc to verify we're talking to who we think we're talking to on the Internet, but phone networks come from a previous era.
I worked for a telco once in one country where if they no longer held a phone number (it got ported to another network), we just sent it to all the other providers. The network that currently held the number would relay it and the others dropped it. I actually wrote the job to actually compare the ported number list and only forward to the right destination. Telecom is janky as shit.
I'm not convinced that this is the case - I'd imagine there are a number of calling cards that terminate a POTS line to a VoIP device in the US and then VoIP out for vastly cheaper international calling.
We had a few local clients with slightly complicated setups, so we got to implement some matching logic for Call Data Records. Their local end had three switches attached to external trunks (to other carriers) and trunked to each other, and a few digi-boxes which voiped to (say) Afghanistan (telcos always use Afghanistan for examples, since it's the first country in the price sheet).
They would list a cheap per-minute price to +93, accept incoming calls & terminate them at the digi-box (closing the CDR & generating a revenue event). The remote digi-box would then start a new outbound call (and CDR) from their partner's facility and (hopefully) get to a subscriber line without going through too many carriers.
The trick (and we never asked or found out) is that most of the time the remote digi-box is actually a carousel of SIM cards with unlimited local calls. The carousel is used to automatically distribute the calls over the SIMs to impede fraud detection by the mobile carrier.
These setups are pretty common & are called grey routes.
I have seen this in action ... I was working late at night in our (rsync.net) Zurich datacenter and there was a man who had a very tall stack of SIM cards that he was punching out and inserting into these long PCI cards ... I couldn't not ask him what he was doing.
He was a little cagey about it, but I got the general idea (thanks, Swiss folks, for all speaking English!).
The thing I don't understand is, to whatever degree running all those cards through a single SIM is a fraud alert, then I would think running all of those calls through a single tower would be an even bigger fraud alert. And yet, that doesn't seem to be a problem.
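As an added illustration of the SIM-carousel and "single tower" points above (constructed example code, not anything from the commenters or their employers): a carrier-side heuristic over synthetic CDRs that flags SIMs which only originate calls, never move off one cell, and dial almost entirely distinct numbers, then groups the hits by serving cell so the carousel shows up as a cluster rather than as isolated SIMs. Field names, thresholds and the sample records are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Cdr:
    imsi: str       # subscriber identity on the SIM (constructed values below)
    direction: str  # "MO" = mobile-originated, "MT" = mobile-terminated
    cell_id: str    # serving cell at call start
    callee: str     # dialled number (constructed digits)
    seconds: int

def sim_features(records):
    """Per-SIM counters that separate a termination box from a human subscriber."""
    by_imsi = defaultdict(list)
    for r in records:
        by_imsi[r.imsi].append(r)
    feats = {}
    for imsi, rs in by_imsi.items():
        mo = [r for r in rs if r.direction == "MO"]
        feats[imsi] = {
            "calls": len(rs),
            "mo_share": len(mo) / len(rs),                  # box: ~1.0, it never answers
            "cells": len({r.cell_id for r in rs}),          # box: 1, it never moves
            "callee_spread": len({r.callee for r in mo}) / max(len(mo), 1),  # box: ~1.0
            "cell": Counter(r.cell_id for r in rs).most_common(1)[0][0],
        }
    return feats

def flag_sim_boxes(records, min_calls=20, min_mo_share=0.9, min_spread=0.8):
    """Return {cell_id: [imsi, ...]} for cells hosting >= 2 box-like SIMs.
    Grouping by cell is the 'single tower' signal: a carousel spreads calls over
    SIMs, but every SIM in it still lights up the same cell."""
    suspicious = defaultdict(list)
    for imsi, f in sim_features(records).items():
        if (f["calls"] >= min_calls and f["mo_share"] >= min_mo_share
                and f["cells"] == 1 and f["callee_spread"] >= min_spread):
            suspicious[f["cell"]].append(imsi)
    return {cell: sorted(sims) for cell, sims in suspicious.items() if len(sims) >= 2}

def constructed_cdrs():
    """Synthetic CDRs: a four-SIM carousel on cell C7 plus two ordinary subscribers."""
    recs = []
    for s in range(4):                       # carousel SIM s takes every 4th call
        for i in range(s, 120, 4):
            recs.append(Cdr(f"BOX{s}", "MO", "C7", f"93700{i:06d}", 90 + i % 60))
    for i in range(30):                      # normal users answer calls and move around
        recs.append(Cdr("USER1", "MO" if i % 2 else "MT", f"C{i % 3}", f"4179{i % 5:07d}", 120))
        recs.append(Cdr("USER2", "MT", "C7", f"4178{i:07d}", 60))  # near C7, only receives
    return recs

if __name__ == "__main__":
    print(flag_sim_boxes(constructed_cdrs()))   # {'C7': ['BOX0', 'BOX1', 'BOX2', 'BOX3']}
```

USER2 sits on the same cell as the carousel but is never flagged, because the heuristic keys on call direction and callee spread, not on the cell alone.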
Specifically in Switzerland and Germany, call termination costs are a great deal higher; where I'm paying 0.0014/min avg in North America, I am paying a few multiples of that minimum in either country.
The companies themselves have little incentive to change things if it costs them money to do so and there's limited downside for doing nothing.
The free phone conference services are terminated at tiny little telcos that charge a much higher than normal fee for a North American long distance call, and the fee is split between the conference service operator and the telco (which may or may not be the same).
Some of these services cannot be dialed via some VoIP providers (like Google Talk) for that reason.
I always knew this was the case, but I was never really bothered by it. Both the law (see intercarrier compensation) and the subsequent ban make sense.
However, I've recently run into a rash of people who I can't call because my carrier and Google Voice block their numbers. Each of them has a Puerto Rican area code. They are all cell phone numbers, they all live in Chicago like me, but I can't call or text them because their phone number is Puerto Rican. It doesn't make any sense, because Puerto Rico is a part of the United States, we are both in the US, and we each ostensibly have US phone numbers.
PR is an unincorporated territory, i.e., not part of the United States.
It's really a colony; unlike US states it isn't a sovereign entity unto itself, and is essentially at the mercy of Congress with respect to self-governance and other things.
Puerto Rico is a territory of, and subject to the jurisdiction of, the United States.
Most of the hackers I know gave up on Phreaking once hacking became popular in their circles. To me, there will always be something more fascinating about the telephone infrastructure.
It feels magical to know that the same transport that delivers the sound of your voice was susceptible to tampering and rerouting by other sounds.
This is something other than phreaking, imo. It's straightforward service fraud and hacking. Bearer and signal have been divorced. The attacker has to get privileged access to a network that is generally not accessible to the public. Phreaking was neat because literally anyone could do it if they knew about the methods.
Knowing the methods used here isn't enough. You need to get on the trusted SS7 network and have a roaming/interconnect agreement to start doing really interesting things.
Any sites you'd suggest?
That should give you a good head start...
I read all this as a kid... :)
http://explodingthephone.com/ (audiobook also available)
With so many frauds and crimes, corporate death sentences should be available for extreme, large or persistent cases.
These rates are passed up the carrier chain until they reach the caller's main carrier. If international calls are covered in the caller's contract, the carrier picks up the tab. If not, the caller is charged int'l rates for simply listening to a recording.
There should be some way for the main carriers to identify and block these shady "last stop" telcos but it seems as if they have no incentive to as they are probably cheaper to partner with than reputable carriers, and the customer ultimately pays the fee in one form or another.
My phone call [to a disconnected number] never actually made it to Cuba. The fraudsters make money because the last carrier simply pretends that it connected to Cuba when it actually connected me to the audiobook recording. So it charges Cuban rates to the previous carrier, which charges the preceding carrier, which charges the preceding carrier, and the costs flow upstream to my telecom carrier. The fraudsters siphoning money from the telecommunications system could be anywhere in the world.
I don't think this is right. I think the compensation difference has more to do with investor money, addressable market, culture etc.