I Dialed a Wrong Number and Stumbled into International Phone Fraud (theatlantic.com)
453 points by nols on Dec 2, 2016 | 107 comments

I have a related story. I was in North America, looking for an apartment in Australia. At the time I'd buy phone cards for long distance calls, and they'd always work fine.

So, I used the phone card, and tried to call someone about an apartment that looked great. According to the advertisement, it was a woman that owned the apartment and she had an extra bedroom she was renting. I called, and a man answered. It went like this...

Him: Hello

Me: Hi, I was calling about your apartment for rent online.

// Dogs barking in the background fairly loudly.

Him: Sorry, what was your name?

Me: John Doe

Him: It's difficult to hear, could you hold on a moment?

Me: Sure

// He puts down the phone, and it sounds like he's taking the dogs outside or to another room. In the background a TV is playing. I'm getting annoyed, but he finally returns 4 or 5 minutes later.

Him: Are you still there?

Me: Yes

// A woman starts talking to him from inside the house.

Him: Sorry, just give me one more moment.

// He starts talking and arguing with her. I wait two minutes, then hang up.

After the call, I was frustrated. The apartment sounded great online, but what a nightmare; dogs barking, people yelling at each other, and they wasted 10 minutes of my time. So, I moved on, and tried calling others. Sometimes I'd get through to the person, sometimes I'd get errors about not being able to reach the number. Fast forward a week, I changed my plans, and started looking at apartments in another Australian city, hundreds of kilometers from the first. I call for an apartment, and guess what I hear? That's right, the same recording from above. Now, I was confused. I didn't even expect it was a recording the first time. But, how was I getting the recording from a completely different number, in a different city? I called back, because I was getting curious at that point. To my surprise, someone answered the second time, and it was actually the person from the advertisement I was trying to call. It became obvious at that moment that someone in the middle was hijacking calls, and trying to keep people on the line as long as possible.

Have you heard of the "It's Lenny" bot?

It's meant to keep telemarketers on the phone and waste their time, but it sounds like someone was using something similar for international phone fraud.

Great link, although Lenny has now wasted my time too.

Similar and much more polished is the Jolly Roger Telephone Company: http://www.jollyrogertelco.com

Goldmine. I just listened to a call where Lenny put the telemarketer on hold for a 2nd time to quiet his ducks. It's amazing how getting telemarketers to repeat themselves for the fifth time to a bumbling old man really takes the optimism out of their voice.

> Lenny put the telemarketer on hold for a 2nd time to quiet his ducks

That's all of them (if the marketer stays on long enough).

This makes me want to create an Eliza implementation that's optimized to waste as much telemarketing time as possible. All that would be needed is a phone that lets you write your own telephony application and use it to answer calls.

A friend who is in the voip business said that the calling card companies can buy software to manage the billing. In the billing software itself is a tunable to determine how much fraudulent charges to add to each call.

For instance, when a call is made, add a certain number of seconds to the call amount at the end of a call.

So if you add 5 seconds to a call and are doing 6 second billing, then on average about 84% of customers will be charged an extra increment of time. Who keeps track of their calls to such an exact time? Nobody.

Sounds like a real life variant of redirecting the cents hidden by rounding.

I created an account to reply to you. This happened to me as well! Literally the exact same thing. The dog, the man, the argument, everything. Thought I'd dialled the wrong number.

I used to buy phone cards to call home in Australia long before online calling was available. Wasted far too much money on it. I'm glad it's a thing of the past.

I'm surprised they bother when the scams cheap cards pull are often waaaaay easier.

The cheekiest example I've seen was great in its own way: it defined an advertised minute as being 55 seconds long.
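The two billing tricks described in this thread (a tunable that pads each call by a few seconds before it is rounded up to the next 6-second increment, and a card that defines an advertised "minute" as 55 seconds) can be checked rather than taken on faith. The following is an added example, not code from anyone in this thread or from any calling-card vendor: it models a tariff, computes the share of call durations that pick up an extra increment from padding, and estimates the hidden padding from a constructed set of records pairing the duration measured on the caller's own equipment with the duration billed. The Tariff fields, the record format and the sample figures are assumptions for illustration.

```python
"""Model billing-increment padding and the 55-second "minute" (added example)."""
from fractions import Fraction
from typing import NamedTuple, Optional


class Tariff(NamedTuple):
    increment_s: int        # billing increment in seconds (6 for 6-second billing)
    pad_s: int = 0          # seconds silently added to each call before rounding
    minute_s: int = 60      # length of the carrier's advertised "minute"


def billed_increments(duration_s: int, tariff: Tariff) -> int:
    """Increments charged for a call that really lasted duration_s seconds.
    Ceiling division: any partial increment is rounded up."""
    padded = duration_s + tariff.pad_s
    return -(-padded // tariff.increment_s)


def advertised_minutes_charged(duration_s: int, tariff: Tariff) -> int:
    """Advertised "minutes" deducted from a card whose minute is tariff.minute_s long."""
    return -(-(duration_s + tariff.pad_s) // tariff.minute_s)


def overbilled_fraction(padded: Tariff, honest: Tariff) -> Fraction:
    """Share of call durations charged at least one more increment under `padded`
    than under `honest`. The pattern repeats every increment, so one cycle of
    durations (1..increment_s) is exact for all call lengths."""
    period = honest.increment_s
    extra = sum(
        1 for d in range(1, period + 1)
        if billed_increments(d, padded) > billed_increments(d, honest)
    )
    return Fraction(extra, period)


def estimate_pad(records, increment_s: int, max_pad_s: int = 60) -> Optional[int]:
    """Smallest uniform per-call padding that reproduces every billed duration in
    `records` (pairs of measured seconds, billed seconds), or None if no single
    padding explains the invoice."""
    for pad in range(max_pad_s + 1):
        t = Tariff(increment_s, pad)
        if all(billed_increments(measured, t) * increment_s == billed
               for measured, billed in records):
            return pad
    return None


# Constructed sample: (seconds measured on our own PBX, seconds shown on the invoice).
SAMPLE_CDRS = [(61, 66), (120, 126), (7, 12), (33, 42), (55, 60), (8, 18)]

if __name__ == "__main__":
    print(overbilled_fraction(Tariff(6, pad_s=5), Tariff(6)))           # 5/6
    print(estimate_pad(SAMPLE_CDRS, increment_s=6))                     # 5
    print(advertised_minutes_charged(600, Tariff(1, minute_s=55)))      # 11
```

With a 5-second pad on 6-second billing the extra increment lands on 5 of every 6 possible durations, which is the roughly 84% figure quoted above; the only durations that escape are those ending exactly one second into an increment. Estimating the pad needs records whose measured durations cover several different residues modulo the increment, otherwise a smaller pad can explain the same invoice.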

I wonder if they've done any research on what sort of recording keeps people on the line the longest.

I'd like to offer you a job in our marketing org

I would guess fake ringing tones, because the victim would think the phone hasn't been picked up yet. Animal Farm might work once or twice for curiosity's sake, but eventually people will cotton on. With a fake ring tone, they'd keep dialling until someone picks up.

That is weird. Did you ever see a charge from the call? Or I guess if it was a prepaid card, the minutes just drained faster?

Yep, it was a cheap prepaid card from an Asian grocery store, so it just deducted the connection fee + minutes. I can't remember the cost, but it was likely less than a dollar for the call. I guess if you're hijacking hundreds of calls an hour though, it's a big business.

>Yep, it was a cheap prepaid card from an Asian grocery store, so it just deducted the connection fee + minutes. I can't remember the cost, but it was likely less than a dollar for the call. I guess if you're hijacking hundreds of calls an hour though, it's a big business.

I wonder how dodgy these phone card companies actually are. You could target a specific demographic and then mess with any calls to places they're unlikely to dial.

Say you were doing it and selling the cards in British corner shops. The customers are most likely going to be calling Eastern Europe and South Asia. They're probably not going to be making many calls to the US, so you can mess with some percentage of those.

If that's an Australian number, we actually have a reasonably decent enforcement regime. If you post the number then I'll have it reported to the ACCC, who I suspect would dearly love to actually catch an Australian fraudster given most of their reports are from India or Pakistan and somewhat untouchable.

Incidentally, a friend once got "Microsoft" on the line and they gave a return number. Curious, I called it. "Microsoft" answered. Quick as a flash I said "I don't have much time, they're on to us!"

They were unfazed. Until I abruptly disconnected, then called Crime Stoppers and then conference called them in. Crime Stoppers were very unhappy with me for doing so, but after that call I waited 5 minutes then called the original number. It was disconnected!

It was using a calling card, so I needed to dial the local calling card number, type in my prepaid ID, and then the destination number. So, although the destination number was Australia, the issue occurred somewhere en route before then.

That's hilarious. I wonder if the scammers hired actors + set up a scene to make the recording.

Thanks for taking the time to type that story - great story.

Long ago I did some contract coding for a company that processed donations via credit card. To my amazement, we had to watch out for people trying to donate small amounts to the Red Cross. Why? Because people with a list of possibly-valid credit card numbers would use small donations to brand-name charities as a way of validating credit cards.

It made me long for some sort of professional association that kept track of naughty uses of technology. It's easy to think only about the happy path. But there are all sorts of unsavory people out there: abusers, mobsters, thieves, authoritarian governments. Once I know how they think, I can defend against them. But keeping up with how they think has always been a challenge for me.

Should that have really been your concern? If every company that processes cards has to be fraud detecting experts, then the CC system is totally broken.

>If every company that processes cards has to be fraud detecting experts, then they CC system is totally broken.

That is 100% the case, at least in the US, for card-not-present (online, phone, etc) transactions.

The credit card companies have zero liability for fraud in those cases...the liability is 100% on the merchant seller. In fact, the CC companies collect a non-trivial chargeback fee, so they arguably profit from the fraud.

Predictably, since they have zero risk, they provide almost zero fraud protection for sellers. For example, if they changed the system to accept data like "shipping address vs just billing" or "ip address", they could use their aggregate view to squash A LOT of fraud.

It sounds like you've stumbled upon the next great way for credit card networks to make money! Charge for fraud detection, and if a customer doesn't want fraud detection, then do the chargebacks. I'm kind of surprised they don't do this already (or maybe they do?).

It's win-win either way for the credit card network.

To me that sounds like borderline racketeering.

Many processors do have fraud checks that work quite well, and you can always use services like Amazon Payments which includes fraud protection.

Some do, but they are working with a much smaller subset of data than would be possible if the CC companies were to do it.

The quality of a real anti fraud solution, if it were to include all data, could be amazing.

As Harry Tuttle said, "We're all in it together." https://www.youtube.com/watch?v=xlCPkmb6cuY

Which is why it pisses me off when a company deploys insecure software or hardware, claiming that network security is the customer's responsibility.

So my home network should be reasonably secure, so that it doesn't become part of a bot net. Which means that I have to, or should, become at least knowledgeable enough to know what to buy, what to do, and what not to do. Which means that my router vendor better step up and sell me something secure.

Is it the responsibility of end users to submit bug tickets? I think it is.

Is it the responsibility of end users, or the vendors receiving reports, to publish discoveries of exploits in the wild? I think it is.

Is it the responsibility of a pedestrian who notices a skateboard on the sidewalk to move it aside and upside down so no one does a splat fall? I think it is.

We're all in it together.

I heard a neat definition of responsibility the other day: "If it is to be, it's up to me"

This is why I get angry at people who say things like "mind your own business" or "that's not your job." It is, and it is. Anyone who doesn't like that can take their own advice.

I get that, but the problem is we all accepted the system into our lives before it was ready and now the key players have, by their own design, no incentive to improve. Who do we submit bugs to in this scenario?

We lost thousands in a couple weeks due to fraud and had to up our game in detecting fraud, and now are overzealous in rejecting cards due to fraud.

I cynically wonder if any anti-fraud companies have posted vulnerable sites to carding forums to help make a sale.

Of course they did! Escalating that was an instant win-win-win.

It does seem to be broken and yes, if you run an online store it seems we have to be somewhat informed about CC fraud.

it is.

After launching several SaaS with a $1 trial and such, this also happens there.

I think the Candy Japan guy from around here talks about it a lot.. people using candy to validate stolen CCs...

I'm surprised this surprises anyone. This is common in brick and mortar stores as well.

If you're processing credit cards online, you should be using some sort of fraud detection, like MaxMind's minFraud or something like it.

Then what the heck are we paying visa for?

You are paying for "nice business you have here, it would be a shame if your money were lost somewhere".

Not fraud detection, I can assure you. Not even YC darling Stripe will help you much: https://www.google.com/amp/s/www.buzzfeed.com/amphtml/joseph...

Tl;dr you are on your own!

For processing the legitimate transactions.

Businesses with high fraud numbers will get axed by Visa.

A real great scam recording is the following: A "maid"-sounding voice answers, pretends to not understand for a second, then says "oh yeah I'll go get them". In the background there's a TV and people talking. I've had it happen to me twice, and it was effective on keeping me on the line, despite not having a TV or the woman not sounding like anyone I know.

Margins in telecom can be super thin. Diverting, say, 1% of traffic to fake answering could mean increasing profits by 10%. If the scammer doesn't go overboard, users won't complain. They'll just say "the wires got crossed" and redial.

The article mentions VoIP being the issue, but comments here show issues with calling cards as well. It's not VoIP, it's trusting your service provider, the destination service provider and everything in-between.

If you dial via a calling card, everything goes through their proxy before being handed off.

I've run into problems with services like Telegram not accepting my Google Voice number (my own real US number) and the recent NIST recommendations also state not to use SMS as 2-factor verification (citing VoIP concerns).

We have TLS/LetsEncrypt/etc to verify we're talking to who we think we're talking to on the Internet, but phone networks come from a previous era.

I worked for a telco once, in one country where, if we no longer held a phone number (it had been ported to another network), we just sent the call to all the other providers. The network that currently held the number would relay it and the others dropped it. I actually wrote the job to compare against the ported number list and only forward to the right destination. Telecom is janky as shit.

> It's not VoIP

I'm not convinced that this is the case - I'd imagine there are a number of calling cards that terminate a POTS line to a voip device in the US and then VOIP out for vastly cheaper international calling.

I used to work for a company which wrote & sold telco switch management software. Mostly it was for automatically calculating the Least Cost Route, given a list of carrier price sheets and rates for prefix bands.

We had a few local clients with slightly complicated setups, so we got to implement some matching logic for Call Data Records. Their local end had three switches attached to external trunks (to other carriers) and trunked to each other, and a few digi-boxes which voiped to (say) Afghanistan (telcos always use Afghanistan for examples, since it's the first country in the price sheet).

They would list a cheap per-minute price to +93, accept incoming calls & terminate them at the digi-box (closing the CDR & generating a revenue event). The remote digi-box would then start a new outbound call (and CDR) from their partner's facility and (hopefully) get to a subscriber line without going through too many carriers.

The trick (and we never asked or found out) is that most of the time the remote digi-box is actually a carousel of SIM cards with unlimited local calls. The carousel is used to automatically distribute the calls over the SIMs to impede fraud detection by the mobile carrier.

These setups are pretty common & are called grey routes.
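The least-cost-routing and number-portability behaviour described in the two comments above can be sketched in a few functions. This is an added example, not the switch-management software or the carrier job the commenters mention: it picks the cheapest carrier for a dialled number by longest-prefix match over per-prefix price sheets, flags a carrier whose rate for a band is far below what the other carriers quote (a heuristic added here as a grey-route indicator, not a check the page says carriers perform), and resolves a ported-out number to the single network that now holds it instead of fanning the call out to every peer. Carrier names, prefix bands, rates and the ported-number map are constructed.

```python
"""Least-cost routing with longest-prefix match and a ported-number lookup (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Route:
    carrier: str
    prefix: str    # E.164 digits without the '+', e.g. "93" for Afghanistan
    rate: float    # price per minute from the carrier's sheet (constructed figures below)


def normalise(number: str) -> str:
    """Keep only digits so '+93 70 ...' and '93-70-...' match prefixes the same way."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError("number contains no digits")
    return digits


def match_prefix(number: str, sheet: Iterable[Route]) -> List[Route]:
    """For each carrier, the route with the longest prefix that matches the number."""
    digits = normalise(number)
    best: Dict[str, Route] = {}
    for route in sheet:
        if digits.startswith(route.prefix):
            current = best.get(route.carrier)
            if current is None or len(route.prefix) > len(current.prefix):
                best[route.carrier] = route
    return list(best.values())


def least_cost_route(number, sheet, avoid_flagged=False, ratio_floor=0.5):
    """Return (cheapest route or None, carriers flagged as suspiciously cheap).
    A carrier is flagged when at least three carriers quote the band and its rate
    is below ratio_floor * the median rate; with avoid_flagged=True the cheapest
    non-flagged carrier wins instead."""
    candidates = match_prefix(number, sheet)
    if not candidates:
        return None, []
    flagged: List[str] = []
    if len(candidates) >= 3:
        rates = sorted(r.rate for r in candidates)
        median = rates[len(rates) // 2]
        flagged = sorted(r.carrier for r in candidates if r.rate < ratio_floor * median)
    pool = [r for r in candidates if r.carrier not in flagged] if avoid_flagged else candidates
    cheapest = min(pool or candidates, key=lambda r: (r.rate, r.carrier))
    return cheapest, flagged


def resolve_holder(number, own_prefixes, ported, peers) -> List[str]:
    """Networks to forward a call to. A ported-out number goes only to the network
    that now holds it; a number still in one of our ranges stays with us ("self");
    anything else falls back to the fan-out-to-every-peer behaviour from the comment."""
    digits = normalise(number)
    if digits in ported:
        return [ported[digits]]
    if any(digits.startswith(p) for p in own_prefixes):
        return ["self"]
    return list(peers)


# Constructed price sheet. "9370" is an illustrative sub-band, not a real allocation.
SHEET = [
    Route("CarrierA", "93", 0.180),
    Route("CarrierA", "9370", 0.210),
    Route("CarrierB", "93", 0.160),
    Route("CarrierC", "93", 0.010),     # implausibly cheap for the band
    Route("CarrierA", "1", 0.0050),
    Route("CarrierB", "1", 0.0014),
]
OWN_PREFIXES = ("4144555",)                 # constructed: a range allocated to us
PORTED = {"41445550101": "NetB"}            # constructed: numbers ported out of our range
PEERS = ("NetB", "NetC")

if __name__ == "__main__":
    print(least_cost_route("+93 70 123 4567", SHEET))
    print(least_cost_route("+93 70 123 4567", SHEET, avoid_flagged=True)[0].carrier)
    print(resolve_holder("+41 44 555 0101", OWN_PREFIXES, PORTED, PEERS))
```

Pure least-cost routing sends the Afghan call to CarrierC at a cent a minute; the flag is the only thing that distinguishes a bargain from a route that terminates on a SIM carousel or plays a recording, so an operator who cares where the call actually lands has to act on it rather than on price alone. The ported-number lookup is exact-match per number because porting is per subscriber, while the price sheet is prefix-based because rates are per band.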

"The trick (and we never asked or found out) is that most of the time the remote digi-box is actually a carousel of SIM cards with unlimited local calls. The carousel is used to automatically distribute the calls over the SIMs to impede fraud detection by the mobile carrier."

I have seen this in action ... I was working late at night in our (rsync.net) Zurich datacenter and there was a man who had a very tall stack of SIM cards that he was punching out and inserting into these long PCI cards ... I couldn't not ask him what he was doing.

He was a little cagey about it, but I got the general idea (thanks, Swiss folks, for all speaking english!).

The thing I don't understand is, to whatever degree running all those calls through a single SIM is a fraud alert, then I would think running all of those calls through a single tower would be an even bigger fraud alert. And yet, that doesn't seem to be a problem.

Yeah, the thing is telecom and especially cellular fraud detection is often a manual process when you get to that cell or tower level. Carrier backends are not friendly toward it for the fraud detection employees, thus it rarely is done.

Specifically in Switzerland and Germany, call termination costs are a great deal higher: where I'm paying 0.0014/min on average in North America, I am paying a few multiples of that at minimum in either country.

A variation is to use a mobile number so subscribers of the same telco can use their free/unlimited minutes http://apcmag.com/optus_threatens_customers_over_voip_calls....

Last year I recorded a bunch of calls on a hacked pbx.. I wasn't expecting to hear regular calls of folks who didn't even know they were being routed through a hacked pbx system.

Thank you for this. I had no idea this was possible.

The problem with stopping fraud is that people generally do not fight fraud as hard as fraudsters fight to keep their income.

Definitely. There's also the same sort of issue with gazelles and cheetahs. Both are fast, but for the cheetah to get its dinner, it only has to be faster than the slowest gazelle. I'm sure some of the phone companies are reasonably fraud-resistant, but securing a whole industry is harder.

Well, in that case the companies just have to not be the slowest gazelle, right? That doesn't seem like much effort involved, so the problem is probably in knowing what the other companies are doing so you're not the mark.

I think in this example the slowest gazelle is the sucker that has to pay exorbitant international calling fees for a service they did not receive.

The companies themselves have little incentive to change things if it costs them money to do so and there's limited downside for doing nothing.

The "free" phone conference services work in a somewhat similar way. There's a fee charged for a long distance call even in the US/Canada. The fee is low enough that most people now get free long distance.

The free phone conference services are terminated at tiny little telcos that charge a much higher than normal fee for a north american long distance and the fee is split between the conference service operator and the telco (which may or may not be the same.)

Some of these services cannot be dialed via some VOIP providers (like Google Talk) for that reason.

>Some of these services cannot be dialed via some VOIP providers (like Google Talk) for that reason.

I always knew this was the case, but I was never really bothered by it. Both the law (see intercarrier compensation[1]) and the subsequent ban make sense.

However I've recently run into a rash of people who I can't call because my carrier and Google Voice block their numbers. Each of them has a Puerto Rican area code. They are all cell phone numbers, they all live in Chicago like me, but I can't call or text them because their phone number is Puerto Rican. It doesn't make any sense, because Puerto Rico is a part of the United States, we are both in the US, and we each ostensibly have US phone numbers.

> Puerto Rico is a part of the United States

PR is an unincorporated territory i.e. not part of the United States.

That's not really accurate. That status was developed for the transitional period after the Spanish American War, and subsequent legislation and court cases evolved that initial state.

It's really a colony, unlike US States it isn't a sovereign entity unto itself, and is essentially at the mercy of congress with respect to self-governance and other things.

That's a distinction without a difference for the purposes of the comment to which you replied.

Not really, as it has its own administration and ergo its own telecoms system. It makes as much sense as "the UK is part of the US".

Right, yeah, who could forget how the US has sovereignty over the UK? What a nonsensical comparison.

Puerto Rico is not a state of the United States.

Puerto Rico is territory of and subject to the jurisdiction of the United States.

I understand the political nuance, but PR phone numbers work just like a phone number from the 50 states for everyone else I know.

There is a regulatory push in the US to end intercarrier usage billing, which should lead to the end of the blocking and may lead to the end of the free conferences (maybe not, I imagine costs are fairly low, but they'll need new revenue). It's already reduced the amount of mostly free VoIP offerings.

Yeah, carriers offering free DIDs are rapidly disappearing, first ipkall and recently I had another one up and close their doors on me.

When I was travelling in Italy with a Lycamobile SIM card, I experienced what I think is something like this: when I tried to call numbers I would often get a busy signal or an unavailable-phone-number message, but repeated attempts after a wait would sometimes go through. It became apparent that not all was on the level when I heard the real versions of those messages and figured out that Lycamobile (at least I assume it was them; who else can I blame here?) was part of the time intentionally failing to let calls go through and masking that action by making it seem like the telephone number was wrong or unavailable. Often calls that did go through were dropped after 1 - 3 minutes... And that's just the worst part of the experience I had with them (the most charitable interpretation of how far the service fell short of what their website promised would be that they hire solely non-native English writers for all their marketing copy, but I suspect they are actively attempting to deceive prospective customers).

Interesting to note that Phreaking is still very much alive and kicking.

Most of the hackers I know gave up on Phreaking once hacking became popular in their circles. To me, there will always be something more fascinating about the telephone infrastructure.

I think of phreaking as a byproduct of an era where signal controls were integrated in bearer traffic.

It feels magical to know that the same transport that delivers the sound of your voice was susceptible to tampering and rerouting by other sounds.

This is something other than phreaking, imo. It's straight forward service fraud and hacking. Bearer and Signal have been divorced. The attacker has to get privileged access to a network that is generally not accessible to the public. Phreaking was neat because literally anyone could do it if they knew about the methods.

Knowing the methods used here isn't enough. You need to get on the trusted SS7 network and have a roaming/interconnect agreement to start doing really interesting things.

This was a fun read for me for much of the same reason. Alliance teleconferencing 0-700-456-1000 may not be there anymore, but there are still some old numbers that work. Here's a loop: 513-241-1018 - you gotta find the other end :)

>Interesting to note that Phreaking is still very much alive and kicking.

Any sites you'd suggest?

>That should give you a good head start. . .

I read all this as a kid... :)

Phil Lapsley's book "Exploding The Phone" [0] gives a well written overview for anyone interested.

[0] http://explodingthephone.com/ (AudioBook also available)

Does it count as phreaking if you own the infrastructure?

Does it count as hacking if you own the network? I think it still does, the outcome is different but the methods are similar.

Sounds like the solutions needs to be orders of magnitude larger fines than the amount that would be gained. If each individual user is only losing $1-3, they won't or can't fight it, and the company also won't in many cases. If the minimum payout/fine for such a scam was, say, $100 per occurrence and that was written into all the contracts, there'd be enough incentive at every stage for companies to clean up their act.

> Sounds like the solutions needs to be orders of magnitude larger fines than the amount that would be gained.

With so many frauds and crimes, corporate death sentences should be available for extreme, large or persistent cases.

A forced end to fraudulent businesses would work wonders for the economy (IANAE).

The solution is the internet. No need for a telco for international calls.

A colleague had a $700 telco bill because of a scammer making calls to Cuba via his PBX. He had never changed the default password. Hard lesson to learn.

So is it that easy to establish as a call operator? Considering how much secure stuff we do over the phone, this seems highly insecure.

Yeah, lots of businesses will use grey routes from "Freddy's Swiss SIM Bank" because it's 1 cent a minute versus 2.7 cents directly.

I still don't understand, how do the scammers actually get paid?

The scammers are the "last stop" telco carriers. They charge high, Cuban rates to connect someone who thinks they are calling Cuba to a cheap/free recording. They arbitrage the cost of playing a recording (0) against the cost of actually connecting the customer to a party in Cuba (non 0).

These rates are passed up the carrier chain until they reach the caller's main carrier. If international calls are covered in the caller's contract, the carrier picks up the tab. If not, the caller is charged int'l rates for simply listening to a recording.

There should be some way for the main carriers to identify and block these shady "last stop" telcos but it seems as if they have no incentive to as they are probably cheaper to partner with than reputable carriers, and the customer ultimately pays the fee in one form or another.

"My phone call never actually made it to Cuba. The fraudsters make money because the last carrier simply pretends that it connected to Cuba when it actually connected me to the audiobook recording. So it charges Cuban rates to the previous carrier, which charges the preceding carrier, which charges the preceding carrier, and the costs flow upstream to my telecom carrier."

The scammers in this case are apparently a small-time telco. In other cases, the scammers set up 1-900 (or equivalent) numbers and try to get their marks to call the number.

FreeConferenceCall (dot) com has a version of this as their business model.

What do they do?

The end of the story just made me smile :)

Yes it was a clever ending. I wish I could write that well.

tl;dr This summarizes it perfectly.

  My phone call [to a disconnected number] never actually made it to Cuba. The fraudsters make money because the last carrier simply pretends that it connected to Cuba when it actually connected me to the audiobook recording. So it charges Cuban rates to the previous carrier, which charges the preceding carrier, which charges the preceding carrier, and the costs flow upstream to my telecom carrier. The fraudsters siphoning money from the telecommunications system could be anywhere in the world.

lol: "Global capitalism abhors a vacuum."

Why is that funny?

Shame that global capitalism doesn't abhor US dev salaries being double Aussie or European ones. :-[

Reason: place is still important to productivity. https://smile.amazon.com/Gated-City-Kindle-Single-ebook/dp/B...

I doubt it is to do with productivity. More like supply and demand.

Supply and demand aren't disconnected from productivity.

Can you explain? High demand causes employees to be more productive?

I'm going to take a wild guess and say the relationship being posited is that people are willing to pay more for more productive workers

Yes thanks, but I'm not seeing any interesting analysis here beyond the one liners. Why are American employees more productive than those in other countries? Better education? Work ethic?

I don't think this is right. I think the compensation difference has more to do with investor money, addressable market, culture etc.

If you go back up this thread you'll find the claim that location increases productivity. If we accept that, and if we accept that people are willing to pay more for higher productivity, well, presto, we've explained why US wages should be higher.

I don't accept the claim though. Oh nevermind!

That's fine, but you seemed confused about how the argument fit together rather than interested in arguing about the claims it's built on.
