
February 2019

The History of PBX Hijacking Fraud: Phreakers, Payphone Hacks & Muddled Accountability between Enterprises & Telcos

Of all kinds of telecom toll fraud, PBX hijacking is the largest money loser for both telecoms and enterprises.

Once the password to a PBX account is compromised, the hijacker uses the call forwarding feature of the PBX to artificially pump thousands of fraud calls to destinations around the world.

The CFCA, an association of telecom providers and fraud solution vendors, conducts a bi-annual survey of its members and estimates artificially pumped fraud cost telcos $9.9 billion a year.  If we assume that 80% of this figure is done through PBX hijacking and that enterprises lose about the same as telecoms, then enterprises alone lose about $7.9 billion a year to PBX hijacking.

What’s somewhat incredible: this fraud has been going on for at least three decades — with no end in sight.

Today we know “computer hacking” is a key enabler of PBX fraud.  But before digital switching arrived, the telecom network hacking was done by “phone freaks” or phreaks as they proudly called themselves.

The phreaks would reverse engineer the dial tones used to route long-distance calls and make free calls around the world on the phone company’s dime.  In fact, two soon-to-become-famous people in the phreaker community were Apple’s cofounders Steve Jobs and Steve Wozniak (who decades later paid telecoms back countless billions of dollars thanks to the iPhone).

Here to explain some more of the history of PBX hijacking is Colin Yates of Yates Consulting.  The former head of Fraud Management at the Vodafone Group, Colin remains one of the leading consultants in the field of telecom fraud.

Dan Baker, Editor, FraudTech Journal: Colin, I find the history of PBX fraud and efforts to block it fascinating because it follows the contours of tech innovation.  And each new era required different control solutions.

Colin Yates: It’s true, Dan.  In the early 1990s I was with Telecom New Zealand (as it was known at that time).  Back then, the major control weakness that allowed a PBX to be hacked was the default passwords on their maintenance and DISA ports.  Often these were never changed from the default (000000 or 123456) until after a PBX had been compromised.  This issue still occurs today.

PBXs were hacked from payphones in New York City

One of our major PBX fraud problems at that time was calls coming into the PBXs from New York payphones.  Call Selling was a big issue in those days.

A Fraudster on the streets of New York, armed with calling card or credit card numbers (that he had obtained by shoulder surfing or dumpster diving) would offer “customers” the opportunity to place calls anywhere in the world.

And the price he offered them was a fraction of their normal price.  Of course, in those days, long distance and international rates were quite high so it was doubly attractive to people.

Often the “customers” would want to speak to friends or family in places like the Dominican Republic or some African countries.  Now because these were high risk destinations, they could not be called from a payphone in New York.

So to get around that limitation, the fraudster (or his associates) would use war-dialler programs such as ToneLoc to scan networks for insecure PBXs and Voicemail Systems.

Once they found an insecure PBX in New Zealand (or any other country), the fraudster would place a call to the PBX using his compromised Calling or Credit card, get dial tone from the PBX and redial a call from the PBX to the number in the country that had been blocked from New York payphones.  His customer could then talk for whatever length of time he had paid the fraudster for.

Sounds like a powerful scheme.  Surprised that law enforcement wasn’t able to stop that fraud since they were using public phones.

Well, the fraudsters were rarely caught because they could simply repeat their process by moving to another payphone.  They made lots of money.  Once they were set up with a compromised PBX, their biggest limitation was the number of outgoing trunks available.

It was common to see every outgoing trunk in a business being used in the weekend when no-one was working.  Then on Monday morning the fraudsters reduced their calls to only 50% of the available trunks to enable the business to continue, so that they would not suspect their PBX had been compromised.

A tool like Oculeus PBX Guard back in those days would have saved us millions of dollars since in many cases the fraud losses were absorbed by Telecom New Zealand in order to retain the business customer.

Now in those days, the Telcos would actually supply the hardware PBX to the enterprise.

That’s right.  It was common for the local Telco to also be the CPE Provider, so they would supply, install and maintain the PBX.  If the installation was poorly done and default passwords were not changed, then the Telco had to accept the responsibility for any PBX fraud that resulted from this vulnerability.

The Nortel Meridian was a popular PBX in the 1970s and 80s

Many Telcos moved away from the CPE Business after year 2000 and the majority of PBXs were then supplied, installed and maintained by private CPE Providers.  So if one of these installed PBXs was compromised through poor installation or poor network security, and a PBX Fraud resulted from this, then it became unreasonable to expect the Telco Network Provider to absorb the costs of this fraud.

Some would argue however that the Telco Network Provider should have the necessary tools in place to identify things like a major change in a business customer’s calling profile, particularly when multiple calls are being made to a country like Somalia when the business has never called that country previously.

Often, in these circumstances, the Enterprise and the Telco Network Provider will agree to split the fraud loss, however the cost to the Enterprise will often still be significant.
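Two of the detection signals Colin describes above, a business customer suddenly making repeated calls to a country it has never called, and every outgoing trunk in use in the weekend, as an added example in Python that is not part of the interview or of any product it mentions.  The CDR format, the trunk inventory, the baseline cut-off date and the alert thresholds are assumptions made for illustration.

```python
# Added example (not from the interview): a small PBX-hijack detector over
# call detail records (CDRs). It flags (1) a customer calling a country absent
# from its baseline history and (2) off-hours windows with all trunks busy.
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: customer, start time, destination country code,
# trunk id. "ACME" normally calls AU/US/NZ; the Saturday 02:00 burst to
# country code 252 (Somalia) on every trunk is the pattern Colin describes.
SAMPLE_CDRS = """\
ACME,2019-02-11 09:12:00,61,1
ACME,2019-02-12 14:03:00,1,2
ACME,2019-02-13 10:40:00,64,1
ACME,2019-02-16 02:00:00,252,1
ACME,2019-02-16 02:01:00,252,2
ACME,2019-02-16 02:01:30,252,3
ACME,2019-02-16 02:02:00,252,4
"""
TRUNKS_PER_CUSTOMER = {"ACME": 4}   # assumed trunk inventory per customer

def parse_cdrs(text):
    rows = []
    for line in text.strip().splitlines():
        cust, ts, cc, trunk = line.split(",")
        rows.append((cust, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cc, int(trunk)))
    return rows

def new_destinations(rows, baseline_end, min_calls=3):
    """Return (customer, country) pairs called >= min_calls times on or after
    baseline_end (YYYY-MM-DD) but never before it: the profile change Colin
    describes when a business that never called Somalia suddenly does."""
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    seen = defaultdict(set)
    recent = defaultdict(lambda: defaultdict(int))
    for cust, ts, cc, _ in rows:
        if ts < cutoff:
            seen[cust].add(cc)
        else:
            recent[cust][cc] += 1
    return {(c, cc) for c in recent for cc, n in recent[c].items()
            if n >= min_calls and cc not in seen[c]}

def offhours_trunk_saturation(rows, ratio=0.9):
    """Return (customer, hour) windows at the weekend or between 22:00 and
    06:00 in which >= ratio of the customer's outgoing trunks carried calls."""
    busy = defaultdict(set)
    for cust, ts, _, trunk in rows:
        if ts.weekday() >= 5 or not 6 <= ts.hour < 22:   # weekend or night
            busy[(cust, ts.strftime("%Y-%m-%d %H"))].add(trunk)
    return {k for k, t in busy.items() if len(t) >= ratio * TRUNKS_PER_CUSTOMER[k[0]]}
```

In production the baseline would be built from weeks of the customer's own CDRs and the trunk count taken from the PBX inventory, but the two checks are the ones a network provider can run without access to the customer's PBX.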

One of the things I’ve always wondered: why can’t the telecom operator simply refuse payment if they know the calls are fraudulent?

It’s one of the peculiarities of the telecom business.  They simply cannot do this unless every party in the Telco call transit chain agrees.

Each carrier is contractually obliged to pay for all calls exiting their network whether or not they are fraud.  Today we are starting to see some payment withholding creeping in, however the common argument against this is that if carriers — particularly smaller Tier 2 and 3 carriers — know that they will not have to pay for any fraud leaving or transiting their network, then they will make no investment in fraud prevention and detection.

For some years, many carriers, and some Enterprises who had PBXs with the capability to block destinations, simply blocked countries that were considered high risk, and that prevented any fraud to those countries.

However, the global destination risk profile has changed significantly over the past year or two.  For example, in January 2018, 42% of all International Premium Rate Numbers (IPRNs) advertised by IPRN Providers related to 10 countries, such as Cuba, Latvia, Somalia etc.  In January 2019, only 20% of the IPRNs advertised related to these top 10 destinations.

The remaining 80% were spread across 110 other destinations, some of which hardly featured 12 months ago.  So, blocking a country code is no longer a sound strategy (and it is in breach of ITU Recommendations).

Another question: is there such a thing as an enterprise contracting with its carrier to insure against any fraud loss?

Yes, some Telco Network Operators do provide an ‘insurance’ type product that reduces the Enterprise’s liability for fraud, at a level dependent on the premium paid.

To attract customers, some other Telcos may contractually agree to cover the cost of any fraud that occurs while you are using their network services.  However, these levels of service are uncommon, and it should be incumbent on every enterprise to manage its own risk, particularly the risk of telco and PBX fraud.

Colin, many thanks.  It’s been fun travelling down PBX fraud memory lane.

For more insights on Telecom Fraud, see other interviews with Colin Yates on our sister magazine, Black Swan Telecom Journal:

Copyright 2019 FraudTech Journal


About the Experts

Colin Yates

Colin started his working life in Law Enforcement in New Zealand, then after 18 years moved to a Risk and Fraud Management role in Telecom New Zealand.

After 12 years there, he moved to Vodafone New Zealand and for the next 12 years had roles with Vodafone in New Zealand, Australia, Germany and the UK, leaving Vodafone in 2012 as Group Head of Fraud Management and Investigations, having had responsibilities for managing fraud and investigations right across the Vodafone footprint.

Colin has held Management positions in the GSMA Fraud Forum, CFCA, FIINA and Pacific Partners.

He is currently managing his own firm, Yates Fraud Consulting Limited which consults back to industry operators to review their Fraud and Revenue risk maturity.  He also manages an IPR Test Number database currently in use by some of the world’s largest operator groups.

Colin is a Certified Fraud Examiner (CFE) and is also a Fraud Adviser to PITA (Pacific Islands Telecommunications Association).   Contact Colin via
