Call me, my life
Call me, call me, any, anytime
Call me, for a ride
Call me, call me for some overtime
Take me out, and show me off
Put me on the scene                Deborah Harry ~ Blondie ~ 1980

Let me tell you about a friend of mine. (Smart, tech savvy, handsome, small business owner, and staff of 35 in two Bellingham locations, real estate brokerage services) All right you guessed it.....me.

He, correction, I just got off the phone with calls from the Fraud Departments of AT&T, MCI, Ameritell, Startech, and Qwest. Seems our little PBX voicemail system (that I thought was properly secured with pass codes and so forth) was garnering charges for calls from our seven business telecom lines to such exotic locales as India, the Philippines, Nepal, Liberia, Qatar, Eritrea, Senegal, Kenya, Pakistan, Saudi Arabia, and Afghanistan. Hacked to the an amount approaching $4,000 from 1:00 AM to about 7:00 AM on a Saturday morning in September... Ouch!

Symptoms: Incoming calls didn't ring at the reception station but the lines were lit! Staff thought it was a slow day with all the media hype on the Bellingham real estate meltdown, who could fault their logic?

Hack: Bad guys hacked a voicemail extension to call forward and auto-dial 1010 and international calling access codes and also set voicemail announcement to audibly say, "YES" at timed intervals to computer generated collect calls or third party billing authorizations. Clever buggers.

Duration of Attack: Under four hours on a Saturday morning.

The Fix: Vendor reset system, upgraded the software for the telecom hardware, new random generated pass codes, system audit, disallowed remote line access and setting changes.

Financial Ramifications? 

According to the FCC it is the responsibility of an individual or business to secure and maintain their telecommunications system (even if it is a single home phone.) Ergo, were responsible for paying the charges even though it is an outright determined fraud on our business.

According to our long distance provider (and the companies that have billed them) It's our responsibility to pay the charges on the bill even though they know we were compromised illegally. They have offered a 10% discount on the charges, which they say, is the cost they are being billed. Gee, thanks.

Current Action Plan?

• Add ongoing telecom audit to security program.
• Change pass codes regularly.
• Keep upgrading security options on software and hardware for all systems.
• Company Policy Revision No personalization of extensions on office telecom system.
• Contact Department of Homeland Security (considering some of the call destinations)
• Contact Sheriffs department.
• Pay the bills.
• Sell Bellingham real estate.
• Move on.