
How phone phreaks are caught


NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # HOW PHONE PHREAKS ARE CAUGHT #
# from 2600 magazine V4 #7 July 1987 #
# written by NO SEVERANCE #
# typed by G. A. ELLSWORTH #
# #
#()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()(#

Until about four months ago, I worked for a large long distance company. I was given the pink slip because some guy in my office found out that I did a little hacking in my spare time. It seems that most companies just aren't into that anymore. I feel I should do all I can to keep phreaks from getting caught by the IC's (Independent Carriers or Interexchange Companies). Remember: a safe phreak is an educated phreak.
When you enter an authorization code to access a long distance company's network there are a few things that happen. The authorization code number you enter is cross referenced in a list of codes. When an unassigned code is received the switch will print a report consisting of the authorization code, the date and time, and the incoming trunk number (if known) along with other miscellaneous information.
When an authorization code is found at the end of a billing cycle to have been "abused" in the switch, one of two things is done. Most of the time the code is removed from the database and a new code is assigned. But there are times when the code is flagged "abused" in the switch. This is very dangerous. Your call goes through, but there is a bad code report printed. (This is similar to an unassigned code report, but it also prints out the number being called.) You have no way to know this is happening but the IC has plenty of time to have the call traced. This just goes to show that you should switch codes on a regular basis and not use one till it dies.
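The code check and the two reports described above, seen from the carrier's side, as an added example (not part of the original article). The report fields follow the text; the state names, the refusal of calls on unassigned codes, and all sample codes, trunk labels and 555-01XX numbers are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ASSIGNED, ABUSED = "assigned", "abused"   # states of a code held in the switch database

@dataclass
class Report:
    kind: str                  # "unassigned" or "bad_code"
    code: str
    when: str
    trunk: Optional[str]       # incoming trunk number, if known
    called: Optional[str]      # printed only on a bad code report

def check_code(db, code, when, trunk=None, called=None):
    """Return (call_goes_through, report or None) for one access attempt."""
    state = db.get(code)
    if state is None:          # not in the list of codes
        # Assumption: a call on an unassigned code is refused.
        return False, Report("unassigned", code, when, trunk, None)
    if state == ABUSED:        # flagged code: the call completes, the report is printed
        return True, Report("bad_code", code, when, trunk, called)
    return True, None

def reports_by_trunk(reports):
    """Count reports per incoming trunk, the figure a trap decision would start from."""
    return Counter(r.trunk for r in reports if r.trunk is not None)

def run_sample():
    # Constructed data: codes, trunk labels and numbers are made up.
    db = {"4821937": ASSIGNED, "9930412": ABUSED}
    attempts = [
        ("4821937", "1987-07-01 21:02", "TRK-014", "3125550142"),
        ("1111111", "1987-07-01 21:05", "TRK-022", "3125550142"),
        ("1111112", "1987-07-01 21:05", "TRK-022", "3125550142"),
        ("9930412", "1987-07-01 21:09", "TRK-022", "2125550123"),
        ("1111113", "1987-07-01 21:11", None, "3125550142"),
    ]
    results = [check_code(db, *a) for a in attempts]
    reports = [rep for _, rep in results if rep is not None]
    return results, reports, reports_by_trunk(reports)
```
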

ACCESS

There are several ways to access an IC's network. Some are safe and some can be deadly.
FEATURE GROUP A (FGA). This is a local dial-up to a switch. It is just a regular old telephone number (for example 871-2600). When you dial the number it will ring (briefly) and give a dial tone telling you to proceed. There are NO identifying digits (i.e. your telephone number) sent to a switch. The switch is signaled to give you a dial tone from the ringing voltage alone. The only way you could be caught hacking codes on an FGA would be if Telco (your local telephone company) were to put an incoming trap on the FGA number. This causes the trunk number your call came over to be printed out. From the trunk number Telco could tell which central office (CO) your call was coming from. From there Telco could put an outgoing trap in your CO which would print the number of the person placing the call to that number--that is provided that you are in an ESS or other Electronic Switch. This is how a majority of people are caught hacking codes on an FGA access number.
Next down the line we have Feature Group B (FGB). There are two FGB signalling formats called FGB-T and FGB-D. All FGBs are 950-XXXX numbers and I have yet to find one that doesn't use FGB-T format.
When you dial an FGB number your call can take two paths: 1) Large COs have direct trunks going to the different IC's. This is more common in Electronic offices. 2) Your call gets routed through a large switch called a tandem, which in turn has trunks to all the ICs.
When you dial an FGB-T number the IC's switch receives: KP+ST
This prompts the switch to give you a dial tone. The IC gets no information regarding your phone number. The only thing that makes it easier to catch you is that with a direct trunk from your central office when you enter a bad code the IC knows what office you're coming from. Then it's just a matter of seeing who is calling that 950 number.
On the other hand, when you dial an FGB-D number the switch receives:

KP+(950-XXXX)+ST followed by

KP+0+NXX-XXXX+ST or KP+0+NPA NXX-XXXX+ST

The first sequence tells that there is a call coming in; the 950-XXXX (optional) is the same 950 number that you call. The second sequence contains your number (ANI-Automatic Number Identification). If the call comes over the trunk directly from your CO it will not have your NPA (Area Code). If the call is routed through a tandem it will contain your NPA number. FGB-D was originally developed so that when you got the dial tone you could enter just the number you were calling and your call would go through, thus alleviating authorization codes. FGB-D can also be used as FGB-T, where the customer enters a code but the switch knows where the call is coming from. This could be used to detect hackers, but has not been done yet, at least not to my switch.
FGB-D was the prelude to FEATURE GROUP D (FGD). FGD is the heart of Equal Access. Since FGD can only be provided by electronic offices, equal access is only available under ESS (or any other electronic office). FGD is the signalling used for both 1+ dialing (when you choose an IC over AT&T) and 10XXX dialing. The signalling format for FGD goes as follows:

KP+II+10D(10 digits)+ST followed by

KP+10D+ST

The first sequence is called the identification sequence. This consists of KP, information digits (II), and the calling party's telephone number with NPA (10D ANI) finished up with ST. The second address sequence has KP, the called number (10D) followed by ST. There is a third FGD sequence not shown here which has to do with international calling--I may deal with this in a future article. When the IC's switch receives an FGD routing it will check the information digits to see if the call is approved and if so put the call through. Obviously if the information digits indicate the call is coming from a coin phone, the call will not go through.

This is a list of information digits commonly used by Bell Operating Companies.
Code  Sequence        Meaning
00    identification  Regular line, no special treatment
01    identification  ONI (Operator Number Identification) multiparty lines
02    identification  ANI failure
06    identification  Hotel or Motel
07    identification  Coinless, hospital, inmate etc.
08    identification  InterLATA restricted
10    address         10X test call
13    international   011-plus: direct distance dialed
15    international   01-plus: operator assisted
27    identification  Coin
68    identification  InterLATA-restricted hotel or motel
78    identification  InterLATA-restricted hospital, coinless, inmate etc.
95    address         959-XXXX test call

There is a provision with FGD so when you dial 10xxx# you will get a switch dial tone as if you dial a 950. Unfortunately, this is not the same as dialing a 950. The IC would receive:

KP+II+10D(ANI)+ST
KP+ST

The KP+ST gives you the dial tone, but the IC has your number by then.
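What the receiving switch can read out of the FGD sequences above, as an added example (not part of the original article): a small decoder for the written KP+II+10D+ST notation that looks the information digits up in the article's table. The function names and the sample numbers (fictional 555-01XX) are constructed here; spaces or hyphens inside a number field are accepted as an assumption about how the notation is written.

```python
import re

# Information digits (II) as listed in the article: code -> (sequence, meaning)
INFO_DIGITS = {
    "00": ("identification", "Regular line, no special treatment"),
    "01": ("identification", "ONI (Operator Number Identification) multiparty lines"),
    "02": ("identification", "ANI failure"),
    "06": ("identification", "Hotel or Motel"),
    "07": ("identification", "Coinless, hospital, inmate etc."),
    "08": ("identification", "InterLATA restricted"),
    "10": ("address", "10X test call"),
    "13": ("international", "011-plus: direct distance dialed"),
    "15": ("international", "01-plus: operator assisted"),
    "27": ("identification", "Coin"),
    "68": ("identification", "InterLATA-restricted hotel or motel"),
    "78": ("identification", "InterLATA-restricted hospital, coinless, inmate etc."),
    "95": ("address", "959-XXXX test call"),
}

def fields(seq):
    """Strip the KP ... ST framing; return the '+'-separated fields as digit strings."""
    m = re.fullmatch(r"KP\+(?:(.+)\+)?ST", seq.strip())
    if m is None:
        raise ValueError(f"not a KP...ST sequence: {seq!r}")
    body = m.group(1)
    return [re.sub(r"[ -]", "", f) for f in body.split("+")] if body else []

def parse_fgd(identification, address):
    """Decode the two FGD sequences the IC's switch receives for one call."""
    ident, addr = fields(identification), fields(address)
    if len(ident) != 2 or not re.fullmatch(r"\d{2}", ident[0]) \
            or not re.fullmatch(r"\d{10}", ident[1]):
        raise ValueError("identification sequence must be KP+II+10D+ST")
    if len(addr) > 1 or (addr and not re.fullmatch(r"\d{10}", addr[0])):
        raise ValueError("address sequence must be KP+10D+ST or KP+ST")
    sequence, meaning = INFO_DIGITS.get(ident[0], ("unknown", "not in the article's table"))
    return {
        "ii": ident[0], "sequence": sequence, "meaning": meaning,
        "ani": ident[1],                      # caller's number, NPA included
        "called": addr[0] if addr else None,  # None: KP+ST, dial tone only (10XXX#)
        "coin": ident[0] == "27",             # article: coin-phone calls are not put through
    }

# Constructed sample: the 10XXX# case, where the ANI arrives before the dial tone.
SAMPLE = parse_fgd("KP+00+2125550123+ST", "KP+ST")
```
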

800 NUMBERS

Now that we have the feature groups down pat we will talk about 800 numbers. Invisible to your eyes, there are two types of 800 numbers. There are those owned by AT&T--which sells WATS service. There are also new 800 exchanges owned by the IC's. So far, I believe only MCI, US SPRINT, and Western Union have bought their own 800 exchanges. It is very important not to use codes on 800 numbers in an exchange owned by an IC. But first...
When you dial an AT&T 800 number that goes to an IC's switch the following happens. The AT&T 800 number is translated at the AT&T switch to an equivalent POTS (Plain Old Telephone Service). This number is an FGA number and as stated before does not know where you're calling from. They might know what your general region is since the AT&T 800 numbers can translate to different POTS numbers depending on where you're calling from. This is the beauty of FGA and AT&T WATS but this is also why it's being phased out.
On the other hand, IC-owned 800 numbers are routed as FGD calls--very deadly. The IC receives:

KP+II+10D+ST

KP+800 NXX XXXX+ST

When you call an IC 800 number which goes to an authorization code-based service, you're taking a great risk. The IC's can find out very easily where you're calling from. If you're in an electronic central office your call can go directly over an FGD trunk. When you dial an IC 800 number from a non-electronic CO your call gets routed through another switch, thus ending up with the same undesirable effect.
MCI is looking into getting an 800 billing service tariffed where a customer's 800 WATS bill shows the number of everyone who has called it. The way the IC's handle billing, if they wanted to find out who made a call to their 800 number, that information would be available on billing tapes. The trick is not to use codes on an IC owned 800
The way to find out who owns an 800 exchange is to call 800-NXX-0000 (NXX being the 800 exchange). If this is owned by AT&T you will get a message saying, "You have reached the AT&T Long Distance Network. Thank you for choosing AT&T. This message will not be repeated." When you dial an exchange owned by an IC you will usually get a recording telling you that your call cannot be completed as dialed, or else you will get a recording with the name of the IC. If you call another number in an AT&T 800 exchange (i.e. 800-NXX-0172) the recording you get should always have an area code followed by a number and a letter, for example, "Your call cannot be completed as dialed. Please check the number and dial again. 312 4T." As of last month, most AT&T recordings are done in the same female voice. An MCI recording will tell you to "Call customer service at 80-444-444" followed by a switch number ("MCI 20G").
Some companies, such as US Sprint, are redesigning their networks. Since the merger of US Telecom and GTE Sprint, US Sprint has had 2 separate networks. The US Telecom side was Network 1 and the GTE side was Network 2. US Sprint will be joining the two, thus forming Network 3. When Network 3 takes effect there will be no more 950-0777 or 10777. All customers will have 14 digit travel cards (referred to as FON cards, or Fiber Optic Network cards) based on their telephone numbers. Customers who don't have equal access will be given seven digit "home codes". These authorization codes may only be used from your home town or city. The access number they will be pushing for travel code service will be 800-877-8000. This cutover was supposed to be completed by June 27th, 1987 but the operation has been pushed back.
One last way to tell if the port you dialed is in an IC's 800 exchange is if it doesn't ring before you get the tone. When you dial an FGA number it will ring shortly but when you dial 10XXX# you get the tone right away. Last but not least, I will provide you with a list of 800 exchanges that are owned by IC's. A majority of them are owned by MCI.

1800-XXX-....
MCI

XXX= 234,274,283,284,288,289,333,365,444,456,627,666,678,727,759,777,825,876,888,937,950,955,999

US SPRINT

XXX= 347,366,699,877

WESTERN UNION

XXX= 988

And to avoid confusion, these are the AT&T 800 exchanges:

XXX= 202,212,221,222,223,225,227,228,231,232,233,235,237,238,241,242,243,245,247,248,251,252,253,25557,258,262,263,265,267,268,272,282,292,302,213,321,322,323,325,327,328,331,332,334,336,338,341,342,4,344,345,346,348,351,352,354,356,358,361,362,363,367,368,372,382,387,392,402,412,421,422,423,424,46,28,431,432,433,435,437,438,441,442,443,445,446,447,448,451,452,453,457,458,461,462,463,456,468,47,48,492,502,512,521,522,523,524,525,526,527,528,531,532,533,535,537,538,541,542,543,544,545,547,548551,52,553,554,555,556,558,561,562,563,565,567,572,582,592,602,612,621,622,624,626,628,631,632,633,34,63,637,638,641,642,643,645,647,648,652,654,661,662,663,665,667,672,682,692,702,712,722,732,742,72,762,72,782,792,802,812,821,882,824,826,828,831,832,833,835,841,842,843,845,847,848,851,852,854,85,858,86,872,874,882,892,902,912,922,932,942,952,962,972,982,992

(Other exchanges can be used by local phone companies--New Jersey Bell, Mountain Bell, etc.)
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 
