A pounds 54,000 telephone bill? You've been phreaked!

Telephone hackers, or 'phreakers', have learnt to break into voice- mail systems and can run up huge bills at others' expense. Charles Arthur meets rogue, victim and sleuth
To anyone who spends a lot of their day on the telephone, voice- mail often seems like the curse of modern life. Everyone knows that sinking feeling when you are desperately trying to contact somebody and instead get an artificial voice saying, "To leave a message, press 1. For other options, press 2. To transfer to an operator, press 0." Americans call this phenomenon "voice-mail jail".

Voice-mail in the UK is one of the great success stories of the Nineties. Sales grew 65 per cent in 1994 to reach pounds 61.5m; market estimates suggest that 38 per cent of companies have some form of voice-mail, compared to fewer than 200 systems installed nationwide in 1989.

But voice-mail is not always good news for the companies that install it. Phone hackers - "phreakers" - have found the automated switchboards that let you transfer between extensions are a fruitful area for attack. With a little skill and applied intelligence, they can guess the code number of the owner of a voice-mail "box" (the answering-machine aspect of the system) and listen to messages there. Some more experimentation lets them set the extension up so that they can dial out to the extension of their choice. From there, the sky's the limit - especially where the company's telephone bill is concerned.

The phreaker's tale

(We met in a pub near a big city station. He had the etiolated late-teenager look of someone who has spent too much time awake when it is dark. How did it start?)

"I had wanted to be a hacker since I was quite young, but I never had a powerful computer. Then in 1992 I read a book called Approaching Zero which was about data crime in the computing world. I got more interested in becoming a hacker, but still didn't have a computer and modem.

"One paragraph of the book covered voice-mail and mentioned that it could be hacked, though it didn't say how. But you didn't need a computer, just a domestic phone. I already had that.

"So I bought a computer magazine, figuring that computer companies would advertise there and they would be likely to have voice-mail. One of them had an 0800 number. I called it one night, got the automatic response, and started pressing the star and hash keys and various numbers pretty much at random. After a while I found I had broken into their voice-mail system. It was a great moment, a terrific moment, that first time.

"I realised that on a lot of extensions the key to the voice-mail was the same number as the extension. That was the default and no one had changed it. I broke into people's mailboxes and listened to their messages. Then I found you could set it to divert incoming calls to another number. I spent a couple of nights playing around to find out how: at first it seemed not to work. Then I realised I had to prefix the numbers with '9' to get an outside line. That meant if the extension wasn't answered - and it wasn't going to be because I was calling between 10pm and 7am - then it would divert to the outside number I had set. They wouldn't notice during the day because they would either pick it up, or else the person ringing them who got diverted would think something odd had happened, but not bother about it.

"After that I just started going for 0800 numbers, working through the Yellow Pages. It takes about 1,000 calls to find one company you can crack. It takes about one night of dialling hard to go through that many. I was really good at cracking the SDX switchboards and the BT Meridian.

"At the end of 1993, I read a newspaper article about voice-mail hacking and began to realise there were quite a few other people doing what I was doing. Once, I hacked a voice-mail system so I was the system administrator - I had the power to set up voice-mail boxes for myself. All this from my phone in my bedroom. As I was going through the mailboxes, listening to the messages, I found a small community of hackers in the system, using a spare box. I left them a message telling them to get in touch.

"I could use those voice-mail systems I'd broken into from anywhere in the country, and talk for hours for free. The companies paid for the 0800 number and they paid for the outgoing calls, too. If somebody did it to me, though, I'd be really pissed off.

"The people who sell these systems could tell customers about these flaws, but they don't. Instead, they wait until the customer is defrauded or somebody tells them. Sure, you can argue that it's still an offence for someone to drive away a car even if you've left it unlocked with the keys in the ignition. But it's like the voice-mail companies know there are thieves out there but they don't put in locks and they just have a switch for the ignition."

The company's tale: the information systems manager

"BT installed one of the Meridian switchboards when we moved to Richmond. At first we thought we had a problem with nuisance calls. At about 5.30pm there'd be a call, and when the person answered it the phone would be put down. We didn't think much more of it.

"I discovered totally by fluke that people were calling in, waiting for a number, inputting '9' and ringing places like the US and Pakistan all night. It was between October and December of 1994, for six weeks. We had 48 lines going out of the building and at some times - at about 4am - they would all be busy. I just happened to be late in the building one night when I heard some phones ringing. Then I checked the exchange to see the load on the phone switchboard. I drove home and started dialling our company number and messing around and suddenly I hit it. It gave me the willies, I can tell you.

"I told BT straight away, and they reprogrammed the switchboard remotely so that particular facility was disabled. But they had never told us people could just dial in and dial through like that. The hackers cost us pounds 54,000 during those six weeks."

The consultant's tale

(John Chatterton, based in Wargrave, Berkshire, has helped a number of companies fend off phreakers.)

"Virtually any phone exchange can be hit. Once a system is breached, the number of calls rises quickly for about a week or two and then reaches a plateau. Then it rises very sharply again, and goes to different countries as the number is spread to other phreakers over bulletin-board systems. Then it plateaus again. Then there's a final phase where calls get made to places like Africa, Russia and Pakistan, by which time the word is really all over.

"Most companies that get invaded are big, because they need a facility- rich exchange such as something that lets people dial in remotely to get voice-mail. Like computer hacking, no [company] tells the truth about being hit because it's too embarrassing. I have been trying to get cases brought to court but the companies are paranoid about anybody finding out that they were hit. In one week a team of phreakers could tot up a phone bill to a company of pounds 50,000, accelerating up to pounds 100,000 per week. The limiting resource is how many outgoing lines there are at the company.

"But hacking could always have been avoided. It's carelessness. The trouble is, these systems are being provided to people who haven't got the technical competence, which makes them natural victims. Or else the company's been getting rid of its telecoms department and replacing them with this switchboard, so there's no expertise inside the company."