AT&T lets phone fraud victims off the hook

'Yes-Yes' voicemail subversion

AT&T said Wednesday that it would forgive all of the outstanding long distance charges that the company had been trying to collect from victims of the notorious "Yes-Yes" voicemail subversion fraud.

The announcement follows months of fierce criticism of AT&T by consumer advocates, and the filing of two class-action lawsuits charging the company with unfair business practices. "It's good news for these consumers who have been scared blind by these charges and have developed health problems and stress problems dealing with these things," says Linda Sherry of Consumer Action, a non-profit group that championed the fraud victims. "AT&T dug in their heels for so long."

Last year fraudsters began cracking weak and default PINs on individual and small business voice mail boxes provided by local phone companies, then changing the outgoing messages to say "yes, yes, yes" over and over again. The newly-agreeable voice mail could then be used for third-party billings, with AT&T's voice recognition-based billing verification system -- and even live operators -- easily fooled by the virtual yes men.

The scam left scores of victims holding the bag for thousands of dollars of long distance calls they never made -- typical bills ran between $8,000 and $12,000. AT&T insisted that the victims pay up, arguing that it was the consumer's poor voice mail security that was at fault.

Telephone Turing Test

When pressed, the company sometimes offered to absorb 35% of a fraudulent billing, but pursued collection against consumers that didn't pay the rest. "We held the customer liable because it's the customer's voice mail service," says AT&T spokesman Jim Byrnes. "If they choose not to pay, we eat the expense."

The company announced Wednesday that it will abandon those collection efforts against consumers who "resolve disputed charges with appropriate documents and agree to cooperate with AT&T in efforts to recover damages against any parties liable as a result of the fraudulent long-distance calling," according to a statement.

"It comes as fabulous news to me," says San Francisco travel agent Maureen Claridge. Claridge was billed for $8,000 for 36 hours of phone calls made from Saudi Arabia after her voice mail was cracked last November. Claridge refused to pay, and was served with legal notice from AT&T last week. "They served me last Tuesday... This is incredible," she says.

AT&T says the amnesty offer only applies to past victims of this particular type of fraud -- the company counts less than 250 among its own customers.

To combat the scam, AT&T recently added a Turing test to its billing verification process: to accept a third-party billing now, a customer must prove to AT&T's computer that he or she is human by repeating a randomly-chosen number, the company says. AT&T claims the measure has all but eliminated the Yes-Yes fraud on their network. "We're confident that we have implemented these measures to handle this fraud adequately," says Byrnes, who nevertheless advises consumers to secure their voice mail. "We're urging customers to remain vigilant to safeguard their systems."

© SecurityFocus
