
AT&T lets phone fraud victims off the hook

'Yes-Yes' voicemail subversion


AT&T said Wednesday that it would forgive all of the outstanding long distance charges that the company had been trying to collect from victims of the notorious "Yes-Yes" voicemail subversion fraud.

The announcement follows months of fierce criticism of AT&T by consumer advocates, and the filing of two class-action lawsuits charging the company with unfair business practices. "It's good news for these consumers who have been scared blind by these charges and have developed health problems and stress problems dealing with these things," says Linda Sherry of Consumer Action, a non-profit group that championed the fraud victims. "AT&T dug in their heels for so long."

Last year fraudsters began cracking weak and default PINs on individual and small business voice mail boxes provided by local phone companies, then changing the outgoing messages to say "yes, yes, yes" over and over again. The newly-agreeable voice mail could then be used for third-party billings, with AT&T's voice recognition-based billing verification system -- and even live operators -- easily fooled by the virtual yes men.

The scam left scores of victims holding the bag for thousands of dollars of long distance calls they never made -- typical bills ran between $8,000 and $12,000. AT&T insisted that the victims pay up, arguing that it was the consumer's poor voice mail security that was at fault.

Telephone Turing Test

When pressed, the company sometimes offered to absorb 35% of a fraudulent billing, but pursued collection against consumers that didn't pay the rest. "We held the customer liable because it's the customer's voice mail service," says AT&T spokesman Jim Byrnes. "If they choose not to pay, we eat the expense."

The company announced Wednesday that it will abandon those collection efforts against consumers who "resolve disputed charges with appropriate documents and agree to cooperate with AT&T in efforts to recover damages against any parties liable as a result of the fraudulent long-distance calling," according to a statement.

"It comes as fabulous news to me," says San Francisco travel agent Maureen Claridge. Claridge was billed for $8,000 for 36 hours of phone calls made from Saudi Arabia after her voice mail was cracked last November. Claridge refused to pay, and was served with legal notice from AT&T last week. "They served me last Tuesday... This is incredible," she says.

AT&T says the amnesty offer only applies to past victims of this particular type of fraud -- the company counts fewer than 250 among its own customers.

To combat the scam, AT&T recently added a Turing test to its billing verification process: to accept a third-party billing now, a customer must prove to AT&T's computer that he or she is human by repeating a randomly-chosen number, the company says. AT&T claims the measure has all but eliminated the Yes-Yes fraud on their network. "We're confident that we have implemented these measures to handle this fraud adequately," says Byrnes, who nevertheless advises consumers to secure their voice mail. "We're urging customers to remain vigilant to safeguard their systems."
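The repeat-a-random-number check can be sketched as a single-use challenge set beside the older yes/no acceptance. This is an added example, not AT&T's code: the class and function names, the four-digit length, the 30-second expiry and the transcript format are all assumptions made for illustration.

```python
import hmac
import secrets
import time

# Spoken-digit vocabulary a speech recognizer might return (constructed for this example).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def transcript_to_digits(transcript):
    """Map a recognized utterance to a digit string; None if any token is not a digit."""
    digits = []
    for token in transcript.lower().replace(",", " ").split():
        if token in WORDS:
            digits.append(WORDS[token])
        elif token.isascii() and token.isdigit():
            digits.append(token)
        else:
            return None
    return "".join(digits) or None


def legacy_verify(transcript):
    """Pre-fix behaviour described in the article: any affirmative answer is accepted."""
    return "yes" in transcript.lower().split()


class NumberChallenge:
    """Single-use random number the answering party must repeat back (hypothetical design)."""

    def __init__(self, length=4, ttl_seconds=30, now=time.monotonic):
        self._now = now
        self.expected = "".join(secrets.choice("0123456789") for _ in range(length))
        self._expires = now() + ttl_seconds
        self._used = False

    def verify(self, transcript):
        # One attempt per challenge: a failed or repeated answer needs a fresh number.
        if self._used or self._now() > self._expires:
            return False
        self._used = True
        spoken = transcript_to_digits(transcript)
        return spoken is not None and hmac.compare_digest(spoken, self.expected)


GREETING = "yes yes yes yes"  # constructed stand-in for the altered outgoing message
```

A fixed recording passes `legacy_verify` every time but can never satisfy `NumberChallenge.verify`, because the expected answer is drawn fresh for each call and is not known when the greeting is recorded.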

© SecurityFocus
