cat cell Some Articles on Cellular Fraud from the Telecom Digest on the Usenet Uploaded by Elric of Imrryr (lll-lcc!csustan!elric) Article #1 Well, although Cellular is "untraceable" in the same way that regular phones are, it still is not the ideal system to commit toll fraud on. >From what I understand about how the cellular system works, a new subscriber is assigned a phone number, and then given a 4 digit code that is unique to his cellular phone. Thus, the chip that is placed into a cell phone to identify it may have a # like this: 212-909-1234-5555. The 5555 is the 4 digit ID code, very much like the PIN number on Bell System Calling Cards. When you request service, you have to have your number "turned on" at the Cellular Company. And, like a calling card, the Cell Co. checks to see if the special ID # matches before it puts the call through (It checks a lot of other things too, like signal strength and stuff, but that's not important now...). So in order for someone to make free calls, he has to know an active number, and then go to the dealer who sold the phone with that number and ask the dealer what the ID number is. If the dealer is unscrupulous, he will give out the ID number, and THEN you can make free calls. However, in no more than a month, if the customer finds that there are a lot of calls which he did not make, he can call the Cell. Co. and demand that they remove the calls from his bill. The Cell. Co. will also change the ID number, and if they are smart will check out the Cellular phone dealer to see if he gave away the ID code to that specific number. So what free Cellular service will get you is at best a month's worth of calls, and that's about it. Also, you will have to go to different dealers all the time, since if it happened with the same dealer a lot the Cell Co. might investigate the Cellular phone dealer. Also, you would have to change your number every month if you wanted people to call you. Stolen Bell Cards work the same way, although faster. If you steal a Bell System Calling Card, and you use it a lot, the local Bell Company (or, heaven forbid, the GTE company if you can manage to use a calling card there! :-) ) will call the paying customer and ask "did you make 300 calls today?". Usually, the customer says no, so they just cancel the card and issue a new PIN number to the customer, usually right away. (The system to assign PIN numbers is almost instantaneous, it seems. The minute they assign you a PIN # you can use it!). Assuming the free calls were made from a payphone, the Bell Co. will still call the destination numbers to see if anyone knows who called them, in hopes of catching the person. If they get enough people to say "Sure, I know Mr. so-and-so", then they may go after the person who stole the card. The point is that Bell Calling Cards have a built in safety system to protect against fraud. (The alternates don't have anything quite as sophisticated...). It would not be very hard to put a similar "excessive use" system of cellular phones. Thus, if cell fraud becomes pervasive, it should be a relatively simple manner to end it, and thus Cell Fraud is really not much better than the standard stuff people do at payphones. Also, Bell System Calling Cards can be used as frequently as you like. The normal "warning" occurs if you have more that 30 calls in 3 hours (or is it 36?). However, if you use your Bell Card a lot (like I do), then you can ask your local Bell Co. to put a little note on your account that you are a heavy user of the card. That way, if you make more than 30 calls in 3 hours (or whatever), you don't get the card turned off. This is VERY convenient if you are away from home and don't want to worry about how many calls you make. Basically then, the people who designed the Cellular System were smart, and they made sure you can't cheat it too easily or too long. Seeing how easy it is for them to stop Calling Card fraud, I see no reason why with the Cellular system set up the way it is that they can't prevent Cell fraud as well... (I'm sure I made a few mistakes there, so any corrections are welcome...) Well, that's my two cents worth! - -Doug REUBEN@WESLYN.BITNET S.D-REUBEN%KLA.WESLYN%WESLEYAN.BITNET@WISCVM.ARPA ...seismo!weslyn.bitnet!reuben (UUCP) ------- Article #2 Excuse me...YOU ARE WRONG! The Electronic Serial Number is an 8 digit Hexidecimal number. It is not easily changed. Both the MIN, (Mobil Id Number, your phone number) and the ESN are sent out when you press the send key. Your MIN is easily changed by reprogramming your phone, but the ESN is not easily changed. To change your phone number, both the phone, and the cell system must be changed. Depending on the cell system you are trying to commit fraud on, you may get several months of free calls, or just one. If you are using one of the systems that participate in the fraud detection systems in use, (the name slips my mind at the moment), your service will be cut off after the first fraudulent call--in all of those systems. You may have gotten the 5 digit code from the lock feature that comes with most cell phones these days. This is just a security feature to keep your phone from being used while it's unattended. It has nothing to do with the cell system itself. My phone only has a 3 digit security code. I usually see this security code set to the last n digits of the phone's phone number. -Mike Article #3 The "PIN" on the telephone number is NOT assigned by the Cellular Phone company, but rather is the serial number of the radio you are using. Every radio has a unique serial number, supposedly on a chip that is epoxied onto the radio's PC board. The number is in the format XX-0-XXXX where X represents hex digits. The first XX is the manufacturer's code (e.g. for EF Johnson phones it is 83) and the last XXXX is the manufacturer's serial number for your phone. The PROM which has your cellular phone number, features, etc., is removable, of course. The only "security" thing on this PROM (sometimes called a NAM) is the lock-code for your phone, which of course can be easily read (the main purpose of the lock-code is to keep away randoms who might try to use your phone in your car. When your phone initiates a call it transmits the phone number and the radio serial number. They must match for the call to go through. That is why if you change the radio on your phone you (or your dealer) must call your cellular phone company to tell them about the new radio. The weakness in this system is that a thief could get ahold of a phone without a epoxied serial number (either by building one or by buying one of the cheapos that don't epoxy the serial number chip in it) and then change it. I suspect the easiest instance of fraud is to use an out-of-service-area phone number (e.g. a San Diego phone number in San Francisco) that has roamer privileges. Generally, the companies don't have serial number records for roamers (consider the problems of keeping records of some other company's customers!) and rely upon hot-listing known bad guys. So you pick a fraudulant phone number and serial number pair, and change it periodically when the company finds out it ain't real. This must be what the drug pushers and similar slime are doing. They aren't particularly clever, they're relying upon the deregulation mania of the present US regime to guarantee poor communication between telephone service providers. ------- Article #4 If the cellular ID numbers are sent from the car are unencrypted, someone with the right (underground) connections could make quite a fortune by building a box that pulls these numbers "out of the air". Are protocols used by cellular phones published anywhere? Mike Article #5 Path: csustan!lll-lcc!ames!ucbcad!ucbvax!TOPAZ.RUTGERS.EDU!ron From: ron@TOPAZ.RUTGERS.EDU (Ron Natalie) Newsgroups: comp.dcom.telecom Subject: Re: Cellular Fraud Date: 2 Jun 87 15:29:25 GMT Organization: Rutgers Univ., New Brunswick, N.J. Lines: 17 > The Electronic Serial Number is an 8 digit Hexidecimal number. It is not > easily changed. Both the MIN, (Mobil Id Number, your phone number) and the > ESN are sent out when you press the send key. Your MIN is easily changed > by reprogramming your phone, but the ESN is not easily changed. To change Make that, it is not supposed to be easily changed. While the ESN is not in that NAM (the EPROM with the phone number) in it's nice ZIF socket, many manufacturers just put it in another ROM which anybody with a small amount of electronics background can change. I would expect the most common sort of Cellular fraud involves using phones from another system through automatic ROAM agreements. Presumably the ESN/Phone number checking isn't as rigourous or as up-to-date in remote systems as it is in your home system. -Ron Article #6 Path: csustan!lll-lcc!ames!ucbcad!ucbvax!hoptoad.UUCP!gnu From: gnu@hoptoad.UUCP (John Gilmore) Subject: Re: Cellular Fraud -- trivial Date: 4 Jun 87 10:53:18 GMT Organization: The ARPA Internet Lines: 32 Approved: telecom@buit1.bu.edu In article <8705312136.AA01347@mimsy.umd.edu>, mgrant@MIMSY.UMD.EDU (Michael Grant) writes: > The Electronic Serial Number is an 8 digit Hexidecimal number. It is not > easily changed. Both the MIN, (Mobil Id Number, your phone number) and the > ESN are sent out when you press the send key. Your MIN is easily changed > by reprogramming your phone, but the ESN is not easily changed. To change > your phone number, both the phone, and the cell system must be changed. The whole thing is pretty silly. Each unit has a serial number and the serial number is "supposed to be" impossible to change. Actually in many systems it is in a PROM in a socket, so no biggy. Even if it was impossible to change, it's not impossible to change the ROMs that hold the program that runs the phone, so you could always reprogram it to ignore the ROM. You could embed the whole phone in epoxy, but who would buy a $2000 phone that you have to throw away if any little thing breaks? The best deal would be to make a program ROM where if you put it in this mode, it would listen on the control channel for phones making calls or answering rings, and save away 10 or 20 of their phone number/ serial number pairs. Anytime you wanted to make a call, it would pick one at random and pretend to be that phone. The load on any individual's bill would be light enough that you'd be hard to catch. This would not let you receive calls for free, but I seem to recall some scheme for that, too. Geoff Goodfellow, Bob Jesse, and Andrew Lamothe published a paper on this in the November 1985 issue of Personal Communications Technology magazine (FutureComm Publications Inc., 4005 Williamsburg Ct., Fairfax, VA 22032, 703/352-1200). The cellular phone standard is called "EIA IS-3-B" though I think they recently upgraded it to "-C". You can get a copy from Global Engineering Documents (call 800 information). It is not lucid but it is readable if you flip around a lot and think about it. well?