💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › CELLULAR › cellfrd.txt captured on 2022-06-12 at 17:27:09.



Some Articles on Cellular Fraud from the Telecom Digest on the Usenet
        Uploaded by Elric of Imrryr (lll-lcc!csustan!elric)

Article #1

Well, although Cellular is "untraceable" in the same way that regular phones
are, it still is not the ideal system to commit toll fraud on.

From what I understand about how the cellular system works, a new
subscriber is assigned a phone number, and then given a 4 digit code
that is unique to his cellular phone. Thus, the chip that is placed
into a cell phone to identify it may have a # like this:
212-909-1234-5555. The 5555 is the 4 digit ID code, very much like the
PIN number on Bell System Calling Cards.

When you request service, you have to have your number "turned on" at the
Cellular Company. And, like a calling card, the Cell Co. checks to see if the
special ID # matches before it puts the call through (It checks a lot of other
things too, like signal strength and stuff, but that's not important now...).

So in order for someone to make free calls, he has to know an active number,
and then go to the dealer who sold the phone with that number and ask the
dealer what the ID number is. If the dealer is unscrupulous, he will give out
the ID number, and THEN you can make free calls.

However, in no more than a month, if the customer finds that there are a lot
of calls which he did not make, he can call the Cell. Co. and demand that they
remove the calls from his bill. The Cell. Co. will also change the ID number,
and if they are smart will check out the Cellular phone dealer to see if he
gave away the ID code to that specific number.

So what free Cellular service will get you is at best a month's worth of calls,
and that's about it. Also, you will have to go to different dealers all the
time, since if it happened with the same dealer a lot the Cell Co. might
investigate the Cellular phone dealer. Also, you would have to change your
number every month if you wanted people to call you.

     Stolen Bell Cards work the same way, although faster. If you steal a Bell
System Calling Card, and you use it a lot, the local Bell Company (or, heaven
forbid, the GTE company if you can
manage to use a calling card there! :-) ) will call the paying customer and
ask "did you make 300 calls today?". Usually, the customer says no, so they
just cancel the card and issue a new PIN number to the customer, usually right
away. (The system to assign PIN numbers is almost instantaneous, it seems. The
minute they assign you a PIN # you can use it!). Assuming the free calls were
made from a payphone, the Bell Co. will still call the destination numbers to
see if anyone knows who called them, in hopes of catching the person. If they
get enough people to say "Sure, I know Mr. so-and-so", then they may go after
the person who stole the card.

    The point is that Bell Calling Cards have a built in safety system to
protect against fraud. (The alternates don't have anything quite as
sophisticated...). It would not be very hard to put a similar "excessive use"
system of cellular phones. Thus, if cell fraud becomes pervasive, it should be
a relatively simple manner to end it, and thus Cell Fraud is really not much
better than the standard stuff people do at payphones.

     Also, Bell System Calling Cards can be used as frequently as you like. The
normal "warning" occurs if you have more than 30 calls in 3 hours (or is it
36?). However, if you use your Bell Card a lot (like I do), then you can ask
your local Bell Co. to put a little note on your account that you are a heavy
user of the card. That way, if you make more than 30 calls in 3 hours (or
whatever), you don't get the card turned off. This is VERY convenient if you
are away from home and don't want to worry about how many calls you make.

    Basically then, the people who designed the Cellular System were smart,
and they made sure you can't cheat it too easily or too long. Seeing how easy
it is for them to stop Calling Card fraud, I see no reason why with the
Cellular system set up the way it is that they can't prevent Cell fraud as
well...

    (I'm sure I made a few mistakes there, so any corrections are welcome...)

    Well, that's my two cents worth! -

    -Doug

REUBEN@WESLYN.BITNET
S.D-REUBEN%KLA.WESLYN%WESLEYAN.BITNET@WISCVM.ARPA
...seismo!weslyn.bitnet!reuben (UUCP)

-------

Article #2

Excuse me...YOU ARE WRONG!

The Electronic Serial Number is an 8 digit Hexadecimal number.  It is not
easily changed.  Both the MIN, (Mobile Id Number, your phone number) and the
ESN are sent out when you press the send key.  Your MIN is easily changed
by reprogramming your phone, but the ESN is not easily changed.  To change
your phone number, both the phone, and the cell system must be changed.

Depending on the cell system you are trying to commit fraud on, you may
get several months of free calls, or just one.  If you are using one of
the systems that participate in the fraud detection systems in use, (the
name slips my mind at the moment), your service will be cut off after the
first fraudulent call--in all of those systems.

You may have gotten the 5 digit code from the lock feature that comes with
most cell phones these days.  This is just a security feature to keep
your phone from being used while it's unattended.  It has nothing to do
with the cell system itself.  My phone only has a 3 digit security code.
I usually see this security code set to the last n digits of the phone's
phone number.
-Mike

Article #3

The "PIN" on the telephone number is NOT assigned by the Cellular
Phone company, but rather is the serial number of the radio you
are using.  Every radio has a unique serial number, supposedly on
a chip that is epoxied onto the radio's PC board.  The number is
in the format XX-0-XXXX where X represents hex digits.  The first
XX is the manufacturer's code (e.g. for EF Johnson phones it is
83) and the last XXXX is the manufacturer's serial number for your
phone.

The PROM which has your cellular phone number, features, etc., is
removable, of course.  The only "security" thing on this PROM
(sometimes called a NAM) is the lock-code for your phone, which of
course can be easily read (the main purpose of the lock-code is to
keep away randoms who might try to use your phone in your car).

When your phone initiates a call it transmits the phone number and
the radio serial number.  They must match for the call to go through.
That is why if you change the radio on your phone you (or your dealer)
must call your cellular phone company to tell them about the new
radio.

The weakness in this system is that a thief could get hold of a
phone without an epoxied serial number (either by building one or by
buying one of the cheapos that don't epoxy the serial number chip in
it) and then change it.  I suspect the easiest instance of fraud is
to use an out-of-service-area phone number (e.g. a San Diego phone
number in San Francisco) that has roamer privileges.  Generally, the
companies don't have serial number records for roamers (consider the
problems of keeping records of some other company's customers!) and
rely upon hot-listing known bad guys.  So you pick a fraudulent
phone number and serial number pair, and change it periodically when
the company finds out it ain't real.

This must be what the drug pushers and similar slime are doing.  They
aren't particularly clever, they're relying upon the deregulation
mania of the present US regime to guarantee poor communication between
telephone service providers.
-------
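As an added example (not code from any of the posts above), here is how the two carrier-side checks the thread describes can be run over call records: the MIN/ESN pairing check from Article 3, and the "more than 30 calls in 3 hours" excessive-use rule with the heavy-user account note from Article 1. The subscriber table, the record format and every sample value are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed subscriber table (hypothetical values): MIN -> ESN registered for that number.
REGISTERED = {"2129091234": "83012345", "4155550199": "8300ABCD"}
# Accounts carrying the "heavy user" note from Article 1: exempt from the velocity rule.
HEAVY_USERS = {"4155550199"}
THRESHOLD, WINDOW = 30, timedelta(hours=3)   # "more than 30 calls in 3 hours"

def parse_record(line):
    """Assumed record format: MIN,ESN,ISO-8601 timestamp (one call attempt per line)."""
    min_, esn, ts = line.strip().split(",")
    return min_, esn, datetime.fromisoformat(ts)

def scan(lines, registered=REGISTERED, heavy_users=HEAVY_USERS):
    """Return alerts as (kind, MIN, detail, timestamp); records must be in time order per MIN."""
    alerts = []
    recent = defaultdict(deque)          # MIN -> timestamps inside the sliding window
    for line in lines:
        min_, esn, ts = parse_record(line)
        expected = registered.get(min_)
        # Article 3: the transmitted ESN must match the one on file for this MIN.
        # Roamers (no record on file) skip this check and rely on the velocity rule.
        if expected is not None and esn != expected:
            alerts.append(("esn_mismatch", min_, esn, ts))
            continue
        window = recent[min_]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop calls older than 3 hours
            window.popleft()
        if len(window) > THRESHOLD and min_ not in heavy_users:
            alerts.append(("velocity", min_, len(window), ts))
    return alerts

def sample_lines():
    """Constructed call records, not real traffic."""
    base = datetime(1987, 6, 2, 9, 0)
    lines = [f"2129091234,83012345,{(base + timedelta(minutes=5 * i)).isoformat()}"
             for i in range(31)]                       # 31 calls in 2.5 hours
    lines.append(f"2129091234,83099999,{(base + timedelta(hours=3)).isoformat()}")  # wrong ESN
    lines += [f"4155550199,8300ABCD,{(base + timedelta(minutes=4 * i)).isoformat()}"
              for i in range(35)]                      # heavy user, no alert expected
    return lines

if __name__ == "__main__":
    for alert in scan(sample_lines()):
        print(alert)
```

Running it reports one velocity alert on the 31st call from the first number and one ESN mismatch, while the heavy-user account's 35 calls produce nothing.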

Article #4

If the cellular ID numbers sent from the car are unencrypted, someone
with the right (underground) connections could make quite a fortune by
building a box that pulls these numbers "out of the air".

Are protocols used by cellular phones published anywhere?

        Mike


Article #5
Path: csustan!lll-lcc!ames!ucbcad!ucbvax!TOPAZ.RUTGERS.EDU!ron
From: ron@TOPAZ.RUTGERS.EDU (Ron Natalie)
Newsgroups: comp.dcom.telecom
Subject: Re:  Cellular Fraud
Date: 2 Jun 87 15:29:25 GMT
Organization: Rutgers Univ., New Brunswick, N.J.
Lines: 17


> The Electronic Serial Number is an 8 digit Hexadecimal number.  It is not
> easily changed.  Both the MIN, (Mobile Id Number, your phone number) and the
> ESN are sent out when you press the send key.  Your MIN is easily changed
> by reprogramming your phone, but the ESN is not easily changed.  To change

Make that, it is not supposed to be easily changed.  While the ESN is not
in that NAM (the EPROM with the phone number) in its nice ZIF socket, many
manufacturers just put it in another ROM which anybody with a small amount
of electronics background can change.

I would expect the most common sort of Cellular fraud involves using
phones from another system through automatic ROAM agreements.  Presumably
the ESN/Phone number checking isn't as rigorous or as up-to-date in remote
systems as it is in your home system.

-Ron


Article #6
Path: csustan!lll-lcc!ames!ucbcad!ucbvax!hoptoad.UUCP!gnu
From: gnu@hoptoad.UUCP (John Gilmore)
Subject: Re:  Cellular Fraud -- trivial
Date: 4 Jun 87 10:53:18 GMT
Organization: The ARPA Internet
Lines: 32
Approved: telecom@buit1.bu.edu

In article <8705312136.AA01347@mimsy.umd.edu>, mgrant@MIMSY.UMD.EDU (Michael Grant) writes:
> The Electronic Serial Number is an 8 digit Hexadecimal number.  It is not
> easily changed.  Both the MIN, (Mobile Id Number, your phone number) and the
> ESN are sent out when you press the send key.  Your MIN is easily changed
> by reprogramming your phone, but the ESN is not easily changed.  To change
> your phone number, both the phone, and the cell system must be changed.

The whole thing is pretty silly.  Each unit has a serial number
and the serial number is "supposed to be" impossible to change.
Actually in many systems it is in a PROM in a socket, so no biggy.
Even if it was impossible to change, it's not impossible to change
the ROMs that hold the program that runs the phone, so you could
always reprogram it to ignore the ROM.  You could embed the whole
phone in epoxy, but who would buy a $2000 phone that you have to throw
away if any little thing breaks?

The best deal would be to make a program ROM where if you put it in
this mode, it would listen on the control channel for phones making
calls or answering rings, and save away 10 or 20 of their phone number/
serial number pairs.  Anytime you wanted to make a call, it would pick
one at random and pretend to be that phone.  The load on any
individual's bill would be light enough that you'd be hard to catch.
This would not let you receive calls for free, but I seem to recall
some scheme for that, too.  Geoff Goodfellow, Bob Jesse, and Andrew
Lamothe published a paper on this in the November 1985 issue of
Personal Communications Technology magazine (FutureComm Publications
Inc., 4005 Williamsburg Ct., Fairfax, VA  22032, 703/352-1200).

The cellular phone standard is called "EIA IS-3-B" though I think they
recently upgraded it to "-C".  You can get a copy from Global Engineering
Documents (call 800 information).  It is not lucid but it is readable
if you flip around a lot and think about it.


well?