AT&T Demands Payment, Doesn’t Care If Business Owner Made $900K Worth Of Calls To Somalia Or Not

When a small Massachusetts business that never in the past ever called the Africa nation of Somalia racks up almost $900,000 in calls in four days to that country, some might find that unusual. Instead, AT&T decided that was totally normal and that the business — which usually runs up a bill of about $700 per month — should be on the hook for $1.5 million, including charges and interest. And the kicker? AT&T apparently doesn’t think he made those calls either.

The owner of  the small manufacturing firm is now being sued by AT&T for $1.15 million for charges incurred over a four-day period in September 2009. He claims someone hacked into his company’s phone system to make hundreds of calls to Somalia.

“Nothing about this makes sense,” he told the Salem News, adding that a bill that size would force him into bankruptcy, and leave 14 employees without jobs.

His business, which makes equipment and supplies for machine shops, uses a private telephone network system called PBX with eight lines. A hacker could potentially gain access by dialing the company and then entering access codes until they get in, allowing them to then place calls anywhere.

The business’s phone service is provided by Verizon, which did notice an unusual amount of international calls — $260,000 worth — in one weekend, and shut down the company’s ability to make such calls. Verizon later wrote off the bill.

AT&T was used as by the hackers as a “dial around” long-distance service, claims the business owner, who says he never had a contract with AT&T for phone service.

“This is the crazy part,” he said. “AT&T is not arguing over whether these calls were fraudulent. There’s no dispute there.”

AT&T claims the company should’ve taken more precautions to prevent unauthorized access to its phone system, and that under Federal Communications Commission regulations, it’s allowed to collect the money from the owner of the phone line used to make the calls, even if the business wasn’t the one making the calls.

The business owner has filed a countersuit against AT&T, alleging abuse of the legal process and violation of state consumer protection laws. The case is scheduled for a mediation session next month.

“It could all be over if there’s a judgment against us,” said the business owner. “It’s my life. It’s 14 families that I love dearly. We’re all vulnerable.”

A million-dollar bill: Victim of phone hacking now facing lawsuit over charges [The Salem News]

Comments

Edit Your Comment

  1. Jawaka says:

    Ok math time. I think that there’s 1440 minutes in a day and therefore 4320 minutes in a weekend (if you count Friday). Verizon is claiming that $260,000 worth of calls were made in a single weekend? Correct me if I’m wrong but wouldn’t that be over $60 a minute for the calls?

    • AstroPig7 says:

      It was likely used for multiple simultaneous calls. I assume access was shared to other interested parties.

      • Jawaka says:

        So they spoke 24/7 for the whole weekend?

        • AstroPig7 says:

          The calls could have been made to premium numbers, possibly to hide the true source of Internet access. How willing would a Somalian ISP be to help identify an American access source? vnlindstrom also has a good point about the cost of international dialing.

        • iesika says:

          There are 8 phone lines through the business, so that’s up to 8 simultaneous calls.

          There’s more to this than talk-time, I am willing to bet, but I’m not exactly sure how it would work. I’m wondering if someone was somehow using this to get cash out at the other end, or for something related to hawala money transfers, or data transfer, or…I don’t even know. But they didn’t do it to get free phone calls home to mom. My bet right now would be on the transfer of data rather than voice.

        • edman007 says:

          They could easily be international pay numbers, set up a system in africa that charges $10/min to call (and listen to hold music or something stupid like that) and put that money into you account, and then hack a buisness, dial your number, and the effect is you siphon money from the buisness to your account, internationally through their phone bill.

          Due to the international nature of it, verizon and ATT do not have much recourse to get that money back, it’s probably gone and the country the scammer picked is good for the scammer, that leaves the US companies fighting over who has to foot the bill to pay the scammer, you can’t sue the scammer.

        • drkkgt says:

          We had something like this at my job. They would call for only a few seconds, then call again. With Provider math – that equals one minute (or more) per connection plus international fees. So three connects and disconnects in a minute would be three minutes in bills. Sort of makes you wonder if its someone tied to the Somalian phone companies doing it. One a side note – our phone company blocked it but still hit us up for the bill. Our phone manufacturer made it good for us by extending our support contract an equal amount (and fixing the hole.)

        • quail20 says:

          Not certain about the particulars of this case but criminals in the day would create ‘call centers’ that would operate off of cloned cell phones and hacked land lines. Immigrants would then show up and pay their money to call back home. These ‘call centers’ would operate around the clock in NYC, Chicago, L.A., etc. I’ve got the feeling his network was hacked partially for this type of transaction.

          They probably used it too to make fraudulent credit card charges off of those older, phone-line credit card readers.

    • Costner says:

      There were eight lines, so that knocks it down to $7.50 a minute. Still doesn’t smell right though… must have been a lot of additional connectivity charges etc. International calls can be expensive, but I wouldn’t expect more than a couple of bucks a minute.

    • vnlindstrom says:

      I wouldn’t be totally surprised if the math “checks out.” If this is a business that doesn’t make international calls, and is trying to save money by not buying a global long distance plan, calls to a place like Somalia, they’re going to get slammed at $10 or $20 or more per minute. They really screw business customers who don’t buy plans.

      Then when you consider there are eight lines at the company, it could add up correctly. It’s pretty ridiculous that this is even an issue, though, given that AT&T has admitted the calls were fraudulently made.

    • clarkis117 says:

      First off, I’m still wondering why they are charging for long distance calling, it cost them less than a penny for a phone call. Second, this is the year 2012 there are no more telecom systems, its all Voice Over Internet Protocol, but they still charge as if the call is going through a old telecom system. So, my question to the greedy telecom companies is WTF?

      • 2 Replies says:

        Your thinking with a first-world mentality.
        In third-world countries, *cough*somalia*cough*, there ARE likely to still be old telcom systems since they don’t have the means to set up the state-of-the-art infrastructure for a VOIP system.

      • bhr says:

        Can you read even a little? First, this all happened in 2009, not 2012.

        Second, VOIP is still not the dominant tech in phone service. This company was running off a PBX with 8 hard lines.

        Finally, you do realize that things don’t really cost less than a penny right?

        In reality, ATT is likely liable for the charges from the international carrier, (likely one they don’t have an agreement with ) and is going after the customer rather than footing the bill themselves.

        The real question (and it’s a fair one) is how much are we responsible for securing our own property?

        IF I make international calls from my cellphone I am responsible for the charges, obviously. If I lend it to a friend and they make those calls I am as well. What if I leave it on my desk all day and those charges show up? Or if I lose my phone and don’t report it immediately? Or if someone manages to spoof it?

        There is a moving line right now of when we are responsible for charges, and part of the problem is that every company has a different standard.

        • Brontide says:

          AT&T is involved after Verizon ( primary long distance carrier ) cut off service because of possible fraud. The hackers then used an old trick to direct dial into an alternate long distance carrier. The physical equivalent would be putting a lock on your pool and having the neighbors hop the 4 foot fence and throw a kegger while billing your house for the services rendered. While it might be possible to secure against this it’s bordering on absurd to have to have several different layered filters just to be able to claim that you have properly secured a PBX.

    • AustinTXProgrammer says:

      Dial around is going to activate the highest fee rates. AT&T needs better fraud detection to mitigate damages and this lack of mitigation attempt should be the businesses defense.

      I’m guessing AT&T is out quite a bit over this and business owners do have an obligation to keep their phone systems secure. Was it setup and maintained by a PBX vendor? If so there may be liability (and insurance) to cover this.

    • MeowMaximus says:

      AT&T used to be good. I was with them for many years, until I moved to Colorado. Now they are the Sears of phone companies.

  2. Costner says:

    Why do these types of stories always involve Somalia or Nigeria? Does anyone calling those countries actually do so legally?

    • Coffee says:

      That’s actually a good question. I bet that they don’t. I would imagine that they set up a small local switchboard in Nigeria, say, then hack into someone’s phone, call their own number, and charge exorbitant amounts.

  3. Blueskylaw says:

    I blame the small business owner for doing business in Somalia. He should have started with a more business friendly country such as Nigeria.

    • The Beer Baron says:

      Mmm; quite. I’ve been conversing with a chap from Nigeria for quite some time now. He’s a deposed prince or some such. Upstanding chap running into a bit of money troubles, it seems. I’ve invested in a project he proposed to me over electrical-post, though I’ve yet to see a return on it. But I have faith, sir! I have faith.

      • nugatory says:

        hmmm, would you be interested in investing in a monorail project in North Haverbrook?

  4. Lyn Torden says:

    This is why you need to make sure your phone system is tightly secured. Sue the provider of the phone system if you depended on them making it secure.

    • Martha Gail says:

      How do you secure a phone line? You need phone service, the company installs and turns it on. What else can you do?

      • kobresia says:

        It wasn’t the phone line itself that was cracked, it was the business’ PBX that was poorly configured.

        A PBX, or “private branch exchange” is basically an internal, typically automated switchboard system for a business. There’s usually a pool of external lines, in this case apparently 8 of them, and then there are usually dozens or hundreds of internal lines that provide a tone to each extension.

        So in this case, apparently the PBX was badly configured and opened the door to some phone phreaking, in which someone was able to dial-in into the system (the “press 1 for…or if you know your party’s extension, dial it now” greeting & menu is an example of the PBX user interface), get back to an outside line (dial 8 or 9), and then use that to make toll calls.

        What one can do to stop this is program the PBX to prevent any incoming external calls from being able to route externally. It’s probably either obsolete firmware or bad configuration that would allow this to happen.

        One can also set a password for toll calls (users who don’t have the password are limited to only local and toll-free external calls), all automated PBX systems that I’m familiar with support that. I suppose it’s possible to bypass that too if the system is really an obsolete wreck with known exploits, but it’s more likely that someone was just too cheap to pay a telecom tech to configure the PBX correctly.

  5. MunkyBoi says:

    Similar situation happened to me a couple years back, but for much much less. 3 calls, each for less than 2 minutes each – all to Nigeria – around $600.

    AT&T “legacy” managed out of India INSISTED that they were made on our line and would not discuss any differently. I asked if any other companies (including their technicians) had access to the local trunk for maintenance and repairs… you see what I’m getting at.

    They were the ULTIMATE authority on the matter and refused further discussion.

    Eventually after an EECB I got a US rep higher up the food chain to reach out to me and make the adjustments, but I was floored at how difficult it was to get results.

    • Lyn Torden says:

      You are dealing with a corporation. That’s bad enough. But this one is the worst of the worst of the worst. Just avoid doing ANY business with AT&T whatsoever.

  6. There's room to move as a fry cook says:

    Is AT&T on the hook for $1 million to another telco?

  7. Hi_Hello says:

    who are suppose to make sure it is secured? wouldn’t that person(s)/company(ies) be responsible?

  8. Blueskylaw says:

    60 minutes * 24 hours * 14 employees * 4 days = 80,640 possible minutes if all 14 employees had a business line and used it 24 hours a day for 4 days straight.

    $900,000 dollars divided by 80,640 minutes equals $11.16 a minute.

    I blame the OP since this sounds reasonable.

    • Blueskylaw says:

      Sorry, just read he had eight lines. That should read:

      900,000/(60 * 24* *8 *4) = $19.53 per minute.

      • vnlindstrom says:

        The only way I could ever see this as remotely reasonable is if AT&T really was on the hook to Somali Telecom (or whichever intermediary provider) even if the calls were fraudulent. I suspect AT&T’s network access deal with those providers is far more forgiving than the OP’s deal with AT&T.

      • Lyn Torden says:

        Be sure to account for the lines coming in to use the lines going out. What point is using 8 lines out to Somalia if the calls can’t be used because there are no lines in available. Try 4 lines out, used by 4 lines in.

  9. AustinTXProgrammer says:

    AT&T needs to back off the $22/minute rate (in article). I just looked up rates to Somalia with my carrier and it’s $0.40-0.60 and would have still stung. I of course have no idea what it was 3 years ago.

    Even Iridum should be less than $2/minute

  10. aischneider says:
  11. sparc says:

    they should settle for less, but he should still pay something for neglecting the problems with the system that were known since the first time the guy got hacked under Verizon.

    Ignorance is not a defense….

    • Lyn Torden says:

      … unless Verizon misrepresented the cause of the problem and led him to believe it was the account that got hacked instead of the PBX.

    • AustinTXProgrammer says:

      That is what I thought at first, but I believe it was the same event. The hackers started using a dialaround as soon as Verizon blocked the calls.

  12. Pete the Geek says:

    A followup article says that AT&T has dropped the suit:

    http://www.salemnews.com/local/x2004685445/AT-T-drops-suit-against-fraud-victim

    • Lyn Torden says:

      Looks like he got the outcome he wanted. So who configured his PBX? AT&T should now sue them.

      • Pete the Geek says:

        I was thinking that his business insurance should have covered it, but perhaps there are limits and, frankly, it is not something you would even know to specifically cover.

        • nbarnard says:

          Well this means that $1m that AT&T shelled out is going to be paid by all of us in little bits.. (Yeah, AT&T probably only paid $200k for the calls, but after interest, the employee time, and legal fees $1m isn’t out of the park..)

    • Beef Supreme says:

      A follow up article? Are you suggesting consumerist should fact check? PSHAW!

  13. kcvaliant says:

    I would tell the somali telco to get bent if I am at&t.

    Seriously I agree, how many legal calls go through to that pirate nation?
    System wide telco block would work besides prepaids.

  14. Peggee has pearls and will clutch them when cashiers ask "YOU GOT A WIC CHECK MA'AM?" says:

    AT&T claims the company should’ve taken more precautions to prevent unauthorized access to its phone system

    How exactly does one do this? What if it wasn’t a company (a small one, run by a mere mortal, at that), but some random person? Exactly how much power do people have to prevent a hacker who does this for a living from breaking into their phone system?

  15. impatientgirl says:

    That is the dirtiest, douchiest thing I’ve ever heard of a company doing.

  16. HogwartsProfessor says:

    *hits AT&T in the head with ancient rotary phone*

    Assholes. I wish to God I could find a job that would allow me to afford the Mediacom bundle. Then I could quit my landline (I need it for internet) and AT&T forever.

    • Alex d'Indiana says:

      Apparently not. This business didn’t have AT&T service either, but the hackers used it to make the calls anyway.

      • humphrmi says:

        Unfortunately there’s a little loophole in the system, you can dial out from your any phone using any carrier, with special dialing codes. For instance, to make a call from your phone using AT&T (if you don’t have AT&T service), you can dial 10-10-288 then the country code and number. And, unfortunately, you are responsible for all calls placed from your phone using this method.

  17. humphrmi says:

    For those wondering how the intruders made calls with AT&T from the victim’s insecure PBX system when the victim didn’t have AT&T service, they’re called Carrier Access Codes and they’ve been around for years:

    http://en.wikipedia.org/wiki/Interexchange_carrier#Carrier_identification_code