phreakThis past week a very large corporation on the east coast was hacked in what seems to naive old me to be a new way — through their corporate phone system. Then one night during the same week I got a call from my bank saying my account had been compromised and to press #4 to talk to their security department. My account was fine: it was a telephone-based phishing expedition. Our phone network has been compromised, folks, and nobody with a phone is safe.

Edward Snowden was right we’re not secure, though this time I don’t think the National Security Agency is involved.

Here’s how this PBX hack came down. Step one begins with looking for companies that have outsourced their IT help desk to a third party company, preferably overseas. There are today many, many such companies and it is easy to find them and to find out who is running their offsite or offshore help desk.

Step two is robocalling at night into the corporate phone system, punching-in each possible extension number. Live and dead extensions are mapped respectively and any voicemail greetings that are encountered are mined for the user’s name.

Step three happens during normal business hours, not at night. An employee of the target company is called at their desk by someone claiming to be from the outsourced help desk company. The incoming caller ID is spoofed to look right, the caller addresses the employee by name, it all feels legit. “I’m from the (outsourcing company name) IT help desk,” the Bad Guy says, “and we’re having an issue with the network, possibly originating at your workstation, so I need you to: 1) install a software tool (malware, virus, etc.) or; 2) allow a remote access session so I can fix the problem.”

It’s social engineering and it’s happening all over the place.

My call from the bank was different. I don’t remember if they said my name or not, but I am a current customer.  A friend of mine who faced a similar experience recently was called about an account he had closed but I wasn’t so lucky. I was really tempted to press #4 but precisely because I’d heard of my friend’s experience just the day before, I didn’t. Instead I logged-in to my online banking account where there were no alerts and nothing seemed amiss. My bank can text me if there’s a problem but they hadn’t, and no money seemed to be missing. Then I called the number on the back of my ATM card to talk to the bank security department and they were closed. The call center was supposed to be open until 10PM local time and it was only 8:15. Could they have been breached and a zillion numbers like mine stolen so quickly?

I called back the next day, the bank said there had been no problem with my account, but they couldn’t explain why the call center was down.

This was Bank of America, by the way.

We’ve lost control of our phone network. I’m not lobbying here for a return to the AT&T monopoly of pre-1983, but what we have now is not safe. Haven’t you noticed the uptick in sales calls to your number that you thought was on the National Do Not Call Registry? That registry, and the law that created it, are no longer enforceable. The bad guys won but nobody told us. They are operating from overseas and can’t be traced. If they steal our money it can’t be traced, either.

What do you think can be done about this problem? I have some ideas, what are yours?