Computer virus protection If you're not using anti-virus software, you need to consider getting some, and soon. Click here to choose some from Amazon.com. If you're connected to the Internet with an "always on," broadband connection (cable modem or DSL), consider getting some firewall software, or a hardware solution for your entire home network.
About the "Hoax du Jour"
The "Hoax du Jour" is a recurring column providing updated
information and commentary on the Internet community. It is a feature of
Korova Multimedia's "e-v-mail" page.
What is a "hoax du jour?" With the
advent of widespread use of the Internet as a medium for sharing
information, the phenomenon of sharing misinformation has
exploded. Conventional urban folklore and
propaganda have blossomed on the Internet. Intentionally
misleading information is broadcast on a professional and personal level.
On the Web, misinformation wants to be free. It also likes to be free
of authenticity and corroboration, when such grounding deflates the
credibility of the content.
The result? Naive users of the Internet are subjected to a daily
barrage of data that are erroneous, slanderous, and sometimes even
destructive. This page is dedicated to discussing intentional
misinformation, or 'Net hoaxes.
Disclaimer The opinions expressed here are
entirely my own, and do not reflect policy or intentions of any persons,
groups or companies referred to or linked from this site. I, my guest
writers, or Korova Multimedia are not responsible for content or sites
linked to from the "Hoax du Jour" column.
In the past couple of weeks, a convincing "phone scam alert" has spread
through U.S. Government offices and the Internet. Though the seed of this net
rumor is factual, the alert has been abridged and misquoted to the
extent that it's alarming ... and inaccurate.
On Saturday, 24 January 1998, Naval Air Station, Joint Reserve Base, New
Orleans' Quarterdeck received a telephone call from an individual
identifying himself as an AT&T Service Technician that was running a test
on our telephone lines. He stated that to complete the test the QMOW should
touch nine (9), zero (0), pound sign (#) and hang up. Luckily, the QMOW was
suspicious and refused. Upon contacting the telephone company we were
informed that by pushing 90# you end up giving the individual that called
you access to your telephone line and allows them to place a long distance
telephone call, with the charge appearing on your telephone call. We were
further informed that this scam has been originating from many of the local
jails/prisons. Please "pass the word".
Somehow this smelled like a net rumor, maybe even a hoax, since it
follows the "Hook, Threat and Request" model that CIAC (http://ciac.llnl.gov/) identified in
Internet chain letters and virus hoaxes.
I discussed this with AT&T's Network Security office (800-337-5373, firstname.lastname@example.org), which is referenced
in some versions of the alert. The specialist I talked to had heard of the
rumor, but discounted its validity as posted. He noted that it could
conceivably be used against some common PBX systems. Here's how:
On many PBX systems, 9 will access an outside line, 0 will request a
local operator, and # ... well, most systems wouldn't know what to do with
that #, so the call to the local operator would be CANCELLED*. It's
conceivable that calling someone on a PBX, and asking the recipient to
hookflash, then dial 90#, will give the caller an outside dial
tone. The caller can now make long distance calls that are charged to the
hapless recipient. (See "Inmate fraud" link.)
[A writer on USENET informed me that this is a "call completion" code,
which signals a PBX system that the number is complete, and initiates
dialing. In essence, 90# would connect an internal line to the outside
operator, and 900# would connect a line to an outside long
distance operator (depending on the PBX being used).]
This, of course, would require that
the recipient is on a PBX system
that supports 9 for accessing an outside line,
the default "9" outside line has long distance dialing privileges
(some systems require a different code to get the LD carrier) and
the recipient doesn't see through the obvious deception ("I'm an AT&T
service technician, dial this code....") and just hang up.
It's possible. It can be used as a scam, but most likely on systems that
the series of numbers is known to provide a long distance dial tone. The
original alert, within a single Navy installation, has some validity. The
resulting net rumor, though, infers that this "90#" code works
anywhere. It just ain't so. Dialing 90# on a home phone won't
do squat. As to whether the calls are typically originating from jails,
AT&T's rep asserted that it's rarely possible for a convict to pull such a
scam. (See the exception referenced in the links.)
To get to the bottom of the source incident, I called the Naval Air
Station quarterdeck in New Orleans. The petty officer who was manning the
watch cheerfully confirmed that they had a clearly posted warning at the
desk matching the quoted text above almost word for word. Almost. He also
looked up his log for January 24, 1998, and confirmed that the duty
watchstander had received a suspicious call. But the text he read me had
one critical element missing from the net posts ... I'll
simulate the omission here:
> Service Technician that was running a test on our telephone
> lines. He stated that to complete the test the QMOW should
<snip> touch the LINE key [for an outside line], then <snip>
> touch nine (9), zero (0), pound sign (#) and hang up.
This procedure COULD give the caller an outside line on the base's
phone system. What a surprise.
So the bottom line is that this warning has some validity for certain
PBXes, but no way near the "alarm factor" danger for any and all phone
systems. Your office or institution phone system may be vulnerable to this
technique, or this kind of technique, or even some form of "social
engineering" scam for abusing phone systems. But, folks, your home phones
are safe from danger. As Rob Carlson posted on alt.folklore.urban, "Being
able to use one single sequence on the variety of phone switches is as
silly as expecting to run Intel machine code on a SPARC."
Here are several tips you can apply to minimize your risk to phone scams
like the one prophecied in this net rumor.
Don't give out personal information over the phone. This includes
passwords, PINs (personal identification numbers) for your calling card or
ATM card, your Social Security Number, home phone, address. Those who
need this information should already have it, and often WILL NOT ask for it
over the phone.
Those who need to do "checks" and maintenance work on phones and
computer systems ... don't need to ask you for access codes. They already
have them, or don't need them.
Phone technicians don't need user intervention to check equipment.
Often, they don't even need to bother you at all, it's all done in the
Be suspicious of strange callers who claim to be within your company,
and need you to transfer them or perform some unusual function.
Social engineers may ask you several innocuous questions before hitting
the real question. Be suspicious of anyone who calls up to "confirm your
information" and asks the obvious questions.
When in doubt, get a return phone number where you can call the person
back. Legitimate entities will provide a company number; hackers will often
just hang up.
This alert has resurfaced lately, just in time to ride the coattails of
various returning rumors regarding Internet
Access Charges & Taxation. In its new version, all the
corroboration from the U.S. Navy has been replaced with a
supposed personal account. Oddly, this makes it even less
credible, but seems to appeal to the belief that a warning told in
the first person "I" will be more believable.