Wireless fraud before cellular
I sent our radio-telephone expert Geoff Fors the following paragraphs. I think they are from a 1985 article in Personal Communications Technology Magazine. I asked for his comments, which you can read below:
"The earliest form of mobile telephony, unsquelched manual Mobile Telephone Service (MTS), was vulnerable to interception and eavesdropping. To place a call, the user listened for a free channel. When he found one, he would key his microphone to ask for service: 'Operator, this is Mobile 1234; may I please have 555-7890.' The operator knew to submit a billing ticket for account number 1234 to pay for the call. So did anybody else listening to the channel--hence the potential for spoofing and fraud."
"Squelched channel MTS hid the problem only slightly because users ordinarily didn't overhear channels being used by other parties. Fraud was still easy for those who turned off the squelch long enough to overhear account numbers."
"Direct-dial mobile telephone services such as Improved Mobile Telephone Service (IMTS) obscured the problem a bit more because subscriber identification was made automatically rather than by spoken exchange between caller and operator. Each time a user originated a call, the mobile telephone transmitted its identification number to the serving base station using some form of Audio Frequency Shift Keying (AFSK), which was not so easy for eavesdroppers to understand."
"Committing fraud under IMTS required modification of the mobile--restrapping of jumpers in the radio unit, or operating magic keyboard combinations in later units--to reprogram the unit to transmit an unauthorized identification number. Some mobile control heads even had convenient thumb wheel switches installed on them to facilitate easy and frequent ANI (Automatic Number Identification) changes."
Geoff here. The term squelch is a little misleading here; actually, what is meant is "busy channel lockout." The MTS system went through a number of phases, and it depended upon where you were and what equipment the Telco installed in your car as to what you could do with it. Busy channel lockout was primarily a GE feature which lit a yellow lamp ("Busy") and wouldn't let you listen in if there was traffic on the channel. Older MTS sets didn't have that. I can put together some photos of assorted MTS control heads for you for future reference.
I think there was a busy channel lockout over-ride switch on the back of the control head on some GE models, intended for emergency use. The Motorola "Pushbutton Dial" system (not MTS and not IMTS but a proprietary scheme that laid an egg) had an emergency over-ride switch which also gave out a tone to let the parties using the channel know that someone was listening (as on the logo painted on the face of Nazi wartime military radios - "Feind hört mit.")
IMTS fraud wasn't widespread, maybe for one reason. The phones were so expensive that the general public had no access to them. The IMTS ANI is sent by the mobile at the beginning of the off-hook transmission. However, listening to traffic on the channels would pretty quickly reveal people giving their mobile number to the operator for various reasons. Smaller cities had a "block" of mobile numbers, and once you knew one, it would be easy to hack the others. For example, Chualar, California (Salinas - Pacific Bell) had the mobile block of 679-5000 to 679-5100 as IMTS numbers. A crook could just pick one and away he went. It was also possible to park a scanner on the car-to-station channel in bigger cities and record calls, then slow the tape down and count the pulses of the ANI to determine the number. Then it would be obvious that any adjacent numbers were also IMTS. Not that I did this, but that's how it worked.
I never saw any control heads modified with thumbwheel switches by hackers. I suspect, frankly, that virtually all of the fraud was performed either by industry insiders or a few people who bought the equipment from them. Even though the mobile would have been hard to trace, the land side would not, as each call appeared on your bill with the number called and the time duration. Telephone company security did devote some time to this issue, with the usual result that the particular mobile number would get changed. I don't think they made much of a publicity issue out of it because 1) it would give others the idea and 2) bad for the company's shareholders to give out negative publicity.