Yeah, it's one thing to charge companies for phone calls when they were going to call you anyways, it's another thing to suggest to a company that you're interested in a bulk order, and then charge them to send you the information that you requested. That sounds more just like theft.
You are correct. I'm pretty deeply involved with telco fraud and its countermeasures. This is really the tip of the iceberg as to what goes on.
The latest scams involve making your iPhone show missed calls even though your phone didn't ring by sending it a really short call attempt. Guess what the caller ID of the missed call is? Premium rate number. The amount of people who ring back these calls is incredible.
When you call the line you hear a long dial tone. You think it's dialling the number but it's already been answered and is charging you per minute...
Again, I'm not making any representations that these things are ethical, but they absolutely go on today, and these are the only kinds of scams I feel comfortable sharing - the reality is a lot scarier.
I've seen lots of toll fraud at my work. Often a VoIP device like an Asterisk server or a VoIP phone will be compromised and used to send calls to a premium rate number, usually at a very high call rate. This is their downside, they're exploited by people who want to make a quick buck. And carriers are forced to pay them because they have contracts with their toll trunk providers that all calls sent through those trunks are legitimate calls.
jdee, have you ever had any success prosecuting anyone committing fraud? Wonder if that's even possible.
Some of the offices in our building are serviced and come with telephony systems included. The owner of these offices has been hit with exactly this attack and ended up with a bill for £150k. Nearly ruined his business and the carriers are not at all sympathetic.
I've not heard of a single case where successful prosecution has occurred. I think OFCOM and the police view these attacks against financial institutions as a 'cost of doing business' - if you don't want fraud, don't run a bank - attitude.
The whole point of publicizing gambits is to make them less effective. (Sounds like you could write a book and make a killing on this topic.)
Edit: An obvious hack in the US would be to spoof a bank's caller id and start calling as the "fraud department" ... Leaving the rest to the imagination.
Without going into details there are vulnerabilities that are being exploited today that are netting fraudsters millions a day and there is very little that can be done to stop them.
The most interesting thing you learn about these fraud teams is that it is a job to them - meaning they work 9-5.30, don't work weekends or holidays. This is industrialised fraud on an enterprise scale.
If you wanted my advice:
Don't trust any 2 factor authentication system that uses your mobile unless it's for a large bank
Don't data roam with your mobile when abroad, better still, leave your mobile at home.
Before doing anything secure with your phone, call it to ensure it's not been redirected
Don't say anything in a call that you wouldn't want played back to you at some point in the future...
Joined a startup as CTO/investor at an IVR company. Built up 4 years domain knowledge working with telephony fraud. Exited a month ago as part of a $150m sale.
Final anecdote. A certain attack requires the fraudster to call the target's bank and ask a few questions. For some reason in ALL of these calls there is the sound of a baby crying in the background.
Our theory is that while testing the attack vector, the first time it 'worked' a baby must have been crying. The fraudsters think it works as some kind of high frequency disruption to confuse any biometric systems that are processing the call, so they play a RECORDING of a baby in the background of all subsequent calls.
It reminds me of learned behaviour in animals. The pigeon stands on one leg and gets a treat. The pigeon now thinks the one-legged approach is what makes the treat appear.
The icing on the cake was when I got a call from a bank asking if there are any biometric systems that can detect the sound of crying babies...