Toll Fraud MICS 6.1 PRI can't isolate the access into the system

Status
Not open for further replies.

mailmax

Vendor
Mar 30, 2014
32
US
I am trying to isolate a toll fraud event that happened two days in a row. The phone company notified us that there were intl. calls in excess at a time when our office was closed. Thankfully they suspended intl. dialing. Unlike AT&T, who let a client rack up, get this, a $64,000.00 bill over one month and never turned the service off. This customer did not even have AT&T LD; they just used 1010. We need to make these calls, so intl. must be unrestricted.

Now I thought I had secured the system months ago and I am pretty experienced at this. RESTRICTION FILTER ( 1 ) is for local and domestic calling and ( 2 ) is for local, domestic and intl. dialing. Only certain DN's are allowed FILTER ( 2 ), about 5 admin handsets. The Call Pilot 150 is set for COS-1 for all mailboxes with no external outdialing and COS-2 for external outdialing and COS-16 for UM/DM and outdialing. Only one user is actually using cell phone transfer with his out-dial and his number still shows as local when I printed out a MB report. The CP-150 DN 2999 is set for FILTER-1. We have no DISA in service and only a few DID's in service. Line Redirect is off on all sets.

I am scratching my head and I just can't figure out any other way the calls ( about 100 of them a few seconds apart ) could have been made.

Does anyone have any idea what I could have missed?
 
Did you carefully inspect each mailbox report and look at the outdial numbers?
Look for a long distance number in both Mailbox Activity -(Log is deleted after 6 days)
Look for a long distance number in the Outdial under Mailboxes


=----(((((((((()----=
curlycord

Toronto Canada
 
As I mentioned only ( 1 ) user is allowed to use OUTDIAL and his number is his local cell number. He is the only one using that COS. I thought maybe that someone called in pretending to be a phone company repair tech and asked someone to help them and had them use F4 to forward calls outside the system but I checked all the REDIRECT on all the DN's and they are all disabled ( N ).
 
Have you tried putting restrictions on all your voice mail ports?
Restrict them to only allow local calls, then it doesn't matter what the individual mailbox programming is.
Don't forget *67 and *80 etc., probably *anything.
 
Every instance of LD fraud I've come across has been by way of mailboxes with simple passwords. I've had success with the following procedure:
- review all mailboxes and make outdial NONE
- adjust all COS's in use to disallow OUTBOUND TRANSFER
- remove lines and/or line pool access from all voicemail DNs
 
I have dug thru every configuration carefully. The voice mail boxes all have COS-1 which has no Message Notification and no Out Bound Transfer. All DN's have FILTER 01 which is for domestic and local calling only, they can not dial 0,011,1010,5551212,1xxx5551212, 900, 976, 1900. REDIRECT for all DN's is DISABLED. I only have password access to the MICS and to the CP-150 and I changed the password months ago.

I just can't figure out how this was done. I have even tried to hack into the system myself.
 
It may not be the system, they could be clipping on to the wires outside the building and making calls, possibly a butt set, or home made rig. At one location we had several occurrences of someone actually pulling the lines down off the poles and connecting up to make calls, then stealing the copper they had pulled down once they finished!
 
I noticed in your filter you had 1010 blocked; you need to block 101 because that's what the Pick Codes start with, not 1010.
 
I don't see *67 in your filter or *80 or *anything. I'm not sure how many *codes telcos allow these days, but they can be used to spoof the restriction table unless they are restricted.
And by "All DNs" I hope you mean all call pilot DNs or ports.
 
Yep, I just block 10.
However, not so sure which systems you can restrict the vmail ports, as some you can and some you can't....test it to see.
Even so, why is it not on the reports?
Any more info on the fraud? How many calls, minutes etc.

=----(((((((((()----=
curlycord

Toronto Canada
 

I guess this is getting old. I wonder if mailmax has found the leak.
Blocking 1 and 0 should cover 101 or 1010 1+ and 0+.
If only one person uses the v mail to call out to his cell, RESTRICT all numbers 0 thru 9 plus the * and make an exception for his cell number.
If that doesn't work you have some other problem. Unless the # key can be used to fool the restriction table, which I doubt, block that too.
 
I was never able to find the leak and all calls were billed to Cox and not to ATT which would have indicated that they used a Pick Code. Thank you for bringing that to my attention. I was just thinking about the ATT pick code of 1010. So it is best to restrict [ 10 ]. Yes, I do also restrict * and #. If the users need to use call forwarding I add *72 and *73 as an exception ALLOW. I have currently blocked all intl. calls right from Cox but they are going to need to use intl. to call some of their clients.
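
The filter-coverage points raised in this thread (1010 versus 101/10, and unrestricted * codes) can be checked offline with a small audit; this is an added example, not part of any poster's message and not Nortel code. It assumes a simplified prefix-match model with global exceptions, and every probe number is constructed.

```python
# Added illustration; simplified model, not the MICS's own matching logic.
# Assumption: a dialed string is denied when it begins with a restricted
# pattern, unless it begins with an exception. 'x' matches any one digit.

def starts_with(dialed, pattern):
    if len(dialed) < len(pattern):
        return False
    return all((p == "x" and d.isdigit()) or p == d
               for p, d in zip(pattern, dialed))

def is_allowed(dialed, restrictions, exceptions=()):
    if any(starts_with(dialed, e) for e in exceptions):
        return True
    return not any(starts_with(dialed, r) for r in restrictions)

def audit(restrictions, exceptions, probes):
    """Labels of the toll probes that the filter would let through."""
    return [label for label, dialed in probes
            if is_allowed(dialed, restrictions, exceptions)]

# FILTER 01 restrictions as listed in the thread.
FILTER_AS_POSTED = ["0", "011", "1010", "5551212", "1xxx5551212",
                    "900", "976", "1900"]
# Same filter plus the changes discussed in the replies: 10, * and #
# restricted, with *72 and *73 allowed as exceptions.
FILTER_TIGHTENED = FILTER_AS_POSTED + ["10", "*", "#"]
EXCEPTIONS = ["*72", "*73"]

# Constructed probe strings (555-01xx style numbers, not real destinations).
PROBES = [
    ("international, direct", "011445550100"),
    ("1010 carrier code", "10109990115550100"),
    ("101 carrier code other than 1010", "10199990115550100"),
    ("*67-prefixed international", "*67011445550100"),
]

if __name__ == "__main__":
    for name, flt, exc in (("as posted", FILTER_AS_POSTED, ()),
                           ("tightened", FILTER_TIGHTENED, EXCEPTIONS)):
        leaks = audit(flt, exc, PROBES)
        print(f"{name}: {leaks or 'no probe passes'}")
```

A probe that passes the model is only a prompt to test the same string from a restricted set or voicemail port on the real system, since the model does not cover line or set restrictions.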
 