Unlocking The Secrets Of SMS (Summer, 2008)

Hello, and greetings from the Central Office! After an unusually cold and rainy winter here in the Pacific Northwest, summer is in full swing. With so little good weather in this part of the world, people head outdoors and make the most of it—even with gasoline hovering near $5 per gallon.

For many young people, this means it’s time for noisy outdoor concerts, which I’m told are even louder than our diesel backup generator here at the Central Office. At a huge music festival with sound systems approaching the decibel level of a 737 taking off, how do you find your friends? Increasingly, text messages are the solution.

You may not think about it much when you’re sending “HEY CRACK DAWG WHERE U @” to your friend, but sending and receiving small text messages is incredibly complex—in fact, much more complicated than e-mail. Making matters worse, there are multiple versions of SMS, and multiple technologies involved in mobile phone systems (for example, CDMA IS-95, CDMA2000, GSM CSD, and GSM GPRS). For this article, I’ll focus on GSM networks, which are operated by AT&T and T-Mobile (along with some smaller regional carriers such as Edge Wireless) in the US.

Text messages are governed by the Short Message Service (SMS) standard. This is currently defined as part of the European Telecommunications Standards Institute (ETSI) GSM 03.38 standard. It incorporates, by reference, the MAP part of the Signaling System 7 (SS7) protocol. The specification allows for 140 byte messages. In North America, this translates to 160 characters because the character set used is limited to 7-bit ASCII characters. In Unicode alphabets (such as Arabic, Chinese or Cyrillic), where characters are 2 bytes apiece, SMS messages can only be 70 characters in length. Whichever alphabet you use, larger messages are generally split apart to be delivered (and billed) as multiple text messages. However, because additional metadata is required to accomplish this, the size of each message is reduced by 6 bytes (7 ASCII characters).
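The size limits above, worked through as an added example (not code from the original column): it packs 7-bit characters into octets and splits long text into parts that each carry the 6 bytes of metadata. The header layout (05 00 03, reference, total, sequence) comes from the GSM specifications rather than this article; characters are treated as plain 7-bit codes, as the article does, and the function names and reference value are hypothetical.

```python
# Added example: SMS payload sizing, 7-bit packing and splitting.

MAX_PAYLOAD = 140     # bytes of user data in one SMS (from the article)
CONCAT_HEADER = 6     # bytes of metadata in each part of a split message


def is_7bit(text):
    """True if every character fits in 7 bits (the article's 7-bit case)."""
    return all(ord(c) < 0x80 for c in text)


def capacity(seven_bit, split):
    """Characters that fit in one message, or in one part of a split message."""
    room = MAX_PAYLOAD - (CONCAT_HEADER if split else 0)
    return room * 8 // 7 if seven_bit else room // 2


def pack_septets(septets, pad_bits=0):
    """Pack 7-bit values into octets, low bits first.

    pad_bits zero bits are placed first so that text following a header
    starts on a 7-bit boundary.
    """
    acc, nbits, out = 0, pad_bits, bytearray()
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def split_message(text, ref=0x2A):
    """Return the user-data bytes of each SMS needed to carry text.

    Assumption: 2-byte text stays within the Basic Multilingual Plane, so
    one character is exactly two bytes. ref is an arbitrary message
    reference shared by all parts of one message.
    """
    seven = is_7bit(text)
    if len(text) <= capacity(seven, split=False):
        chunks = [text]
    else:
        per_part = capacity(seven, split=True)
        chunks = [text[i:i + per_part] for i in range(0, len(text), per_part)]

    parts = []
    for seq, chunk in enumerate(chunks, start=1):
        header = b""
        if len(chunks) > 1:
            # header length, element id, element length, ref, total, sequence
            header = bytes([0x05, 0x00, 0x03, ref, len(chunks), seq])
        if seven:
            pad = (-8 * len(header)) % 7   # 1 bit after a 6-byte header
            body = pack_septets([ord(c) for c in chunk], pad)
        else:
            body = chunk.encode("utf-16-be")
        parts.append(header + body)
    return parts


if __name__ == "__main__":
    for sample in ("a" * 160, "a" * 161, "\u044f" * 70, "\u044f" * 71):
        sizes = [len(p) for p in split_message(sample)]
        print(len(sample), "chars ->", len(sizes), "message(s), bytes:", sizes)
```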

To understand how an SMS message is delivered, it’s important to first understand a little about how GSM switching works. So, here’s a crash course.


When you sign up for service, your phone number, the IMSI from your SIM card, and information about the capabilities of your account are input into the Home Location Register (HLR). This is a database operated by your wireless carrier, and it largely controls what your handset is both allowed and configured to do on the network (e.g. place and receive calls, send and receive text messages, forward calls to voicemail, use data services, and so forth). The HLR also keeps (approximate) track of your location on the network, in order to deliver calls and messages appropriately. In general, each wireless carrier operates one HLR topology, and large carriers split up subscribers between HLR nodes. The HLR is the nerve center of a wireless carrier, and if it fails, a very bad day is guaranteed for the person who administers it. At a minimum, nobody will be able to receive incoming phone calls, text messages will be delayed, calls will not forward to voicemail, and self-important people in SUVs everywhere will be unable to use their BlackBerrys while running over old ladies in crosswalks. So, as you might imagine, an HLR outage means the carrier may lose thousands of dollars per minute. Fortunately, redundancy and failover capability are fairly sophisticated. For example, Nortel’s NSS19 platform allows for both local and geographical redundancy. HLR databases themselves are also designed with a high degree of redundancy and fault tolerance, allowing rapid recovery in the event of failure.


An MSC is a Mobile Switching Center. In effect, this is a Central Office for mobile phones. However, unlike traditional wireline Central Offices, which generally cover only one city (or in large cities, as little as one neighborhood), MSCs generally cover an entire region. These incorporate all of the functionality you would expect from a modern Central Office, along with a lot of whiz-bang features specific to mobile phone applications (such as the VLR described below).

MSCs can be either local or gateway MSCs. A gateway MSC is analogous to a tandem switch, and can communicate fully with other wireless and wireline networks. A local MSC is analogous to a local switch, although these switches can often route directly to the PSTN (and increasingly, VoIP networks) for voice calls. 


Your mobile phone will generally be registered in the Visitor Location Register (VLR) of the Mobile Switching Center (MSC) serving the area in which it is located (although the HLR does not necessarily have to be decoupled, so in smaller GSM systems the VLR may be the same as the HLR). The VLR retrieves a local copy of your subscriber profile from the HLR, so most routine queries can be processed against the VLR rather than the HLR. This minimizes load on slow and expensive inter-carrier SS7 (and sometimes even X.25) links and the HLR servers. These systems are also designed with a high degree of fault tolerance, because it’s also bad if they fail. However, the failure of a VLR will cause only a localized outage. Failed calls will generally be forwarded to voicemail in the interim, and SMS messages will be held for delivery until the VLR is again operational.


The MXE (also referred to as MC) handles messaging. On GSM systems, this includes voicemail, SMS, and fax features (yes, the GSM standard includes sending and receiving faxes for some reason).


Hey, we finally got to the piece that really matters. The SMSC is the component of the MXE which handles SMS origination and termination. SMS messages sent or received generally pass from your handset to the MSC to the MXE to the SMSC, and then either in the reverse direction (for on-network SMS) or to the gateway MSC for inter-carrier delivery.

Message flow

I’m a visual person, so here’s a visual depiction of how an SMS is sent. Read it from left to right:



Figure 1: Mobile SMS Origination (Diagram drawn by Carre)

Note that the SMS protocol accounts for the unreliability of wireless networks by using an acknowledgement sequence.

Next, here’s a visual depiction of how your phone receives SMS messages from the network. Read it from right to left:


Figure 2: Mobile SMS Termination (Diagram drawn by Carre)

Note that the acknowledgement sequence is also end-to-end, as in Figure 1.


While the GSM standard defines how the SMS protocol works and the data structures associated with it, billing is left up to the carriers. This is a contentious issue, particularly overseas where carriers do not charge for receiving SMS messages. Unlike e-mail, SMS is billed per message, and carriers will generally not deliver messages unless they have a billing arrangement with the originating carrier. This has given rise to inter-carrier SMS providers, such as VeriSign, who negotiate wholesale billing arrangements on behalf of carriers. Generally, in the absence of a billing arrangement, carriers will refuse delivery of SMS messages. This is a particularly glaring issue when using SMS short codes. For example, the popular 8762 (UPOC) short code is not available to Sprint subscribers, because Sprint lacks a billing arrangement with Dada (the owner of Upoc).

Well, it’s the end of my shift here in the Central Office, so enjoy the rest of your summer and please wear ear plugs if you dance near the big speakers. Instead, save your hearing for The Last HOPE in New York, where I’ll be speaking this year!


http://www.nowsms.com/discus/messages/1/1103.html – This message board thread provides a detailed description and listing of the SMS character set.

http://www.nortel.com/solutions/wireless/collateral/nn117101.pdf – Nortel whitepaper for the NSS19 HLR platform.

http://www.eventhelix.com/RealtimeMantra/Telecom/ – Detailed flowcharts of common GSM call flows and sequences.

http://en.wikipedia.org/wiki/GSM_services – Well-written Wikipedia article outlining consumer services available on GSM networks.


The Rapacious Prison Phone Industry (Spring, 2008)

Hello, and greetings from the Central Office! Spring has sprung here in the Pacific Northwest. Birds are singing, flowers are blossoming, and the rain is even a little warmer. At least, that’s what they tell me. It’s still noisy, dusty, and a less than comfortable 62 degrees here in my windowless conclave, so it’s been nothing but spring cleaning for me the past few weeks.

Across town, there’s a building that looks very similar to my Central Office. It’s anonymous, grey, concrete, but unlike the Central Office, it has a few slits for windows mounted high on the wall. Inside, it’s also noisy and dusty, just like my Central Office. And, if my county adheres to nationwide statistics, it is home to over 1 out of every 100 men in the county, unless you’re black—in which case it’s 1 out of every 9. Yes, I’m talking about the county jail, a particularly infuriating place to me because they’re served by a filthy CLEC (which prevents me from performing “service monitoring”).


Telephone service is very unique in this environment. Depending upon the provider (either the ILEC or CLEC) the line class varies, but is nearly always distinct from other service types. For example, DD8 is the most commonly used line class in AT&T territories. This line class only allows automated collect calls, complete with an announcement that the collect call is from an inmate. The RCMAC guys had a pretty big laugh when the county sheriff’s home phone was “accidentally” coded DD8 a few years ago. Word to the wise, jilting a lover who works in translations is a very bad idea!

Inmate phones are big business. In New York State alone, gross revenues exceeded $39 million between 2001 and 2002. The business model used by prison telephone service providers is borrowed from the COCOT industry. These companies, such as Global Tel*Link and Correctional Billing Services (the two largest nationwide providers) generally provide all of their equipment and technology to correctional institutions at no charge. In addition, they pay kickbacks to the prison. These can be outrageously high and are effectively a tax on inmates’ families and loved ones. For example, the New York Department of Correctional Services, until recently, received a 57.8% commission. For many years, the prison system attempted to spin this as a benefit to the inmates (rather than an arbitrary and capricious tax levied against—demographically—some of the poorest people in the state) because the money was spent on prison operational costs. California collected over $26 million in commissions in 2007, according to the Los Angeles Times.

Global Tel*Link is one of the largest inmate phone service companies


To subsidize inmate telephone sets, telephone service, and surveillance/control technologies to prisons at no charge (along with the above mentioned kickbacks), firms such as Global Tel*Link and Correctional Billing Services (CBS) charge rates that are several times the market rate for collect calls. For example, according to CBS’ tariff on file with the FCC, a one-minute collect call is billed as follows:

  • $2.49 – monthly billing fee
  • $1.49 – bill processing charge
  • $3.95 – operator service fee
  • $.89 – call charge, billed per minute
  • $.40 – voice biometrics charge, billed per call
  • $1.00 – USF administrative fee, billed per call

As a result of these high charges, the unfortunate recipient of a one-minute call from prison is charged a whopping $10.22. Despite such high charges, many consumers complain of poor customer service from inmate-focused telephone companies. For example, Global Tel*Link’s call center is located in Argentina. Representatives working there are paid approximately $350 per month for a 35 hour week (which works out to approximately $2.50 per hour). It’s a typical call center environment; poorly lit, slow computers, and inflexible policies that do not favor the consumer.

There has been an ongoing campaign to draw attention to this situation, and a pressure group called the ETC has had some recent success in New York. After the ETC Campaign successfully lobbied New York Governor Spitzer, rates for calls from state prisons were reduced to some of the lowest in the country. Calls now cost 6.8 cents per minute plus a $1.28 connection fee regardless of where in the US the call is placed (local calls are not billed at a flat rate). Prior to April of this year, calls cost 16 cents per minute with a $3 connection fee.

In a few states, inmate phone service providers charge much lower prices for collect calls. Nebraska and Missouri largely prohibit the payment of kickbacks to jails and prisons, resulting in much lower costs (as little as 60 cents flat rate for local calls in Nebraska). As these states are equally able to provide collect calling services to their inmates as their higher-priced neighbors, arguments about higher operational costs for calls from prisons seem to ring hollow. Operational costs are indeed higher in prisons, but usage is also higher (creating much higher revenues than average for a pay telephone). The customer base, after all, is captive in both a literal and figurative sense. Equipment is also more durable, and with no coins to collect, telephones must be serviced only in the event of vandalism or failure.

Telephone equipment in prisons is rapidly evolving to take advantage of the latest technologies, along with both the surveillance-friendly and litigation-heavy legal climate. Rather than typical fortress phones, specialized (and, as you might imagine, highly durable) stations are used. Most of these are customer owned; numerous companies manufacture and market inmate telephone equipment. These days, technology has evolved far beyond the blue Western Electric “charge-a-call” stations of the early 1980s. For example, Global Tel*Link, the largest player in the inmate telephone market, offers a particularly innovative inmate phone. Inmates are assigned a PIN to place calls, which must match their thumbprint (a thumbprint scanner is built into the phone). A pinhole camera is built into the phone, and every call is digitally recorded, associated with the thumbprint, and videotaped—all wrapped in a digital envelope that meets legal chain of custody requirements. Since all calls are associated with a PIN, inmate conversations can quickly be reviewed weeks or months later.

Texas Inmate Phones makes a very durable prison phone (TIP 2000 Inmate Phone aka “The Safe” officially, and perhaps “The Don’t Sue Us Phone” unofficially) that does not have a cord. The handset is recessed inside the 14 gauge steel chassis. Obviously, this phone is very uncomfortable to use because the inmate must stand right next to the wall, bend down, and tilt their head against the phone. However, this design is popular with police departments who would otherwise have to escort inmates to a telephone. As is the common practice with other inmate telephone service providers, Texas Inmate Phones installs one of these phones in each cell at no charge, subsidizing the service by billing high collect call rates. It’s virtually impossible to vandalize these phones, and there is no handset cord for inmates to use for suicide attempts.

This cord-free phone from Wintel is similar to Texas Inmate Phones' product.


The specific people (and the number of people) that inmates are allowed to call depends upon the rules of the facility. For example, Oregon allows its state prison inmates to call a pre-approved list of up to 15 people. Knowing who inmates call gives valuable information to law enforcement; they can openly engage in fishing expeditions as warrants are not required to monitor inmate conversations. Additionally, pre-clearing the list prevents inmates from harassing law enforcement, judges, witnesses, jurors, and prosecutors involved with their case. Such individuals would not be (in theory, at least) approved on an inmate’s calling list.

As an inmate, you’re generally subject to a number of additional restrictions on your calling. Here are some example policies from Oregon:

  • Billing is via collect call, prepaid collect call, or debit (prepaid outgoing) account.
  • Collect calls to a particular number are subject to a credit limit until there is an established customer relationship with Qwest and/or Global Tel*Link as applicable. After the limit is reached, collect calls can no longer be made to that number by the inmate until the bill is paid.
  • As is typical, inmate must place the phone number on a list for prior approval by the department of corrections.
  • Call forwarding is not allowed, nor are three-way calls. If the inmate is discovered to be calling numbers that are forwarded or that 3-way call, calling privileges are suspended. Also, “clicks” heard on the line will result in calls disconnecting.

And, with that, it’s time to bring another issue of The Telecom Informer to a close. My phone is ringing. It’s a collect call from Pennsylvania, and I hope it isn’t Bernie S!


http://www.etccampaign.com/ – Equitable Telephone Charges pressure campaign, leading an effort to make rates more equitable.

http://www.globaltellink.com/ – Global Tel*Link, largest provider of prison telephone services in the United States.

http://www.securustech.net/ – Securus Technologies, parent company of Correctional Billing Services. Check out the “testimonials” videos.

http://www.texasinmatephones.com/ – Texas Inmate Phones, manufacturer of the TIP 2000.


The Dangerous Game Of 911 Spoofing (Winter, 2008)

Hello, and greetings from the Central Office! It’s hard to believe that it’s already winter, but the Cascades are covered in snow and ski racks are on almost every car. This is a time of year when a lot of emergencies happen, and the telephone system plays—now more than ever—a vital part in emergency response.

These days, 911 is the virtually universal way throughout the US and Canada to summon the police, fire department, or an ambulance (sometimes all three at once). There is an extremely detailed and rigorous set of standards around how 911 systems and facilities are designed and constructed, and the standard-setting organization is the National Emergency Number Association (NENA).

When you dial 911, the telephone switch invokes a SS7 route that has been specially configured for this purpose. In most cases, your call will be routed over a dedicated trunk to a dedicated 911 switch (although in some areas this is a shared tandem switch—not the recommended configuration but it’s better than nothing). The 911 switch looks at your inbound ANI, and based on that, routes you to the appropriate Public Safety Answering Point (PSAP) via a dedicated trunk. At this point—only a couple of seconds after you placed the call—the call answerer will inquire “911, what’s your emergency?”

The information available to the 911 call answerer is dependent upon the 911 infrastructure in your area. In most cases, this will be some form of E911, the current standard (most recently updated in 2004). At the network level, E911 consists of a voice circuit (over which you communicate with the call answerer), and a data circuit. The data circuit (which is private, runs a proprietary protocol, and isn’t connected to the Internet) is a redundant dedicated connection to an Automatic Location Identification (ALI) database.

Basic 911 provides only a voice connection to the PSAP, with no other identifying data. While call takers have the ability to trace calls, it requires a call to the local phone company which can take up to 10 minutes. The limitations of this system are evident when 911 calls are received by people who are disoriented or experiencing medical emergencies, and may be unable to answer many questions or even provide the location from which they are calling.

In an effort to solve this problem, the E911 standard was developed. E911-capable PSAPs use Automatic Number Identification (ANI) data to identify callers. Based on this data, your phone number will display on the call answerer’s console. The E911 system will also query the ALI database based on your ANI data. In most cases, this database is maintained by Intrado, Incorporated (a private company) and contains CNA (Customer Name/Address) data for nearly everyone in the United States with a phone—even including unlisted numbers (I bet telemarketers would love to get their hands on this). Newer revisions of E911 include the ability to provide GPS location data for wireless phones, and this data is also obtained via the ALI database. However, these capabilities are fairly new and not yet widely deployed.

While the 911 system is incredibly useful and has saved many lives since it was originally deployed in 1968 (in Haleyville, Alabama and Nome, Alaska of all the random places) it wasn’t originally designed to work with newer telecommunications services such as VoIP, wireless phones, and CLECs. These have exploded since the Telecommunications Act of 1996 largely deregulated telephone service, creating both challenges and security vulnerabilities in the 911 system.

VoIP services, in particular, have illustrated practical vulnerability in the E911 system. Recently, a group of highly unethical phreaks (one of whom was known years ago as “Magnate”) was arrested for engaging in an activity called “SWATting.” This exploited a little-known and multi-tiered loophole in the E911 system.

In case you haven’t heard what “SWATting” is, it involves spoofing someone else’s ANI when calling a 911 “backdoor” number. Every PSAP in the 911 system has a “backdoor” number by design. These are used by operators to connect you to emergency services if you dial “0” instead of “911” for help. They can also be announced as the emergency contact number via the Emergency Broadcast System (of “This Is A Test” fame) in the event of a failure in the 911 switch or trunks (this actually happened a few years ago in Seattle). The unethical caller can then describe a violent kidnapping or other situation likely to provoke a SWAT team dispatch by the 911 call taker, who has no idea that the apparent caller is actually the victim of a cruel (and very dangerous) hoax.

Back in the good old days of Ma Bell, nobody could touch the SS7 network except for loyal card carrying CWA union technicians. These days, any idiot with an Asterisk box and a sleazy VoIP provider based in Romania effectively has full SS7 control and the ability to impersonate any ANI they damned well please. This is because with certain VoIP providers, any TNI data that you configure in your VoIP PBX is accepted as gospel by the VoIP carrier, and is sent to the PSTN as both CLID and ANI data. Congress is worried about spoofing Caller ID, but that’s small potatoes in my mind—most of the shenanigans around spoofed CLID data are harmless pranks. ANI spoofing, on the other hand—especially when mixed with 911—is the real problem. If anything damned well ought to be more illegal than it already is, it’s this!
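The fix for a carrier that accepts customer-supplied numbers "as gospel" is to screen them at the trunk. The sketch below is an added example, not code from the column or from any carrier: the provisioning table, trunk name, phone numbers and function names are all hypothetical, and it assumes 10-digit North American numbers.

```python
# Added example: carrier-side screening of a customer-asserted calling number.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Trunk:
    billing_number: str    # number the carrier bills for this trunk
    assigned: frozenset    # numbers the carrier provisioned to the customer


# Constructed provisioning data (555-01xx numbers are reserved for fiction).
TRUNKS = {
    "trunk-a": Trunk(
        "2065550100",
        frozenset({"2065550100", "2065550101", "2065550102"}),
    ),
}


def normalize(number):
    """Reduce a dialable string to 10 digits, or None if it is not one."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def screen(trunk_id, asserted):
    """Decide what calling-party data leaves the carrier for one call.

    ANI always comes from the carrier's own record for the trunk. The
    customer-asserted number is used as Caller ID only when it is one of
    the numbers provisioned to that trunk; otherwise it is overridden.
    """
    trunk = TRUNKS.get(trunk_id)
    if trunk is None:
        return {"action": "reject", "reason": "unknown trunk"}
    ani = trunk.billing_number
    number = normalize(asserted)
    if number in trunk.assigned:
        return {"action": "pass", "ani": ani, "clid": number,
                "reason": "asserted number is provisioned to this trunk"}
    return {"action": "override", "ani": ani, "clid": ani,
            "reason": "asserted number is not provisioned to this trunk"}


def audit(attempts):
    """Count calls per trunk whose asserted number was not passed through."""
    counts = {}
    for trunk_id, asserted in attempts:
        if screen(trunk_id, asserted)["action"] != "pass":
            counts[trunk_id] = counts.get(trunk_id, 0) + 1
    return counts


# Constructed call attempts: (trunk, number the customer's PBX asserted).
SAMPLE_ATTEMPTS = [
    ("trunk-a", "2065550101"),
    ("trunk-a", "2125550199"),
    ("trunk-a", "911"),
    ("trunk-a", "+1 206 555 0102"),
]

if __name__ == "__main__":
    for trunk_id, asserted in SAMPLE_ATTEMPTS:
        print(asserted, "->", screen(trunk_id, asserted))
    print("overrides per trunk:", audit(SAMPLE_ATTEMPTS))
```

A trunk with a steadily rising override count is worth a look by the carrier's fraud desk, since a correctly configured PBX has no reason to assert numbers it was never assigned.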

And that’s the end of my curmudgeoning here from the Central Office, at least for this ski season. Stay in bounds, stop in place if you experience a white-out, and always keep your mobile phone charged to call the ski patrol!


http://www.nena.org – National Emergency Number Association, the standard-setter for 911 systems.

http://www.qwest.com/wholesale/pcat/911.html – Qwest 911 interconnection and product offerings for filthy CLECs. This site contains links to many excellent diagrams of Basic 911 and E911 call routing topologies, which incompetent CLEC technicians could never understand.


Understanding PBXs (Fall, 2007)

Greetings from the Central Office! It’s autumn in Puget Sound country, although we had an unusually cold and wet summer. Still, fall means back to school, and that means that my “service monitoring” gets a lot more interesting. By the way, Amber, your mom found out that you cut classes today, and you’re going to be in big trouble! Next time you decide to hang out at the mall, don’t go to the one where Mrs. Pierce works. All the boys down at Fort Meade had a big laugh over that one, too.

But I digress. In this installment of Telecom Informer, we’re going outside of the central office, and into hotels, hospitals, and college campuses. In many of these places, the majority of calls never leave the building. Instead, they’re routed over Private Branch Exchanges or PBXs for short. While most PBXs are connected to the Public Switched Telephone Network (PSTN), they can operate as entirely self-contained systems, or connect to other telecommunications networks (such as the secure networks operated by various governments around the world).


The Avaya Definity, one of the longest-running PBX series

Nearly everyone reading this has probably made a phone call through a PBX at some point in their lives. Ever had to dial “9” first to make a call? Your call most likely traveled through a PBX. Ever called from one hotel room to another by dialing only the room number? Your call probably never left the building. I say “probably” and “most likely” because many local phone companies offer a service called Centrex. This offers calling features similar to PBXs, but everything (including “service monitoring” and government surveillance) is handled right here in my central office. We just charge you a hefty fee per month, per line.

Years ago, phreaks often thought of a PBX as a fun way to make free phone calls. They’d refer to “diverters” or “extenders” in conversations, and often used such terminology interchangeably with “PBX.” A phreak I knew named Phred, based out of Staten Island, spent his days collecting other phreaks’ phone numbers, and then calling them using PBXs he’d broken into. “I’ve got your number,” he’d threaten on conference bridges, which were common at the time. “I’ve got EVERYBODY’S number, and I’m gonna call you on my phone sex PBX.” I’m not sure what ever happened to Phred; he disappeared one day and nobody ever heard from him again. Rumor has it he went to prison, but who knows. At least we know that’s where TRON is.

And now, if you’ll indulge, it’s time for a trip down memory lane. Before Internet access was widely available (believe it or not, it’s only been about 15 years), hackers and phreaks largely communicated and shared information via text files and hacking programs (such as ToneLoc) circulated on dial-up BBSs. You can think of a dial-up BBS as similar to a Web message board, except that each one had to be dialed up separately using a modem. If someone else was connected to the BBS, you’d get a busy signal.

One of the more creative inventions of 2600 Magazine was their voice BBS, which gave people without computers another avenue to communicate. Messages left there were quite often interrupted by red box tones. I spent many long hours in the central office performing “service monitoring” of (516) 473-2626.

Hackers and phreaks also communicated using conference bridges, such as those provided by Alliance Teleconferencing. These were a favorite with phreaks because they both contained an incredible array of conference management features (many of which were used to harass DrHavoc’s mom), and were highly susceptible to, erm, “creative” billing arrangements. And, of course, there were 2600 meetings, where local hackers and phreaks could meet and share ideas face-to-face.

OK, back to the present day. Although a poorly configured PBX can still allow unauthorized people to make free phone calls, finding an open DISA port is rare these days. And with the low cost of long distance (I just called Emmanuel in Singapore, and it cost only 7.25 cents per minute), combined with the high risk of being caught, it’s hardly worth the bother anymore.

So, you may ask, what good is a PBX if you can’t make free phone calls using it? Fair question, but first, it’s good to understand why people install PBXs so you can think of creative ways to have fun with them. PBXs provide numerous advantages to the people who install them, but probably the biggest one is a lower phone bill. Instead of paying a monthly fee to the phone company for each individual telephone line in a facility, you only need to buy as many phone lines as you actually use for incoming and outgoing calls. This is calculated by the PBX installer based on averages, with some buffer for unusually busy periods. Making a call within the building ties up your phone, but it doesn’t tie up an actual phone line. If you make a call outside the building (generally by pressing 9), or if you receive a call from the PSTN, the PBX takes care of routing your call.

The second biggest advantage is control. With a PBX, you can control the calling features available to each telephone set individually. For example, you could configure some telephone sets to only receive incoming calls, others to only be able to make calls within the building, and still others to have unrestricted capability. You can even control the hours when calls ring through to office phones, for example, forwarding calls to an answering service after hours. Or maybe if you’re creative, forwarding calls to DrHavoc’s mom instead.

Another form of control is least cost call routing. Suppose that you have accounts with two different long distance carriers. One carrier provides attractive pricing for domestic calls, and the other provides attractive pricing for international calls. Based on the numbers dialed, the administrator can instruct the PBX to route the call over one long distance carrier versus another (using carrier access codes, a topic I have covered in previous issues).

PBXs provide numerous features other than just additional control over how and when calls are placed. You’re probably familiar with those “press 1 for sales, press 2 for service, or press 3 for a recording of our CEO farting” phone trees. With a PBX, you can make your very own. PBXs generally also include voicemail systems, and PBX administrators have as much flexibility around voicemail features as they do around calling features. For example, you can decide whether or not to let callers record their own outgoing messages, control the number of messages they can store in their mailbox, or grant the ability to return phone calls (to name just a few options).

There are dozens of different manufacturers of PBXs, but they are largely self-contained and proprietary systems. PBXs generally use digital inside wiring (often with proprietary encoding, meaning you have to use only telephone sets of the same brand and model as your PBX), and can connect to the PSTN using either digital (ISDN and/or T1) or analog lines. Note that not all PBXs support all types of PSTN connectivity. In general, despite a lot of noise about open standards, you pretty much have to buy both your PBX and your telephones (called station sets) from the same manufacturer. Manufacturers sometimes have multiple (and often incompatible) product lines; for example, Nortel has both the Norstar and Meridian product lines. These telephone systems have different features and hardware, and are not fully interoperable.

To make things even more exciting, telephones, computers, voicemail, email, and VoIP technologies have converged rapidly over the years. This leads to a confusing hodgepodge of acronyms, many of which mean different things to different manufacturers. For example, a “VoIP PBX” could actually be using any of over a dozen communications protocols, some public and some proprietary, with transport over IP being the only thing they have in common. And even then, which part of the call takes place over IP can vary. Some PBXs, for example, label themselves as VoIP, but in practice, they can only route long distance calls over the Internet (using services such as a SIP provider). Conversely, there are now software-only PBXs, such as Asterisk, which can be operated without connecting to a single physical telephone line.

One feature that my central office supports, which many PBXs don’t, is CALEA. If you’ve read my previous columns, you’ll recall that I have described in detail this FBI-mandated surveillance infrastructure, which is built into the PSTN. However, in-building calls may not be safe for much longer. Many colleges and universities around the country have reportedly been contacted by the FBI requesting provisions for PBX surveillance infrastructure. They claim it’s to assist them in cracking down on “drug activity.” It’s probably only a matter of time before hospitals, businesses, and anywhere other than the Department of Justice receive similar requests.

And on that uplifting note, it’s time to bring another issue of The Telecom Informer to a close. Have a safe and happy Halloween and Thanksgiving, press 4 to pull my finger, and I’ll see you all again this winter!



http://www.telephreak.org – A software-only Asterisk PBX offering free voicemail and conference bridges.

http://askcalea.fbi.gov/ – FBI-operated Web site describing the CALEA nationwide surveillance program.


Phone Scams, Old And New (Summer, 2007)

Greetings from the Central Office! It’s hard to believe that summer is already here, but the solstice is just around the corner and the rain has already gotten a little warmer.

Although I rarely see the sun from my windowless workplace, we actually get a lot of it during the summer. Here in the Pacific Northwest, the sun rises just after 5 in the morning, and doesn’t set until after 9 at night. With only 3 months a year of semi-decent weather, people spend a lot more time outdoors, and mobile phone usage skyrockets. Capitalism being what it is, unscrupulous mobile service providers are lurking in the shadows with an interesting new way to make a quick buck. And like our indigenous (and revolting) banana slugs, they’re leaving a trail of slime wherever they go.

The more that scams change in the telecommunications industry, the more they stay the same. During the 1980s, premium-rate “information services” such as 976, 540, and 900 numbers were introduced. Although there were a few exceptions (such as pay-per-call technical support lines), these services were mostly scams intended to bilk unsuspecting subscribers. They’d offer dial-a-joke, dial-a-moan, or other services of dubious value, adding eye-popping (and often undisclosed) charges to a subscriber’s monthly bill. When you received an outrageous phone bill, Ma Bell would claim that they were just a billing agent, but then threatened to shut off your phone if you didn’t pay the so-called “third party” charges. There were few (if any) regulations around disclosure of pay-per-call charges, or opportunities to opt out of them.

Eventually, both the FCC and numerous state public utility commissions intervened to stop the madness. They required Ma Bell to block “information service” pay-per-call numbers at no charge upon request, and prohibited disconnection of your line for failure to pay third-party charges (provided that you paid your local service charges on time). Additional requirements were placed on service providers, forcing them to both disclose pricing up front and allow subscribers to hang up without being charged if they didn’t agree. Predictably, the market for such “information services” effectively dried up—after all, it’s only profitable to run a scam if you can both fool a sucker and force them to pay without recourse.

Well, fast forward to 2007, and the same thing is happening all over again. Ever heard of Dada Mobile? Blinko? Jamster? Until recently, I hadn’t, but I prefer to spend my evenings in the central office performing “service monitoring” of my subscribers’ private conversations. Hey, if the NSA doesn’t need a warrant, I figure that I don’t either. However, if you watch MTV, American Idol, or any television show with a mainstream audience, you’ve probably encountered an ad for a “premium-rate text” service offered via an SMS short code. In other words, vote for your favorite celebrity, and get soaked on your cellular phone bill. Or, if you’re creative, maybe soak someone else’s cellular phone bill…

SMS short codes (referred to as Common Short Codes, or CSCs) are 5-digit and 6-digit codes issued by the CTIA, a cellular industry lobbying group. Anyone can lease one, at costs ranging from $500 per month (for a randomly issued CSC) to $1000 per month (for a vanity CSC). This gets you the number assignment, and maintenance in the CSC database (which is performed by NeuStar, a company that controls a shocking percentage of cellular network infrastructure; among other things, they also control system ID assignments). However, owners of CSCs must negotiate interconnection agreements with every wireless carrier individually. Alternatively, they can work with a service provider (such as VeriSign—another corporation with an incredible degree of influence in the wireless industry) who has existing interconnection agreements with most carriers.

Armed with a short code and an interconnection agreement, you’re in business! Just fool some sucker (often a child) into sending you a text message, and you can then tack absurd charges (which can recur as often as weekly) onto their phone bill with virtual impunity. Sure, there are some voluntary industry provisions and codes of conduct, which in practice are just so much horse manure. It’s just like the bad old days of the 1980s; charges are billed with scant (if any) disclosure and wireless phone companies threaten to shut their customers’ phones off if the third-party charges aren’t paid. The difference is the sheer audacity with which this is done, and the almost complete lack of recourse. Wireless telecommunications (by design) is a virtually unregulated industry. Don’t expect relief from the FCC or public utility commissions on this one. And with Congress in the pocket of lobbying groups such as the CTIA, this problem is unlikely to ever be solved.

(By the way, thanks, Erratic, for subscribing my cell phone to 8 separate ring tone download and celebrity update services this morning. I can’t wait to get my bill, and I hope you don’t mind that the USOC on your POTS line changed to 12B. Oops, my finger slipped.)

So, let’s rewind to the 1980s again. In 1984, the long distance market was deregulated. Most subscribers stayed with AT&T, but upstarts MCI and Sprint quickly grabbed the #2 and #3 shares in the market, respectively. By the late 1980s, there were over a dozen long distance companies, and by the early 1990s there were literally hundreds. The market became increasingly cutthroat, and providers came up with all sorts of interesting ways to gain your long distance business. For example, one long distance company did business as “The Phone Company,” so any (often elderly) subscriber who asked for “The Phone Company” as their long distance provider would get them—not surprisingly, at uncompetitive rates. Another company, LCI, sold its services via multi-level marketing, often alongside products like Amway and Mary Kay. Evidently, it paid off; today, LCI is Qwest, one of the few remaining Baby Bells. And everyone has probably heard the story of cigar-chomping Mississippi scam artist Bernie Ebbers, former CEO of WorldCom—and now Inmate #56022-054 at FCI Oakdale.

[Photo: Bernie Ebbers. Caption: He’s wearing a different kind of suit now]

With all of this competition, a practice known as “slamming” became a major problem. Long distance companies would use dubious (often bordering on unethical) methods to switch you to their long distance services. For example, AT&T mailed millions of $100 checks. These looked like rebate checks, perhaps from a legal settlement (of which there were many at the time). However, the fine print on the back indicated that your signature authorized switching your long distance service to AT&T. And for a few years, it seemed like no dinner in America would ever go uninterrupted by a sales pitch from a long distance company. Some companies didn’t even bother asking for authorization. They’d just switch you to their long distance service (often billed at outrageous rates). Many consumers didn’t even notice.

Eventually, enough politicians were personally affected by the problem, and the FCC cracked down again. Subscribers now have the right to initiate a “PIC Freeze,” which requires the subscriber to contact their local phone company to change long distance carriers. Unscrupulous carriers who engage in slamming are subject to fines and even criminal penalties. And for the most part, it doesn’t matter much anymore; most subscribers use their cell phones for long distance these days. Without much fanfare, AT&T exited the residential long distance market late last year.

These days, we’re beginning to see a different kind of slamming—cell phones! For the past few years, you’ve been able to take your phone number with you when changing carriers. Unscrupulous wireless phone companies have used this to their advantage. They call, introduce themselves as something like “Your Wireless Phone Company” (that’s their actual company name, just like the long distance carrier calling itself “The Phone Company”), and offer to send you a new, free phone. If you agree, they will indeed send you a free phone—along with a brand new service provider, a brand new rate plan (at unfavorable rates), and a brand new contract with a hefty early termination fee. Adding insult to injury, your previous wireless provider will also bill you an early termination fee if you were still in contract with them. And all of this is being done legally, under procedures outlined by the FCC. Speaking of the law of unintended consequences, your existing wireless provider is prohibited by law from even warning you that you might be the victim of a scam.

And on that note, an outside plant technician told me that we’re headed for a few sunbreaks, and the clock tells me that my shift is over. It’s time to get outside and enjoy the weather! Have a fun summer, watch out for phone scams, and I’ll see you again in the fall. Or perhaps, if you’re lucky enough to visit the spectacular Pacific Northwest, you’ll even see me at a 2600 meeting!