Call Forwarding Credit Card Scam

This is impressive:

A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.

Pizza orders are thus routed by AT&T to the fraudster's line. When a call comes in, the fraudster pretends to take the customer's order but says payment must be made in advance by credit card.

The unsuspecting customer gives his or her card number and expiration date, and before you can say "extra cheese," the fraudster is ready to go on an Internet shopping spree using someone else's money.

Those of us who know security have been telling people not to trust incoming phone calls -- that you should call the company if you are going to divulge personal information to them. Seems like that advice isn't foolproof.

The problem is the phone company, of course. They're forwarding calls based on an unauthenticated request. AT&T doesn't really want to talk about details:

He was reluctant to discuss the steps AT&T has taken to improve its call-forwarding system so this sort of thing doesn't happen again. What, for example, is to prevent someone from convincing AT&T to forward all calls to a local flower store or some other business that takes orders by phone?

"We had some guidelines in place that we believe were effective," Britton said. "Now we have extra precautions."

It seems to me that AT&T would solve this problem more quickly if it were liable. Shouldn't a pizza customer who has been scammed be allowed to sue AT&T? After all, the phone company didn't route the customer's calls properly. Does the credit card company have a basis for a suit? Certainly the pizza parlor does, but the effects of AT&T's sloppy authentication are much greater than a few missed pizza orders.

Posted on August 21, 2006 at 1:35 PM • 45 Comments

Comments

Chris S • August 21, 2006 1:55 PM

Perhaps AT&T simply needs to be able to fix problems faster. Implicit in this scam is that even AT&T believes it can't fix a phone line quickly. If a call like that were instead forwarded to a repair group that had a reputation - both internal and external - of being able to promptly fix problems, then this scam would likely vanish.

Of course the easy way to do that is almost the same - make AT&T liable for the non-working line, such that they have incentives to fix it NOW.

Prohias • August 21, 2006 2:04 PM

Isn't the fraudster traceable? I believe identity verification happens when procuring a phone number (plus there is a trail with bill payments). As long as AT&T verifies that the number being forwarded to is a listed, private number, traceability is at least there.

Of course your point is 100% valid.

Anonymous • August 21, 2006 2:17 PM

"Those of us who know security have been telling people not to trust incoming phone calls -- that you should call the company if you are going to divulge personal information to them."

I moved a couple of months back and because of the confusion of moving misplaced a bill for a credit card, and as a result I missed a monthly payment. It is not like I am a deadbeat; my credit rating is absolutely brilliant. I never miss payments on anything. I received a call from the credit card company saying I had missed a payment. When they asked me for personal information to confirm my identity, I refused to give it to them because I had not initiated the call. I explained why I wouldn't give them any information, but the caller was incredulous that I didn't believe that he in fact worked for the credit card company, because otherwise why would he be calling. A couple of weeks later I received a letter in the mail from the credit card company saying if I continued to refuse to divulge information to their credit people when they called they would cancel my card and pursue the matter through litigation. Nice. I paid off the balance on the card and canceled it immediately. How can I possibly trust them?

Bruce, that is good advice and I follow it, but it seems some (maybe all) credit card companies just don't care about protecting our identity. Until it costs them more money to care about our identity than not caring about it, we are screwed.

Damon • August 21, 2006 2:47 PM

I also had an experience where I refused to give personal information when I didn't initiate the call. The funny thing was it was my credit card's fraud unit that called me!

They called to say there was suspicious activity on my card and could I confirm some information. I asked them to confirm some information first and they refused. This was only a few months after I had been a victim of credit fraud, so I very carefully explained my concerns and they were surprised that I questioned their authenticity.

I hung up and called the number on the back of my card. After navigating voice-menu hell, I got a person who had no idea about the suspicious activity.

I felt good that I may have avoided a trap, but this item goes to show that I could have still been caught if the number I had called had been rerouted.

Maybe the problem is with blind rerouting of calls. What if phone companies were required to play a message "This call is being rerouted to (xxx) xxx-xxxx" to make the customer aware? This probably won't work as there are many valid reasons to have such calls rerouted, but no solution is foolproof!

Damon

Brian • August 21, 2006 2:53 PM

How about before we start hiring lawyers we see if AT&T does the right thing on their own?

It is a tad disconcerting that AT&T won't disclose what they've done to fix the problem.

Maybe they are asking for information from a previous phone bill? Let's see...

I call AT&T, claim I am from Pizza Palace.
AT&T asks me for the dollar amount on my last phone bill.
I tell them.
They know that I am really from Pizza Palace.

I suppose an attacker could try to get Pizza Palace to give out information about their last phone bill, but so long as the Pizza Palace manager is reasonably paranoid about accepting phone calls from someone claiming to be the phone company, that shouldn't be a huge issue.

What about the shifts where there isn't anybody senior enough to have access to the phone bill? They might be SOL as far as rerouting the phone in an emergency... but really, how often does that happen? And they could always go wake up the owner to get access to the bill.

Joe Buck • August 21, 2006 2:53 PM

The fraudster could just place the call from the pay phone nearest to the pizza parlor, which is something that the pizza shop owner might do.

Matt D • August 21, 2006 3:07 PM

One way in which systems such as this can be made somewhat more secure, albeit not foolproof, is to only allow redirections due to a line failure to be set up by the engineer/technician to whom the fault is allocated (I'm referring to the guy with the crimp tool, crank-megger and overalls here, not the call-centre droids, BTW).

Of course, this trades off customer convenience (no instant call redirect as soon as the fault is reported, but only when someone vaguely knowledgeable and in a position of trust within the telco has checked the alleged fault and requested a redirect from number X to number Y on behalf of customer Z) against increased security for the customer and his/her customers.

Michael Ash • August 21, 2006 3:31 PM

My understanding is that you can sue anybody for anything in the US, and it's up to the court to decide whether the case has merit.

Anybody who was defrauded because of AT&T's mistake can and should sue AT&T. It doesn't need to be expensive and, to my non-lawyer eyes, the case would seem to have merit.

Alan Braggins • August 21, 2006 3:58 PM

> a few missed pizza orders.

The fraudster could even pass on the orders to the correct number. That way he has fewer calls saying "where's my pizza?" to handle, and the customers are less likely to realize something is wrong before they get their next statement.

mas • August 21, 2006 3:58 PM

Well, as annoying as such stolen credit card info is, the money is stolen from the insurance company of the credit card bank.
All non-personally signed use of credit cards can be contested and will be more or less promptly refunded by the credit card company, as there is no proof the owner used the card and not any restaurant employee copying this tiny bit of info and misusing it.

Nevertheless the point stands. AT&T should not accept forwards for phone numbers unverified.

Please note that this scam is, in a varied form, also possible with mail forwarding and similar stuff. No one checks such.

David • August 21, 2006 4:04 PM

"Perhaps AT&T simply needs to be able to fix problems faster."

It could be the pizza place's internal phone system that isn't working, which is in no way AT&T's responsibility.

"The fraudster could just place the call from the pay phone nearest to the pizza parlor, which is something that the pizza shop owner might do."

It was suggested that the number to be routed *to* be verified as a private (therefore traceable) number. I don't imagine a pizza place would have someone sitting at the payphone a block away taking calls.

An additional thing they could do is actually attempt to call the number. If they get through, they can verify with the people on the other end. In order to subvert that, the attacker would have to be able to break the pizza parlor's phone service, which is an attack which should be difficult to impossible to begin with.

Jon • August 21, 2006 4:10 PM

For mail forwarding however, USPS sends a note to the forwarded-from address that tells you (if you were still checking mail there) that your mail will be forwarded to such-and-such address. Seems like an ok solution, except that the new resident living in your old place could always deny the forwarding request and then get your mail.

Bruce Schneier • August 21, 2006 4:33 PM

"The fraudster could even pass on the orders to the correct number. That way he has fewer calls saying 'where's my pizza?' to handle, and the customers are less likely to realize something is wrong before they get their next statement."

Nice finesse.

Bruce Schneier • August 21, 2006 4:33 PM

"Bruce, that is good advice and I follow it, but it seems some (maybe all) credit card companies just don't care about protecting our identity. Until it costs them more money to care about our identity than not caring about it, we are screwed."

100% correct. It's all about the externalities.

Filias Cupio • August 21, 2006 4:36 PM

It should be possible to set up an automated man-in-the-middle attack. You redirect calls to your number, which is connected to a computer. When it detects an incoming call, it calls the true business on a second line. It then relays voice both ways, recording the conversation. If the business uses caller-ID, you'd need to spoof that also, but I understand this isn't too difficult.

The man-in-the-middle phone could be an anonymously purchased mobile phone.

Rich • August 21, 2006 6:57 PM

I once got a call from a Revenue Canada agent (Canadian version of the IRS) who asked for my SIN (SSN) and DOB to prove who I was. I refused, and we negotiated to a back and forth of he gave me 3 digits, I gave him 3 digits, etc.

Unfortunately, he didn't offer to cancel my service...

I also once had to prove myself at the bank after I had lost my wallet. They asked me a series of questions which all could have been answered by anyone with my wallet, then gave me a new ATM card and let me set the PIN. Not reset as in old PIN required, but set a new PIN.

Anonymous • August 21, 2006 8:11 PM

"The fraudster could even pass on the orders to the correct number. That way he has fewer calls saying 'where's my pizza?' to handle, and the customers are less likely to realize something is wrong before they get their next statement."

Or until the pizza delivery person wants to be paid, though I suppose they could ask for the credit card number only as a guarantee of payment rather than payment itself.

Robert • August 21, 2006 8:33 PM

Couldn't AT&T have verified the request by ringing the phone that is supposedly having trouble? If the pizza parlor was open and the phone was working, then the fraud would be stopped. But if it was closed?

"The fraudster could even pass on the orders to the correct number. That way he has fewer calls saying 'where's my pizza?' to handle, and the customers are less likely to realize something is wrong before they get their next statement."
But hasn't this number been redirected, so even the fraudster cannot ring it?

dimitris • August 21, 2006 9:06 PM

On getting calls *from* credit card companies/banks:

How many of you have the (verified) CC/bank contact number in your address book? I can remember several occasions when I've called banks using the numbers from their "Contact Us" pages. Prime phishing prey...

Sounds like these pages (and all that link to them) need to be accessible only over HTTPS. Good luck on that ever happening...

spork • August 21, 2006 9:27 PM

@dimitris

HTTPS protects the bytes in transit. Technically it uses PKI to authenticate the web server, but the usability is so poor that you can't rely on that for security.

Antonio • August 21, 2006 11:02 PM

@Prohias
If I was a malicious person wanting to do this, I'd find someone who's not home, tap into their phone line (either via a contact outside their house or the local neighborhood phone box) and receive the calls there. If all I needed were a few CC numbers it wouldn't take very long.

Point being that someone (with half a brain) who'd actually go through with this would be able to get around that pesky 'tracing' problem in a variety of ways.

david harrison • August 21, 2006 11:15 PM

"Shouldn't a pizza customer who has been scammed be allowed to sue AT&T?"

Well, the pizza customer probably doesn't care, because they'll get their money back when they dispute their credit card bill. It's a pain in the ass, but they probably don't lose any money.

The bank probably won't care, because they'll probably get back the money on insurance.

The people who really lose and who should have the right to sue are the vendors who have sold the criminal goods with the stolen credit card number. They'll probably just lose the money when the credit card company decides it was a fraudulent payment (at least, that's my understanding).

Roger • August 21, 2006 11:59 PM

It's interesting that so many actions which should be authenticated are so easy to do over the phone without authentication. A little while ago I closed an electricity account over the phone; the only information required was the account number. I can't see an easy way to directly obtain money that way, but you could certainly do some damage to a business rival who neglected to shred his trash.

In this particular case, though, the real monetary damage wasn't caused by the weak phone authentication; that was just (yet another) means to obtain credit card numbers. The real problem is that credit cards have such pathetically weak security measures for financial transactions. All the information required to perform a remote transaction is given out to complete strangers every time you perform a remote transaction. For remote transactions there is no actual security at all. It's a nineteenth century technology that should have died off at least a decade ago.

@mas:
> Well, as annoying as such a stolen credit card info is, the money is stolen from the insurance company of the credit card bank.

If I correctly understand the US system for card-holder-not-present transactions, the loser is actually the merchant who accepts the credit card order from the criminals. The card company contract makes those poor guys responsible for all such losses--whilst giving them no way to actually deal with the problem, except to pass the losses on to their other customers (yep, externalities again; the people who care can't do anything and the people who could fix it don't care).

However with this method of obtaining the numbers, there is also a much greater risk for the card owner. Unless AT&T is letting the "pizza shop" forward its calls to another neighbourhood (which surely would arouse some suspicions!), the thief must be physically close to the real card holder, and so the deliveries of stolen goods may be too. That makes it less likely that the credit card company will reverse the disputed charges.

rty • August 22, 2006 3:15 AM

I too received a phone call from "my bank's fraud department" whilst out of the country. I refused to supply the bank with any information until they answered a simple question: what city was I in? They gave my home city. I asked the question again and they supplied the correct answer. For me, that was enough. The bank were slightly taken aback that I was questioning who they were, despite me explaining that they could be anyone. During the remainder of the phone call I was (apparently) refunded for a fraudulent transaction. Given that I did not reveal any information that I would not feel happy handing out, I was happy.

Ian Eiloart • August 22, 2006 4:39 AM

"Those of us who know security have been telling people not to trust incoming phone calls -- that you should call the company if you are going to divulge personal information to them."

My bank called me, and asked me to verify my security details before going on to try to sell me a new credit card. They'd done this a few times before, and every time I was angry with them.

I got to talk to a supervisor in the call centre. He made three comments. (1) The bank advise customers to call back if they're not sure about the incoming call. (2) In an evening's work at the call centre, he'd typically get one or two customers refusing to give their details. (3) He himself uses his own birthday as a memorable date!

Now, the security details asked for aren't enough to guarantee getting into the bank. They ask for two of four PIN digits, and one of five pieces of personal information ("first school", "memorable place", that kind of thing).

So, without any of that data, you have to know something about the person to stand a chance of getting in. With one call, you have 1/100 * 1/5 = 0.2% chance of getting in. With two calls, that improves to about 2/5 chance.

RonK • August 22, 2006 6:22 AM

@ Roger

> Unless AT&T is letting the "pizza shop" forward its calls to another neighbourhood
> (which surely would arouse some suspicions!), the thief must be physically
> close to the real card holder...

Uh, Roger, you have heard about cellular telephones, no?

sidelobe • August 22, 2006 6:28 AM

Around here, the pizza places all take cash or check on delivery. You tender payment when the goods are delivered. The pizza guy arrives with some kind of ID -- a marked car, a uniform, and a box with the right logo on it. All identities verified, and you can even pay in untraceable cash and they're happy about it.

This is an old problem. People have been hacking telephone switches for decades, while Web redirection is barely a 10-year-old problem. Has anyone suggested holding the managers of the DNS root nodes responsible for Phishing? The myriad of ISPs? In this case, AT&T is only being considered responsible because unlike the Internet, we can identify the carrier.

The responsibility lies with the individual. I can do things to verify the identity of the pizza place: I can ask the name of the person taking the order, verify the address of the place, ask the name of the store owner (verified by a personal visit), etc. I could do the same with my credit card company, by asking the value of a recent charge I made, just as they ask me the same thing.

Hullu • August 22, 2006 7:10 AM

Wouldn't it also be easy to get a job as a pizza delivery boy with a fake name (can this really be hard? No employer has ever asked me for an ID), deliver pizzas, and whenever one is paid by a credit card steal the numbers and pay your company with cash from your own wallet?

Resign after one or two weeks; by this time none of the pizza buyers should have noticed a pizza missing on their bill, nor would they care if they noticed. Tadaa, you have a lot of credit card info and no one knows what you did (and no one knows your name) until you use them. To conceal your looks, change your haircut, beard and glasses status for the duration of the employment.

Could this fail? :)

Dave Aronson • August 22, 2006 7:41 AM

Doesn't anybody find it ironic that this problem is very similar to why automatic phone switches were invented in the first place? (Look it up.)

TimH • August 22, 2006 9:21 AM

Various commenters have suggested that the CC issuers are safe because their insurance pays up for fraud. I am pretty sure that CC companies cover their own losses. There aren't that many CC issuers to aggregate the fraud risk, so insurance doesn't really work here. Car rental companies cover their own damage insurance risk too.

Techie • August 22, 2006 10:31 AM

Interestingly enough, I can set up VOIP accounts cheaply and quickly from almost anywhere that utilize a "local" phone number near the pizza shop of my choosing. (Pizza parlor in New Hampshire, I'm in Los Angeles.) Heck, I can set up two. One for taking orders and one for my buddy to forward the orders to the shop so that we can extend the "man in the middle" scam longer. This way the phone number being forwarded is local and looks legit to AT&T, and my calls to the pizza parlor are "local", no matter where I really am.

Oh, and if I set up the VOIP account using name and CC data I've already scammed from my local pizza parlor patron, the odds of finding me before I move to Cabo for the winter are really steep.

Hopefully AT&T will address this appropriately, and soon.

John • August 22, 2006 10:42 AM

This will only get worse with VoIP, especially with insecure VoIP peering points. People have already hijacked phone numbers on a single VoIP company (like Vonage) just signing up for an account and saying they want to port their old number. A VoIP company might eventually find out, but meanwhile, you can bet that number will be active in their own internal routing, so all calls from their customers will route to the attacker.

Xellos • August 22, 2006 11:49 AM

--"No employer has ever asked me for an id"

Just out of curiosity, are you in the US? Every employer I've had here asks for, at a minimum, driver's license plus social security card. Not that these aren't easy to fake, but since the employer is responsible for withholding taxes, they tend to be picky about this...

As far as security of these transactions go, many (most?) credit cards these days have an option to create a one-time-use number to give out. It works online, never tried it for a phone transaction.
Of course, it is a separate step, so most people aren't going to bother with it.

Pat Cahalan • August 22, 2006 12:04 PM

@ Dimitris

> How many of you have the (verfied) CC/bank contact number
> in your address book?

I always call the number on my card. On more than one occasion, in fact, I've gotten voicemail messages telling me that there is unusual activity on my card and asking me to call them back at an 888 number, which doesn't match the customer service number I have.

Needless to say, I've dealt with the extra call routing and called the original 800 number that is imprinted on the card. This has always turned out to be a false alarm (the unusual activity request did in fact originate from the bank), but I'm not about to trust a voice mail message.

The call forwarding gag isn't new (if you work in telecommunication switch configuration for any length of time you hear these stories), but what I'm really interested in is hearing that one of the 800/888 numbers has been hijacked -> now that's going to be a great story when it happens.

Brian Miller • August 22, 2006 12:15 PM

I remember a while back there was a similar incident with a plumber and his competitor. The competitor had the plumber's line forwarded to his phone. The plumber phoned up the phone company a few days later and asked why he wasn't receiving any calls, and was told that the number had been forwarded. The competitor was prosecuted.

greygeek • August 22, 2006 12:23 PM

I thought your flower shop example was particularly ironic.

The first automated telephone exchange was not designed by anyone at the phone company, or even an engineer. He was a business owner -- of a mortuary as I recall -- who believed that his competitor was paying telephone operators to divert his incoming calls...

Chris • August 22, 2006 1:01 PM

"The fraudster could even pass on the orders to the correct number. That way he has fewer calls saying "where's my pizza?" to handle, and the customers are less likely to realize something is wrong before they get their next statement."

Or he could forward the calls and listen in and gather any credit card information he happens to overhear. He has no burden to be familiar with the menu, advertised specials, and the pizza company won't recognize his voice placing orders for lots of different locations...

Rich • August 22, 2006 1:23 PM

@Hullu

The local pizzeria we use handles the issue of delivery scamming by doing credit card transactions at ordering time. At delivery you simply sign the receipt.

Hullu • August 23, 2006 5:50 AM

Well, the pizza-delivery-boy-example I made was weirdly complicated all around.

Simply get any job as a person who handles customer payments involving credit cards and you have pretty much an unlimited amount of credit card info at your disposal... though attempts to trace the fraud can be made if you work with your real ID.

Guess the bottom line is that credit card frauds are pretty easy to commit, and the industry around them knows they will be fraudulently used and is prepared for that - and usually(always?) can deal with it.

whistler • August 27, 2006 6:16 PM

Today I had a verbal disagreement with an oil change technician at a franchised quick change oil center. He asked me for my street address and I refused to give it to him, telling him he didn't need it. He said it was required so that they could notify me of any recalls. I continued to refuse, not too elegantly. His next to final response was that he could not serve me without that information. That is, until he found out the oil change had started.

I don't know maybe I am over sensitive. I don't even provide my zip code to stores that ask for it at checkout.

UKGuy • August 29, 2006 2:59 AM

How about ... walk into branch of Halifax Bank of Scotland (not mine), hand over card, walk out with £1200 in used notes. No security questions at all, not even PIN; just sign a slip which the cashier doesn't even look at! Need to change bank - FAST !!

plover • September 15, 2006 2:45 PM

This scam sounds suspiciously like the same scam that caused the advent of a revolutionary piece of technology.

The story is that Almon Strowger owned a funeral parlor in a town where his competitor's wife was the local telephone operator. When someone rang the operator and said "Please connect me to the funeral parlor" she'd connect them to her husband's line. He invented the "Strowger switch," an electro-mechanical switch that selects different wires based on pulses of electricity. Strowger's switch allowed the customer to use a rotary dial to automate the function of switching lines, eliminating the job of the operator.

Too bad the solution for AT&T isn't as simple.

brioche • September 18, 2006 1:02 PM

I wonder if it is because I check my credit with Experian (they tell you to check it once a year; it is supposed to be free, but I had to pay for it). Anyway, by the time I checked my credit status (I was curious to see what they have on their files), a month later my 2 credit cards had been frozen, and I had to call them and answer a lot of questions, even though I paid my credit cards every month in full. They were pretty nasty answering me and asking even the color of my car (naming the brand) and why I was purchasing in several states; we live in 2 states most of the time, and I travel a lot in the US for my business. Do you know a bank that offers a credit card with no hassles and where you can go and buy what you want with nobody asking you questions? By the way, we are normal people, no terrorists or other. It is very aggravating.

richelleM • June 21, 2010 3:57 AM

There are lots of people like that nowadays, so we should be more vigilant and more cautious when giving out our credit card information.
