The Association of U S West Retirees



Arrests Reveal Vulnerability Of Web Phone Service to Fraud
By Dionne Searcey and Shawn Young
The Wall Street Journal
Thursday, June 8, 2006

The rise of Internet calling, hailed for its ability to bring consumers inexpensive phone service, is providing an opportunity for hackers, mischief makers and scam artists.

Yesterday, federal authorities arrested the head of two small Miami telecom companies, as well as a Spokane, Wash., computer programmer, for hacking into the networks of as many as 15 other Internet phone providers to fraudulently route customers' calls, according to a federal complaint filed in New Jersey.

The telecom company's owner, Edwin Andres Pena, spearheaded a scheme that scanned the networks of unsuspecting companies, searching for weak spots to exploit and use to route his own customers' calls, the government alleges. He then billed a Newark, N.J., Internet telephone company for more than 500,000 unauthorized calls that he had sold to his customers at deeply discounted rates, the complaint said. Robert Moore, of Spokane, helped Mr. Pena hack into routers to disguise the calls' origins. Mr. Pena collected more than $1 million in connection fees and used the money to buy a motor boat, luxury cars and Miami real estate, according to the complaint.

"Emerging technologies and the Internet represent a sea of opportunity for business but also for sophisticated criminals," New Jersey's U.S. attorney, Christopher J. Christie, said in a prepared statement. "The to stay ahead of the cybercriminal and protect legitimate commerce."

Neither Mr. Pena nor Mr. Moore could be immediately reached to comment.

The Newark telecom company, Net2Phone Inc., a unit of IDT Corp., is a relatively small telecom provider with roughly 100,000 U.S. customers and hundreds of thousands more overseas, but large firms are also vulnerable to similar fraud, security experts say. They say the incident could open the floodgates for further mischief -- ranging from tapping in to calls and voice mail to theft of call records -- because it shows that hackers can crack the systems of Internet-based phone service, known as VOIP for voice over Internet protocol. Net2Phone didn't return calls to comment.

The case comes at an inopportune time for VOIP providers. Shares of Vonage Holdings Corp. have fallen 29% since its initial public offering of stock last week, and technology experts are raising more alarms than ever about the security of VOIP. (Read a related article on consumers' frustration with lack of regulation of Web-based phone services.)

Hackers are often drawn to big targets, and VOIP is getting huge. EBay Inc.'s Skype Technologies Inc., which is available around the world, has 75 million users. Vonage, which has a phone subscription service, has roughly 1.6 million paying users. Cable companies also are rolling out phone service that runs on Internet technology, as are several traditional phone companies, including AT&T Inc. In the U.S., analysts estimate that by 2009 about 20 million households will have at least one phone connected to a VOIP service.

While VOIP calls are free or cost a fraction of traditional phone service, there is a price: "You're creating a connection between your phone and the Internet," says Vincent Weafer, senior director of security response at Symantec Corp., a specialist in cybersecurity. That means the household phone can suddenly be vulnerable to the glitches and chicanery of the online world.

Vonage encrypts the beginnings and ends of calls, when calls are admitted onto the network, but it doesn't encode voice conversations, a company spokeswoman says.

Internet crises can be paralyzing enough without crashing phone systems. In 2003, the Slammer worm affected an emergency-dispatch system near Seattle that served two police departments and 14 fire departments. Because the conventional phone network wasn't harmed by the worm, operators were able to get calls, but the computerized system they used to dispatch help was linked to servers that were disrupted by the worm. For more than eight hours, operators resorted to pencil and paper to run their dispatch system. After the attack, local officials vowed to look for ways to further isolate their systems from the Internet.

But consumers and businesses are hurtling in the other direction, toward using the Internet for phone service. Many experts predict that within the year, there will be a widespread instance of SPIT, which stands for spam over Internet technology, or a use of Internet-based calling technology to produce floods of bogus calls and messages. Experts also fear phone connections could be used to steal identities, alter messages, crash computers or paralyze online phone services. Security experts at companies and universities are mobilizing to identify and address weaknesses before they affect users.

But the users themselves are part of the problem. "The user is the wild card. The carrier can do everything right, and if you leave your system vulnerable, it's all a waste," says Symantec's Mr. Weafer.

From his home in downtown Omaha, Mike Hrabik, chief technology officer of Soluntionary Inc., a cybersecurity company, usually has the option of tapping into the wireless home networks of at least 15 neighbors and using their Internet connections. It wouldn't be a stretch for an invader to hack in and help himself to a neighbor's VOIP service, he says.

The damage could go far beyond freeloading. Hackers could use their victims' phones to send SPIT to other victims or to commit crimes, as they already do with email. About two years ago, Mr. Hrabik's company worked on a case in which someone was sending threatening messages to police using an unwitting stranger's email. The villain, who was relaying messages through a string of remotely controlled puppet computers, was never caught.

Doug Graham, a consultant at BusinessEdge Solutions Inc. who has worked with large phone and cable companies on Internet phone security issues, said the industry is just now waking up to the importance of securing VOIP networks. "I think there's been an avoidance of the security issue because we haven't yet seen a major predator or a huge denial of service attack," he says. AT&T, Verizon Communications Inc., and Time Warner Inc.'s cable unit, all of which have VOIP offerings, are among Mr. Graham's clients.

"A lot of the infrastructure out there has not been properly secured," Mr. Graham says. "People are rushing to get VOIP solutions out there, and in many cases aren't taking the extra steps to get them secured."

In the most recent case, Mr. Pena and Mr. Moore were allegedly able to obtain the "prefixes," or proprietary codes that are established by telecom companies to accept calls for routing. Using a method called "brute force," they flooded VOIP telecom providers with test calls, each carrying a different prefix, until they found a match, according to the complaint.

Mr. Pena allegedly also hacked into the router of a hedge fund in Rye Brook, N.Y., so that customers' VOIP calls could be sent through it to disguise their origin, making it appear the hedge fund had initiated the calls. From the hedge fund's router, Mr. Pena sent the calls through the networks of VOIP providers, including the Newark VOIP company, authorities said.

Mr. Pena started soliciting customers for two of his telecom companies as early as November 2004, offering them wholesale purchase of VOIP minutes for as low as four-tenths of a cent per minute. He ended up selling more than 10 million minutes but didn't have to pay for calls because he routed them by hacking into Internet phone providers, the complaint alleges.

The VOIP providers couldn't identify where the calls were coming from, but they all racked up charges of about $300,000.

--Amol Sharma contributed to this article.

Write to Dionne Searcey at and Shawn Young at