ONLINE > RECOLLECTION issue 3 > Thank you for using AT&T
"Thank you for using AT&T"
By Peacemaker

Yes, I really have to thank you AT&T, MCI, LCI, SPRINT and all the other phone companies for such a fantastic, interesting, exciting and all in all; wonderful time. Please read this: If your morals are larger than Mount Everest, then maybe you should stop reading here. :)

I don't want to write down in which group I was back then in all the years because I want to concentrate more on the phreaking side of life. In short: what and how I, Vortex, Jihad and Lawnmower Man (Lawny) found ways to call the boards, party lines, setlines and friends and so on. ;) Also note that I won't go any deeper when it comes to Bluebox and calling cards. I think enough was written about this in the last years.

I think it was around 1990 when Jihad gave me the first calling card with some instructions on how to use it. Although I didn't have a modem (I was mainly cracking and coding), I was very interested in "free calls" and made some test calls with the provided CC. Some months later I obtained my first 300 baud modem for my C64 and I called some local "mailboxes". Those weren't scene related and didn't have much C64 stuff to leech. And back then, here in Germany, you had to pay for local calls which was rather expensive. A local friend, namely Vortex had the idea to get access to a neighbour's phone line to get ourselves some free calls. So we did use the neighbours phone line with our 300 baud modem, looked up some intros of cracking groups to get some board numbers and called out to Europe and the USA. I think one of the very first boards was "The Mystic Cavern" and we were very excited. Not because we, lets say, borrowed this other phone line, but also because of the fact that we were new in the "board scene". And lord, I can tell you, we were fascinated. It was nearly a drug. We skipped school to get the latest games and demos. Obviously gaining access to this neighbour's phone line was a risk and after some weeks the "Post" (back then our phone company) was notified and we had to stop this method of calling out. So we had to find other ways to call out. At this point, with a rather low amount of knowledge and experience in phreaking, we luckily got our hands on a "C64 Bluebox for MCI". We didn't have had any background, why and how BB worked, but we used it with our new modems (Discovery 2400c). It was a pleasure to have a faster modem and so we called boards like: Mystic Cavern, The Forum, Holiday Inn Cambodia, In Living Color and and and. MCI Bluebox worked for a long time. During this experience I was somewhat greedy to learn new phreaking related stuff. There were some boards in the USA with nice general info. So I learned about PBX, VMBs, BlueBox, Toll free numbers and so on. Toll free numbers was the key. I spent a huge time scanning the 0130 Numbers (German Toll free). I made a shortcut on my phone for "0130 81xxxx" and scanned, scanned and scanned some more. 10000 numbers to try with pen and paper at my side to write down what I found. So sheet of paper looked like this:

813234 VMB (?)
813267 Modem Carrier
813290 PBX (10 Digits?)
813344 Modem Carrier
813345 Modem Carrier
813421 Fax
813423 ??? VMB

I can tell you. It was like fishing. You never know what happens on the next number. And maybe you found a number with a system behind it, that you can not use, but then some years later, you might know how to hack this system. What I try to say is: it really needs a lot of time, trying and learning to get your skills. MCI Bluebox still worked at this time, but I was already concentrating on the toll free numbers to gain the skills because I knew it was only a matter of time before MCI Bluebox would die. And so it did. We, Vortex, Lawny and me, tried to BB other countries like Israel, Australia, Chile and it worked. Even global calls were possible. But BlueBox in general was a dying way to call out. And the success rate to break the line, was really terrible in some countries. Not to mention the bad lines with line noises you got when you called a board. :]

At the same time, while scanning toll free numbers, (yes I never concentrated on one thing at the same time. I was so hungry for knowledge... :) ) Lawny was in the USA, bringing back with him a telephone book from Ohio to Germany. That was our bible. Well sort of. Now we had access (please remember, internet was just starting and there were no online phonebooks) to names, addresses and numbers. We read about ways to hack calling and credit cards and also Jihad mentioned a way to call out using "3rd party billing".

Calling and Credit Cards

You know the usual way, where you call someone up in the USA, tell them they have a collect call. If they accept, you tell them you can't bill the call to their number for some reason and you would be to accept a Calling or Credit Card. What you need is, a way to call out for free (or should:)) to call those numbers to hack cards. But, Lawny and I found a way to hack cards without having any way to call out for free. How? Well, let me explain.

1) AT&T, "Yes I accept"
First I have to credit my old friend Lawny for this fantastic Three-way / conference phone. I called him up, he took me on conference and he called the AT&T Operator for a collect call. We took a number and name from the phonebook, told the AT&T operator the number and name and when he asked how to pay for the call Lawny said "Collect call". The operator called the person. And it was here we found the exploit. If you remember, while the Operator called the person you could listen to what the operator was saying to the called person. And you could listen to the person that was called. And that's what we did: When the Operator was saying: "Hello, this is your AT&T Operator. You have a call from Mr. Lee, do you wish to accept it?" I was immediately saying "YES, I ACCEPT" before the called person was able to answer. So I imitated the called person and the result was that the operator would connect the call: "Thank you for using AT&T". It worked nearly perfectly. Now we had a connection for free to our "victim". Lawny, now playing the (new) AT&T Operator, was telling our victim that he tried to connect the call, but it did not work. "You can use a calling or credit card" (to make it short now), he said. If our victim was paranoid, Lawny was offering to get the supervisor on the line. I played the supervisor and I explained why the call could not be billed to the number. Reasons like: "It seems you have a collect call block on your line." If the victim was still not satisfied, we offered a 1800 number with extension they may call back. A lot of people were calm now and gave us the card(s), if not even some minutes earlier. When I had to play the supervisor was really rare because it worked fine usually. But everything has its end. AT&T, maybe 1-2 years later, changed their call system. Now they put you on hold and I was not able any longer to scream into the phone "Yes, I accept". :]

2) MCI, "I am your housewife, accept me!"
Another way, that I found out some time later to hack cards without having any way to call out for free and you could do it alone, was to call up MCI. Take a name and number from the phone book and do a collect call to this number / person, while you used the same name you are going to call. If you were calling a MR. you said you are MISS (yes, it worked if you raised your voice :]), and if you called a female, you were of course the Mister. MCI had a different system when it came to collect calls. They put you on hold while they were talking to the called person. Some people, I never understood why, accepted my Collect call. Now I played the supervisor, explaining to the victim that the MCI operator tried to connect the call but was unable to do so. Reason: blocked number. Same tactic as before. So I won't repeat it :). A lot of people gave their cards, if you got connected to them by the MCI Operators. I tried this version of hacking cards some years later, for fun and to prove it to a friend to show it really works. And hell, I am saying the truth that it worked on the first person I called. I got a AT&T Card, which I deleted after I had received it.

3) LCI, "Here is my credit Card"
Now, with a lot of calling and credit cards, still scanning toll free numbers one day I found a calling card company called "LCI". It was an automated service, where you enter your 14 digit Card number and the destination number to call. I found it interesting and was curious if it would be possible to set up my own cards (at this point it was not possible to get calling cards set up using a credit card at MCI, Sprint and AT&T. They would send you the card via mail, which did not work for me, of course:]). So I pressed "0" and got connected to the Operator. Telling him/her what I wanted, a calling card, the OP connected me to the sales department. I introduced myself with info (name) we got from our previous hacked credit cards with the wish I need a calling card because I was going to Europe soon. LCI was happy to take me as a customer and I gave them all the info they need. Name, address and credit card number with the expiry date from our stolen card. The LCI Cards were working nice and were activated rather quickly and were given to me over the phone.

4) AT&T, "My House!"
As mentioned before, getting calling cards using credit cards from major phone companies was not possible. I guess because some people abused this way to create calling cards previously. But one day I had an idea and called the AT&T Operator. I did not want to believe that AT&T had great security. "There must be a hole", I was sure. :] The OP connected me to the sales department. And I was saying: "Hello this is MR. X (name taken from phone book, as well as the address) and I would like to change my long-distance carrier / provider. And the AT&T guy was pleased to get all my info to switch my long-distance carrier. After this was done, I was also asking for a calling card, if that was included in this "package". And it was, after the sales person was explaining to me the rates for long distance calls, overseas calls (jesus, how I hated this, a waste of time:]), I had the possibility to choose my own PIN for my card. So "my" phone number and the PIN was a newly born calling card. These cards worked for around 1 Week. Which was a long time back then. Now I was an AT&T "customer" (and should) receive my bill at "home" via mail, using "my own" card to call the boards.

5) MCI, "Connect me to the crazy People!"
It was the time when many sceners called the party line at +1-515-945-5600 (I think it was). It was a party line system with different rooms, where you could talk privately one to one and so on. It was a funny time talking to all these people all around the globe. We talked about scene related stuff or just made jokes. Fooled other non-sceners. One night, yes I remember it well, Lawny called me up. He was very excited. I asked him what's going on, and he explained me what was going on, or better: what he did. With a smile in his face, I was able to imagine it as he was saying to me: "Peacemaker, I was in a bored mood, I called up the MCI Operator to call the party line. I gave the OP the party line number, and when the OP asked me how I want to bill this call, I said: "calling card, with the number I am calling." Operator asked for a PIN and I gave him the very first 4 digits that came into my mind. "4711". And guess what? The operator connected me. But not enough, I called again the MCI Operator this time I gave him the card (party line number) but changed the PIN. And it still worked. And you know what? I found out that all created cards worked if you change the last 4 digits of the phone number (e.g. 515-945-1234) and include a PIN, no matter what PIN, it worked! That means, we now had 10000 calling cards. JESUS!" And yes, I was really impressed by this. And I can tell you, it really worked for a long time. Some of those cards died, but we had enough of them. But sadly one day all of them died on the same day. But, you know me a bit by now, I was not ready to give up those cards. I was more than sure there was more than those "10000 cards". My increased skills were more and more controlling my thinking. :] So I called up the MCI Operator several times and randomly tested calling cards. YES! After some time I found another one of these "10000 calling cards block". And not enough, I found at least 20 Blocks of this kind of card. I was.. "rich" in the name of calling cards. :] Of course I told Lawny about what I have found and he was lucky again. Also I supplied some other sceners with this very nice Cards. Deff/AVT, Tricket/DOM, Crossfire/M8, just to mention 3 of them. People I trusted. It was a very nice time back then. So many ways to call out. And even different ways. Not only just some cards. And this was just the beginning of my phreaking / hacking time.

6) MCI, "got Zeros?!"
Army time. I remember well, I was in Alpha Flight back then. Marc/AFL called me up and told me about a security hole in MCI's automated dial up (they change from operator to a system where you enter the phone number to call, the option how to bill, and if you want to pay with a calling card, the card number). Marc explained to me what was going wrong at MCI. You had to call up MCI, enter the number you want to call, select calling card for billing and enter: 00000000000000. You get a signal (or error), but that did not matter, you just had to enter: 9999999999. (I can't remember the exact numbers and times you had to enter those. But it was something like this. Just 2 numbers you entered a lot of times. I was thankful for this information and shared this with Vortex. And one day he called me up, told me that he found the new security hole at MCI dialup. This time it was 00000000000000 and 777777777 for the calling card. I tested it and it was working well. This way to call out worked for a long time too. But of course I don't want the credit for this method. :]

7) AT&T, "I just got 3 digits!"
More and more ways to call out. Some systems died, but many new ways to call out for free came along. I can't remember why I did this, what came into my mind to test the following method. Maybe it was the MCI bug that inspired me. I called up the AT&T automated dialup and entered the number I wish to call. Then I entered 673-673-673-673-6. Did not work. Ah well, I tried further combinations. Always three different numbers in a pattern. 874-874-874-8748-874 or 621-621-621-621-61. And one of those worked. Three different numbers for a card with the length of 9 to 13 digits. I coded, with the help of Jihad, a little scanner in basic on my C64 using my discovery modem. It was a scanner, calling the AT&T dial up, entering a number to call (board, which was rarely busy :] ) and scanned using the mentioned technique for a new calling card. When no working card was found, my program gave a command to the modem to disconnect. If a working card was found, the modem was connecting to a board and the program stopped with the new card on my screen. I have found around 30-40 cards with this method. First time I was using hardware (not including blueBox here) to brute force.

8) AT&T, "Hello Lawyer? Meridian Mail here."
A Voice Mail Box System called Meridian Mail I found one day while scanning the toll free numbers. Some MM System let you dial out. But this one did not. But Lawny and I found another way to use it. The system belonged to legal firm in the USA. We quickly found out the phone number to it (which was different of course to our German toll free number). And any extension on it was 4 digits long. You could reach an extension if you called: "617-322-extension (4 digits). Now we knew the number to each extension. Some time before I was already able to hack into this system, meaning I was able to access extensions, listen to msg, set up greetings and so on. What really was interesting was that we were now able to know the names behind each extension. Because if you wanted to call up an extension (internal calls were allowed) or want to send a message to another extension, the name of the person was played. We had all the info (name and phone number) and we made internal calls and again we were the famous AT&T Operators. Calling a male we told the victim a Miss is calling, and vice versa. And luckily the legal firm rarely blocked collect calls to the extensions. The success-rate therefore was rather high to get calling cards. Same method using as in 1) or 2). Calling call -> Can't Connect -> May use a card. What was interesting and somehow funny was the fact that we social engineered the US "elite": Lawyers. :]

Oh yes. A lot of ways to obtain calling cards. But CC was not the only method to call out for free. In the time I was active I also found several PBXs with a weak security (4 digits and even less) which give us the ability to call even internationally. Some allowed us to set up conferences. And of course we took this offer and made some funny conferences with people from the scene. If you don't know what a PBX is, just do a quick search. :] I won't go any deeper here because it's not so interesting to explain how to hack one. Just some words: you scan toll free numbers, if you get a dial tone, you just test some numbers and find out how long the PIN is. If after 2 digits you get an error, the PIN might be 2 digits long. And so on. I have to say, I never liked PBX that much. It was too much of brute force without much skill required. Some of the PBX lasted a long time once hacked though.

Voice Mail System [VMB]

9) VMB, "Hang up!" and other interesting stuff.
It was another day of scanning when I found a VMB system that was unknown to me. At this point I found a little trick to call out from some VMBs. It was a really weak thing and only good for setting up conferences but rarely worked. One way to abuse a VMB was: you called the VMB, pressed "0" (some VMBs let you connect to an operator then. Other systems used a different digit or way to let you connect to the operator). When the operator asked you what he could do for you, you said: "I am Peter Parker, Extension 767 (the person existed in that company. I found out the name by sending a MSG or internally calling people and writing down the names and ext.). I can't call out at the moment. Can you please dial: "234-456-7890". It sometimes worked. Another way to use a VMB and the operator was to act like a customer and ask the operator to connect to extension: "912". Sometime this worked too. Number 9 for most companies was the digit to make a call outside their system. So if the operator connected you to this extension (sometimes at some VMBs you were even able to call "90something" from the main VMB menu, this was another method) you got a local phone operator. You told the OP the number to dial (conference:] ) and to bill it to the number you are calling from. Which was of course the number of the company from the VMB. But back to the topic, the most interesting thing I have found was a bug in a certain VMB system. A company located in the USA. I dialled an extension and someone picked up the phone. I just didn't say anything and the person would hang up. I got a dial tone. I was like: "What the fuck?!". I was able to call overseas (Europe) the conference number (which I can't remember now. But not many dial outs would give you the option to use it). This system worked for a very long time and was always a good way to call out.

MCI, "The art of 3rd party billing"

10) MCI, "I am not at my desk"
Jihad told me about third party billing. In short: you call up the MCI operator and as a billing option you told the operator that a 3rd party is accepting the charges. So we have "me" as the caller, the destination number (board) and the party that takes the bill. The MCI Operator calls the third party number to verify. You were put on hold, so I was never able to listen what the MCI operator was saying to the third Party, but it must be something like this: "Hello, this is your MCI Operator. We have a third party call from Mr. X, do you accept?". Back then it was possible to use your answering machine or VMB extension with a message on it saying "Hello this is MR. X, I am accepting all of my 3rd party calls to my number". So a "real live person" was not needed. That made me and Lawny of course going to hack several answering machines and VMBs extensions and changing the greetings the previous mentioned text. A lot of answering machines had its default remote codes. "0000" "1234" "9999" and so on. It was rather easy to change the greetings text remotely on half of the answering machines we called.

11) MCI, "............... Yes.. I accept......."
But MCI was smart too, they found out that we were abusing this system (there were rumours going around in the scene that we abused this system too much ;] / we spread a lot of third party numbers around in the scene) and at some point they did not accept any verification from tape (answering machine) any longer. We didn't give up, because we were smarter. I think it was my idea. Simple but very efficiency when I said to Lawny: "We just fake a real live person on tape". What we were doing was: We hacked an answering machine as usual, but this time the recording sounded like this:

"Hello?......... Ah.. .................... Yes... I accept the 3rd party call........... bye bye................... ". So, with a well timed recording we were able to fool the MCI operators who really thought a live person would answer the phone and accept the third party billing. This way to call out really worked well for some weeks then MCI decided to forbid any third party calls from Europe to Europe. I have my thoughts why that happened. ;] But calling the US boards was still possible.

12) Sprint, "...... Enjoy the silence....."
Another fine story was the following: bluebox in general did not work well in the mid and late 90s, but the US phone company had a bug. Sometimes, when you called the Sprint number no operator picked up the phone. The line was silent. Out of every 20 calls you had this phenomena. Some people used a trunk (frequency) to break the line. Well, at least they thought they would do that.

Now around 15 years later let me tell you all, that you did not need any trunk. You just dialled the numbers you wanted to call using a bluebox program. This method worked for several weeks and was nice because of its quality lines.