Library phone system hacked
The $15,000 worth of fraudulent international phone calls made on the Duxbury Library phone system are the result of a widely practiced scam, according to long distance carrier
The calls - initially billed to the town of Duxbury - will be removed from the company's bill, according to a Verizon spokesman. "We felt it was the right thing to do to remove the charge," Verizon Boston office spokesman Phil Santoro said Monday. "The town of Duxbury has been a good customer."
With that settled, however, the mystery remains: Who has been calling far off places such as India, the Philippines, and Jordan through the town library's system?
Duxbury selectmen learned about the charges last week when they were asked to approve a funds transfer to pay for the calls. Board of Selectmen chairman Jon Witten said a "significant loophole" in the library's voice mail system allowed an outside party to use a phone system mailbox from which calls out could be made. The calls made by someone hacking into the system included a 24-hour long call made to the Philippines, costing over $7,000.
Town officials notified the federal Homeland Security office because of security concerns, Town Manager Richard MacDonald said Monday, and have also spoken to the FBI.
All phone customers who use the kind of voice mail system on which the fraudulent international phone calls were made should take the case as a warning, Santoro said. "Anybody who uses a PBX system should be paying attention to this."
A PBX box, or Private Branch Exchange device, is a common piece of equipment used by many businesses and government entities to manage phone systems. Hacking into PBX-based systems to make calls on someone else's line is "an all too common scam," Santoro said, because perpetrators know these voice mail systems can be manipulated by outside parties.
Hackers learn which systems have PBX boxes and which manufacturer's device they use, and employ the PBX manufacturer's default password to access the call-out function in order to make international calls on somebody else's bill, Santoro said. Legitimate users such as employees use a password to check messages left on their voice mailbox. The password also allows them to reach the point in the system from which outside calls can be made.
"We are going to attempt to go after the perpetrators," Santoro said. He said it is company policy to investigate fraudulent calls and try to find out who made them.
To protect against such incidents, he said, passwords should be changed frequently, and system owners can have their contractor block international phone calls, or ask Verizon to do so.
Santoro said some systems' employees may not have been trained to change passwords - or even create their own - and the system's owners may not have been told they can have international calls blocked.
A spokesman for the Taunton contractor that 10 years ago installed Duxbury's system - a company called CranCom - could not be reached for comment early this week.
Town officials said they discovered the first fraudulent calls last winter and notified Verizon, which wiped off the charges. But the calls continued, they said, eventually running up a $15,000 bill.
MacDonald said Monday that the town has now taken steps to block international calls from town phones.
Verizon decides on a case-by-case basis whether to grant requests for credits. "We work with customers on finding out what happened and what we need to do to correct it," Santoro said.
Witten, an attorney, said Verizon should have taken the fraudulent calls off the town's bill, investigated the circumstances, and done something to stop them from happening after the company was notified of the first problem calls.
"The town was not asleep at the wheel," he said.
Calls made by phone hackers are analogous to phony credit card charges, Witten said. "When the transaction is obviously fraudulent you have limited liability."
Robert Knox can be contacted at: rc.knox@gmail.com 
