, SecurityFocus 2003-06-25
AT&T said Wednesday that it would forgive all of the outstanding long distance charges that the company had been trying to collect from victims of the notorious "Yes-Yes" voicemail subversion fraud.The announcement follows months of fierce criticism of AT&T by consumer advocates, and the filing of two class-action lawsuits charging the company with unfair business practices. "It's good news for these consumers who have been scared blind by these charges and have developed health problems and stress problems dealing with these things," says Linda Sherry of Consumer Action, a non-profit group that championed the fraud victims. "AT&T dug in their heels for so long."
Last year fraudsters began cracking weak and default PINs on individual and small business voice mail boxes provided by local phone companies, then changing the outgoing messages to say "yes, yes, yes" over and over again. The newly-agreeable voice mail could then be used for third-party billings, with AT&T's voice recognition-based billing verification system -- and even live operators -- easily fooled by the virtual yes men.
The scam left scores of victims holding the bag for thousands of dollars of long distance calls they never made -- typical bills ran between $8,000 and $12,000. AT&T insisted that the victims pay up, arguing that it was the consumer's poor voice mail security that was at fault.
Telephone Turing Test
When pressed, the company sometimes offered to absorb 35% of a fraudulent billing, but pursued collection against consumers that didn't pay the rest. "We held the customer liable because it's the customer's voice mail service," says AT&T spokesman Jim Byrnes. "If they choose not to pay, we eat the expense."
The company announced Wednesday that it's will abandon those collection efforts against consumers who "resolve disputed charges with appropriate documents and agree to cooperate with AT&T in efforts to recover damages against any parties liable as a result of the fraudulent long-distance calling," according to a statement.
"It comes as fabulous news to me," says San Francisco travel agent Maureen Claridge. Claridge was billed for $8,000 for 36 hours of phone calls made from Saudi Arabia after her voice mail was cracked last November. Claridge refused to pay, and was served with legal notice from AT&T last week. "They served me last Tuesday... This is incredible," she says.
AT&T says the amnesty offer only applies to past victims of this particular type of fraud -- the company counts less than 250 among its own customers.
To combat the scam, the AT&T recently added a Turing test to its billing verification process: to accept a third-party billing now, a customer must prove to AT&T's computer that he or she is human by repeating a randomly-chosen number, the company says. AT&T claims the measure has all but eliminated the Yes-Yes fraud on their network. "We're confident that we have implemented these measure to handle this fraud adequately," says Byrnes, who nevertheless advises consumers to secure their voice mail. "We're urging customers to remain vigilant to safeguard their systems."