Index Home About Blog
From: David Lesher <>
Subject: Re: Detecting Blue Box Toll Fraud 
Date: Wed, 9 May 90 19:45:33 EDT
Reply-To: David Lesher <>

Larry Lippman mentioned:

>Only in comparatively few instances was it
>necessary to actually scan subscriber lines and/or interoffice trunks
>for the presence of subscribed-furnished SF and/or MF tones.  Tone
>detection apparatus was generally used to gather corroborating
>evidence for a prosecution when the identity of a suspect subscriber
>was already known.

I do have knowledge of one such device. A friend, who worked for
Mother in a mundane dept, once had a security type come to his
office/lab. He had a mini-box in hand.  {My asides in [] al_la PT.}

Security Type		It's broke, and Joe at the Main [CO]
			thought you could fix it.

EE Friend		What's it supposed to do?

ST			Can't tell you--it's classified [SURE]

EE			How do you expect me to...never mind,
			let's see it.

Looking inside, he saw three 88mh cores, caps, several transistors,
and a relay output. EE soon figures out the relay driver Q is dead and
replaces it. He thought for a minute, then turned on an audio
generator, and fed 2600 into the box. The relay closes.

ST			Hey, what are you doing, you can't use
			that note....

EE			It works, are you happy?

ST			This stuff is SECRET...You better not
			say anything...

EE			Tell Joe I said hello.....

A host is a host from coast to 
& no one will talk to a host that's close............(305) 255-RTFM
Unless the host (that isn't close)......................pob 570-335
is busy, hung or dead....................................33257-0335

Reply-To: John Higdon <>
Subject: Re: Detecting Blue Box Toll Fraud
Date: 7 May 90 11:48:05 PDT (Mon)
From: John Higdon <>

Larry Lippman <kitty!> writes:

>  	How was the identity of offending subscribers ascertained?  By
> looking for anomalies of the nature mentioned by the Moderator,
> including but by no means limited to: unusually long and frequent DA
> calls; unusually long toll call "attempts" where no answer supervision
> was ever returned; toll calls of a comparatively short distance where
> answer supervision was unusually delayed; 800 calls with anomalies in
> answer supervision; etc.

Quite right. This is why no phreak with any brains would ever use his
own phone, a phone served from an ESS office, DA as the dialed call,
or his blue box repeatedly from the same phone. Originally, DA did not
supervise and one of the "gotchas" was when a DA call showed up as
supervised on the AMA tapes. Also, it was suspected that a completed
call to a non-working 800 number would sound the alarm.

A favorite of blueboxers was a tandem on the east coast that, while
difficult to route through, would not pass supervision. This would
allow mean-spirited people to call a number (through this tandem) and
hold it up indefinately.

> 	What many Blue Box toll fraud perpetrators failed to realize
> was that in an ESS office the toll accounting software always knew
> that the subscriber was connected to a toll trunk, and only three
> conditions could exist: (1) answer supervision was returned and the
> subscriber was getting billed for the call, which was just fine and
> dandy; or (2) there was *no* answer supervision and the call was
> taking much longer than "normal"; (3) answer supervision occurred,
> dropped, and occurred *again* - which is real suspicious.

Many perpetrators did, indeed, know this, but there were other reasons
that ESS offices were generally avoided. One was the fact that ESS
recognizes supervision much faster than SXS or Crossbar. Some of the
distant tandems returned a somewhat protracted wink and that would be
enough to convince the originating office that a call had supervised.
The hapless toll cheat would "blow off" the 800 call, only to find
himself listening to dial tone twelve seconds later.

For a number of years, Los Gatos was the cheaters paradise. The
directorized SXS would send local calls outside of Los Gatos through
the San Jose local tandem. However, its release time was much greater
than the release time of the tandem, so it was only necessary to flash
the hookswitch after dialing a local call. You would hear a "ka-plunk
klunk" and then silence. At that point, standard MF signaling would
send you anywhere on the planet Earth. Since these were local trunks,
and were for "internal" telco use, there was no ticketing. No SF was
required to drop the call, which was a major plus for perpetrators who
were convinced at the time that a primary method for trapping
blueboxers was 2600 Hz detectors.

        John Higdon         |   P. O. Box 7648   |   +1 408 723 1395     | San Jose, CA 95150 |       M o o !

Index Home About Blog