There’s a fascinating story today on Wired News about a new phone-phreak hack. Basically, it works like this:

Hackers locate someone who uses SBC voice-mail, but who’s never changed his or her password from the basic default. Since default passwords are in a regularized format and easily guessed, the hackers can pretty easily break into their victim’s voice mail. Then they change the outgoing message to say something like “yes, yes, I accept all long distance charges, yes, yes”, with a few pauses in the middle.

Then the hackers place a long-distance call using AT&T’s long-distance service. AT&T offers you the option of billing a long-distance call to a third party — so long as that party answers the phone and agrees to accept the charges. And here’s the catch: The AT&T system runs automatically, using voice-recognition software. So if a hacker places a call to Khazakstan, and gives the victim’s number as the place to bill the call to, AT&T’s little A.I. ‘bot dutifully calls up the victim’s number to check to see if they’ll accept the charges. All it’s doing is listening to make sure whoever picks up the phone says “yes”. And bingo: Since the hackers have changed the voice mail to say “yes, yes, I accept all long-distance charges”, the A.I. ‘bot is fooled.

Wired found one woman who got dinged for a stratospheric $12,000 in long-distance. But AT&T won’t let her get off. They reduced it to $8,000, but no more. And dig this:

“In the process of fighting this, I spoke to numerous people at AT&T and SBC. Not one sounded surprised when I told them about this scam,” Runyon said. “I got the distinct impression that this scam is widespread and new victims are being exploited daily.”

So AT&T knows about this, but still hasn’t changed its incredibly dumb A.I. system. That’s pretty remarkable — because it wouldn’t be that hard to do.

This is, after all, merely a reversal of the Turing Test. The original Turing Test was about whether a human could detect that a machine was a machine. In this case, the machine ought to be trying to detect whether it’s talking to an actual, live human. Plenty of other companies have begun tackling this challenge. As I’ve written about in the past for Wired, Yahoo has implemented a very cool reverse Turing Test — a test to prove whether the human is really human. And when I posted a while back about mobile-phone design, Franco wrote a comment that suggested an incredibly elegant reverse Turing Test that could be implemented over the phone:

You get a recording that asks you to pass some simple test, like dial a specific 2 digit number. However, the test is read by a stuttering drunk.

AT&T could easily do the same thing. Their ‘bot could ask the question “do you accept these third-party long-distance charges” — and then could get the person on the line to prove they’re actually human, by asking a simple, random arithmetic question or something.

Not that anyone from AT&T is actually reading this blog, but if you are — people, wake up! This stuff isn’t hard to do. Thus, the fact that you’re not doing it makes people suspicious that you just don’t care about preventing fraud, so long as you can pass the buck.