Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Pay-phone hacking nostalgia

2,179 views
Skip to first unread message

com...@silver.bacs.indiana.edu

unread,
Jun 13, 1989, 11:17:00 AM6/13/89
to


In article <36...@tank.uchicago.edu>, ba...@arthur.uchicago.edu writes:
> A friend recently showed me a "technique" for making free phone
> calls from a payphone... <description of grounding the microphone>

} <excellent details from Larry Lippmann>

During my highschool days it was possible to get a dial tone on a pay
phone by peeling a spot of insulation from the handset cord and
touching the bared wire to the phone's keyhole. Handset cords weren't
armored then, nor were the handset caps screwed on by King Kong. I
hadn't heard of the method of grounding the microphone by piercing the
diaphragm, but even back then there were special pay-phone mikes which
had louvered hard-metal covers so that a sharp object stuck through a
hole in the mouthpiece grille would not damage the mike.

A kid who lived near a telephone exchange used to dive their dumpster
regularly. He recovered enough stuff to build his own neighborhood
phone system. His best find was a coin mechanism from an old-style
pay phone. Coins rolled down a ramp, then took different paths
according to size and velocity. A magnet trapped steel slugs.
Nickels and dimes hit cup-shaped bells, quarters hit a coiled-spring
gong similar to a Seth-Thomas clock chime. There were two contact-
microphones on the mechanism.

Long-distance operators listened to the sounds and counted the money.
My friend found that the coin/bell mechanism would make the desired
sound effects when held near the mouthpiece. (It still cost 10 cents
to activate the phone initially.)

I once worked at a YMCA camp where the only phone was a pay unit. We
discovered that a large pot from the kitchen made acceptable
"quarter" sounds when struck. One guy made a long-distance call and
"paid" for it by banging on the pot; after "depositing" the required
amount, he continued to strike the pot. When the operator told him
"That's enough money," he replied, "You've been such a good operator,
I'm giving you a tip."
"No! Stop! They don't give it to me!!" she said.

Depositing coins in modern pay-phones triggers electronic tones, which
supposedly can be faked with a simple device. "Phone Phreaking" was
popular in the '70s but seems to have become passe. TPC (The Phone
Company) prominently published claims of sophisticated countermeasures.

Another kid-type phone hack which a friend from Chicago says they used
do at O'Hare Airport: Put raw egg-white in the coin return, then
observe from a distance-- Along comes Mr. Spiff businessman and makes
a credit-card call, after which his coin is returned. He reaches for
the coin, contacts nasty goo, goes "YUCK!!" and _leaves the money_!
It doesn't work anymore, with electronic credit-card readers and
phones which require no initial coin.

--

Frank Reid W9MKV @ K9IU re...@gold.bacs.indiana.edu
{inuxc,rutgers,uunet!uiucdcs,pur-ee}!iuvax!silver!commgrp

Tim Kuehn

unread,
Jun 14, 1989, 12:00:00 AM6/14/89
to
In article <7200036@silver> com...@silver.bacs.indiana.edu writes:

....details over various phone-phreaking exploits and measures deleted...

>{inuxc,rutgers,uunet!uiucdcs,pur-ee}!iuvax!silver!commgrp

Then there's the recent news story - apparently a pay phone at a New York
airport wouldn't charge you for long distance calls out of the country
(Seems there was an error in the charging software or something.) A good
number of people were making using of this "free" facility to call their
parents, relatives, etc. back home and talk - often for hours at a time.
It was only discovered when someone was assaulted and on the way to the
hospital when the police asked him what he was doing there at that time
of the night (around 1 am) that it was found out.

Apparently this had been going on for a number of months!

+-----------------------------------------------------------------------------+
|Timothy D. Kuehn timk@egvideo |
|TDK Consulting Services !watmath!egvideo!timk |
|871 Victoria St. North, Suite 217A |
|Kitchener, Ontario, Canada N2B 3S4 (519)-741-3623 |
+-----------------------------------------------------------------------------+

Larry Lippman

unread,
Jun 14, 1989, 10:15:35 PM6/14/89
to
In article <7200036@silver>, com...@silver.bacs.indiana.edu writes:
> Depositing coins in modern pay-phones triggers electronic tones, which
> supposedly can be faked with a simple device.

In a single-slot coin telephone such as a 1C-type, when coins
are deposited, contacts from the "totalizer" cause the coin signal
oscillator to generate dual-tone signals corresponding to the value of
the deposited coins. A nickel is one beep, a dime is two beeps at a
rate between 5 and 8 pps, and a quarter is five beeps at a rate of
between 12 and 17 pps.

These coin signal tones may be detected by an appropriate receiver
in the central office coin control trunk apparatus. The tones are also
designed for aural identification by an operator.

However, during the interval that the coin signal tones are
generated, the speech network of the coin telephone is effectively
shorted out by a relay contact from the totalizer. What this means
is that an _experienced_ operator can ascertain if there is background
station noise (from the handset transmitter) during the totalizer
coin signal readout. While it may be possible to perpetrate fraud
using a hand-held coin signal tone simulator held close to the handset
transmitter, this act is not without risk of detection since it may
still sound _different_ to an operator.

> Another kid-type phone hack which a friend from Chicago says they used
> do at O'Hare Airport: Put raw egg-white in the coin return, then
> observe from a distance-- Along comes Mr. Spiff businessman and makes
> a credit-card call, after which his coin is returned. He reaches for
> the coin, contacts nasty goo, goes "YUCK!!" and _leaves the money_!
> It doesn't work anymore, with electronic credit-card readers and
> phones which require no initial coin.

A lot of things don't work any more. In the older multi-slot
coin telephones, using a special "tool" inserted from the coin return
holder, it was possible to "stuff" the coin chute with cloth such that
all returned coins were blocked. The perpetrator would stuff a coin
telephone early in the morning, and then return at night to remove the
stuffing and reap the fruits of his labor. :-)

To sweeten the pot, the perpetrator might also cut a wire in the
handset such that a victim making a call would NEVER have a chance to
actually dial a call that would complete and collect the coin. During the
day, the coin chute would fill with coins ready to be returned since the
central office apparatus would consider all of the call attempts as being
abandoned.

There was even a more sophisticated scam which could easily be
perpetrated in larger cities, such as New York, and which carried little
risk of detection since the time spent in the target telephone booth
was only a matter of seconds.

In order to understand how this scam worked, it is necessary that
I explain a few things about a coin telephone. First, the coin release
lever ONLY works for rejected coins which get stuck in the coin chute
mechanism; i.e., a "valid" nickel, dime or quarter passes through the
coin chute, is identified, operates the totalizer contacts, and comes
to rest in the coin "hopper", which is above the coin collect/refund
relay. Once a coin passes to the hopper, it is held in limbo pending
operation of the central office apparatus to either refund the coin,
in which case it will come to rest in the coin return holder, or to
collect the coin, in which case it will drop into the "bank" secured
by the lower housing.

What this means is that a valid coin deposit in a coin telephone
whose central office pair is disconnected canNOT be returned to the
user, no matter what. Operating the coin return lever in this case has
no effect. The only way to return that coin(s) is to place -130 volts
DC between the tip side of the telephone line and ground, which will
operate the coin relay to a refund position.

So, what a somewhat sophisticated perpetrator would do is target
a coin telephone, identify the location of its pair at a cross-connect
box some distance away (not that difficult, especially for an ex-telco
employee), and lift the pair from the terminals. This effectively
disconnects the coin telephone. So, all during the day, victims will
go to the target coin telephone, deposit a dime, get no dial tone,
hang up in disgust, and then get pissed off when they don't get their
dime back. However, human nature being what it is, for a dime, almost
no one will ever report the target telephone as being out of service.

So, during the day, the coin hopper will fill with dimes, possibly
accumulating several dollars worth at a "good" location.

At night, the perpetrator will return to the cross box and restore
the central office pair connection. As soon as this is done, the central
office apparatus will detect ground on the line as caused by coins operating
the hopper "trigger" switch, and assume that it is an abandoned call. The
connected coin control trunk will then send the -130 volts across tip and
ground to refund all of the coins in the coin hopper - which the perpetrator
can scoop up in a matter of seconds. The central office coin control trunk
has no idea that it is refunding more than one dime, and frankly could care
less - it is doing the same job it would do if someone deposited one dime
and hung up without ever dialing.

The advantage of the above scam is that no damage is caused to the
coin telephone, and that discovery is unlikely since even if trouble were
reported, it is extremely improbable that a craftsperson would visit the
subject telephone that same day. A prudent perpetrator will "rotate"
their telephones so that the same telephone may only be hit one or two days
per month. When a craftsperson does visit the offending telephone, they
will find nothing wrong and will label the trouble ticket with the most
common of all dispositions: NTF (No Trouble Found), and no one will be
the wiser.

Of course, the above only works on pre-pay coin telephones, which
are virtually non-existant today except in some rural areas and in a few
areas served by smaller independent telephone companies. I have freely
posted the above information on the assumption that it can no longer be
used to perpetrate any crime; I sure will be embarassed if someone proves
my assumption wrong. :-)

<> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp.
<> UUCP {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry
<> TEL 716/688-1231 | 716/773-1700 {hplabs|utzoo|uunet}!/ \uniquex!larry
<> FAX 716/741-9635 | 716/773-2488 "Have you hugged your cat today?"

0 new messages