The LOD/H Technical Journal, Issue #3: File 03 of 11

$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$
L                                                   L
O           AUTOMATIC MESSAGE ACCOUNTING            O
D                                                   D
$                       (AMA)                       $
L                                                   L
O                    An overview                    O
D                                                   D
$            Written by Phantom Phreaker            $
L                                                   L
O                  Legion Of Doom!                  O
D                                                   D
$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$

The standard AT&T toll office switch, the No. 4 ESS, is also equipped to handle CAMA if necessary. The CAMA procedure is as follows: call data for the CAMA call is kept in a buffer (technically called an Accounting Block (AB)), which then stores the entry on a nine-track, 800-bpi (bits per inch) AMA tape (note: the information used in research for this part of the article was rather old, so the bits per inch has probably increased). The data that are kept in this buffer and put on the tape are as follows: the calling DN, the called DN, answer and disconnect times accurate to 0.1 second, and other misc. information.

The caller's DN can be entered into the 4ESS in two ways, ANI or ONI. ANI is of course the normal method for identifying a caller's DN for billing purposes. ONI is used when there is an ANIF, or when it is otherwise needed (the other equipment cannot get the DN with ANI). When the 4E gets an ANIF or an ONI-needed condition, it sends the call to a TSPS operator, who should ask the caller for their number.

When an operator gets an ONI situation 'from' a 4E, she uses two types of trunks, a talking trunk and a keying trunk. The talking trunk is what the subscriber comes in on and is the line over which the operator asks for the caller's DN. The keying trunk originates at the 4E and terminates at TSPS, and is what is used to send the caller's DN (in MF) to the 4ESS office. The operator has access to both trunks at the same time, so she can enter the number in a quick and orderly fashion.

When a line classification does not fit into the 'one information digit' (KP+I+NNX+XXXX+ST) category, two information digits are used. When two are used, they are called screening codes.
Screening codes are outpulsed along with the ANI for certain types of telephone lines, and when ANI is being sent to an alternate carrier via 'Equal Access' (Feature Group D, 1+ dialing). These screening codes are two digits and precede the subscriber's DN. An example of screening code outpulsing is as follows:

    KP+II+NNX+XXXX+ST

The II represents the two information digits that precede the caller's number. Some of the more common screening codes are as follows:

    KP+00+NXX+XXXX+ST   Normal telephone call, identified POTS line
    KP+01+NXX+XXXX+ST   ONI needed on a multiparty line
    KP+02+NXX+XXXX+ST   ONI needed due to ANI Failure
    KP+07+NXX+XXXX+ST   Hospital, inmate type telephone
    KP+08+NXX+XXXX+ST   Line restricted from dialing inter-LATA
    KP+10+NNX+XXXX+ST   Telco test call
    KP+20+NNX+XXXX+ST   Automatic Identified Outward Dialing centrex call
    KP+27+NNX+XXXX+ST   Coin telephone call

These double-digit outpulsing formats are used in Equal Access areas, and a similar method of outpulsing is used when customers deal with TSPS operators. For more information, see the July, 1987 issue of 2600 Magazine, an article entitled 'How phreaks are caught'.

AMARC
-----

The AMARC, or Automatic Message Accounting Recording Center, is a fairly modern development toward recording billing information. It offers the telco several advantages over the older electromechanical setups, such as increased revenue (always a plus in their eyes), reduced RAO processing costs, a new computerized format that stores data on 1600 bpi, industry compatible magnetic tape, elimination of loss due to paper tapes being destroyed, and elimination of per-office paper tape pickup and delivery.

THE NO. 1 AMARC
---------------

The first version of the AMARC was the No. 1 AMARC, which received billing data on a real-time basis over dedicated data links. It was based on two DEC PDP-11/40 minicomputers. The No. 1 AMARC controls and receives data from a maximum of thirty dedicated channels.
A channel consisted of a dedicated line (probably a Private Line service) equipped with a 202T data set, operating asynchronously at 1.2 kbps. The No. 1 AMARC had a feature which allowed it to call, over the DDD network, a backup channel in case one of the normal channels experienced a failure. This backup channel could be reached by anyone who had the phone number. It has not been determined by the author if there was/is any security on these backup channels.

THE NO. 1A AMARC
----------------

Eventually, it was decided that more data channels were needed, and that the AMARC computer could be centralized, rather than clustered in administrative centers, as was the procedure. The No. 1A AMARC fulfilled the telco's needs. The No. 1A AMARC uses a higher capacity minicomputer, the DEC PDP-11/70, and Western Electric peripheral equipment to provide ninety input channels, improved maintenance capabilities, and room for growth in several areas. The first No. 1A AMARC began operation in 1981 in the Chicago area.

An important feature common to both the No. 1 and No. 1A AMARC was the ability to receive billing information electronically over dedicated lines from central office switches. Equipment located in central offices, called sensors, sends this data. There are different types of sensors for different types of switching equipment, but the most common AMARC sensors shall be listed here.

The Call Data Transmitter (CDT). The newest AMARC sensor. The CDT is a microprocessor-based system which is used to collect data from No. 5 crossbar offices. It is designed to be used in systems that do not have LAMA-A and do not have enough traffic to warrant the expense of installing the No. 5 ETS. It can be used with other sensors, and is not the only kind used in No. 5 crossbars. The first one was cut over in Illinois in 1980.

The Call Data Accumulator (CDA). Similar to the CDT, but uses wired logic control. The CDA, which collects AMA information from SxS switches, was the first sensor to be made for use with the AMARC. This sensor is connected to the ring, tip, and sleeve leads in a SxS switch, probably at the MDF. The first CDA was cut over into service in New York in 1975.

The Billing Data Transmitter (BDT). Used in electromechanical offices, such as the Nos. 1, 5, 4, and 4A Crossbar, SxS CAMA, and the Crossbar Tandem (XBT). The BDT replaced up to 10 paper tape perforators that were previously used, and provides a newer alternative to LAMA-A. The BDT receives billing data from the older LAMA-A paper tape recorder circuits and sends it to the AMARC. The first BDT was cut over in New York in 1976.

The No. 5 Electronic Translator System (ETS). The No. 5 ETS was added to No. 5 Crossbar systems to provide some electronic switching functions that were not present before. These functions are things such as line, trunk, and routing translations provided by software methods rather than wired cross connections. The No. 5 ETS consists of duplicated Western Electric 3A auxiliary processors with associated scanners and distributors. The first No. 5 ETS was installed in Ohio in 1977.

VIDAR, a special sensor used in Crossbar No. 1 offices. VIDAR does not interface with the AMARC but instead sends data to its own tape. This tape is then sent to the RAO on a regular basis.

These various sensors are specially designed electronic units which are part of or connected to class 5 offices. These sensors collect and generate billing data from the office they are used with. The billing data consist of answer and disconnect times, call type, and the amount of measured local and toll calls made.

Some offices have added sensors, but exceptions include several ESS systems which use SPC (Stored Program Control) to send data to the AMARC. SPC means that the sensor is built into the switch software and that no other equipment is needed. An example of this is the NTI DMS-100 switch. Nos. 2, 2B, 3, 3B, and No. 5 ESS also do not have special AMARC sensors, but send data to the AMARC over a synchronous connection via a SPUC/DL (Serial Peripheral Unit Controller/Data Link) at speeds of 2.4 and 4.8 kbps. There is another part in the 2B ESS AMARC data link, called the AMARC Protocol Converter (APC). The APC is a medium between the SPUC/DL and the AMARC.

The No. 4 ESS, TSPS, 1ESS, 1AESS, and 2ESS switches don't have AMARC sensors, and aren't even connected to the AMARC. These switches all have their own AMA systems, from which the data is sent to the RAO regularly. Another exception is the DMS-10 Remote Switch, which is connected to a device at the RAO called a collector.

There are other options possible when dealing with AMA collection, such as the Distributed Call Measurement System (DCMS) made by a telco equipment vendor, which acts like a mini-AMARC, and Northern Telecom's Distributed Processing Peripheral system, which is used to collect billing data from NTI's DMS switches. These systems can be used where applicable.

RECENT DEVELOPMENTS
-------------------

In places where magnetic tape has been phased out, a new method of storing the AMA data called AMA TeleProcessing Systems (AMATPS) has been implemented. AMATPS overcomes the disadvantages of magnetic tape (such as the sequential way the data is recorded, the high-density data losses that may happen, and the sometimes unseen problems with the tape unit) by using random access disk drives. AMATPS also adds some new system parts which can make the job easier. Still, some AMATPS are not used to their full capability and can still present problems to the telco.

One of the parts that AMATPS adds to the overall AMACS is the use of AMA Transmitters (AMATs). These transmitters are added to the sensors, and increase the power of the overall setup by providing things such as temporary storage areas and programming applications.
AMATs are generally PC-sized machines with two disk drives and 50-150 megabyte hard disks. The second important addition is the collector. The collector acts like the AMARC by polling the AMATs over data links. The collector, like the AMARC, is a centrally located computer system, usually running on an IBM Series 1, an HP-1000, or an AT&T 3B5. Teleprocessing systems are made to understand a common AMA language format made by Bellcore, the Bellcore AMA Format and Extended Bellcore AMA Format. These were mentioned in part A of this article.

BOC/AT&T INTERACTION
--------------------

Since the majority of people are served by AT&T, one may wonder how inter-LATA call data gets to the given Inter-LATA Carrier (IC), in this case AT&T. AT&T has its own AMA collection system, which is called BILDATS (BILling DATa System), and this is what collects the AT&T data. I would guess that each AT&T toll office has some sort of interface with this computer system, but I have no solid proof of this. It has also been suggested to me by a reliable source that AT&T sends each BOC its own magnetic tapes, which the BOCs then fill with AT&T's billing information. I am not sure which of these methods is used.

The BOC billing information takes a different route, however. On a regular basis (I believe each day), AMARC tapes are sent to the Regional Accounting Office (RAO) or billing office, where each customer's intra-LATA traffic is calculated and their telephone bill printed and mailed. The customer then receives the bill and goes about whatever method of payment he chooses. Telephone bills can usually be paid in person in many different places in large cities, or they can be mailed in directly if the customer wishes. In my area, the customer pays once, which is a total of his AT&T and BOC bill. This is payable to the BOC, and AT&T then gets their payment from the BOC.
In the case of independent carriers such as US Sprint, MCI, ALC Communications, and the like, I cannot say for sure what they all do, as there seems to be no standard procedure for this interaction, but in two instances, two specific RBOCs (US West and BellSouth) handle FG-D Equal Access style billing for MCI throughout their serving areas. There is a computer system involved in this alternate carrier billing cycle, called the Carrier Access Billing System (CABS). This system calculates the prices based on tariffs in use, and bills the carriers on a monthly basis accordingly. I am not sure how widespread the use of this system is, though. When the customer receives his MCI bill along with his BOC bill he can pay them both at once. I would imagine that the larger long distance services would be able to afford getting this service from the RBOCs, while the smaller ones with less money would do it by themselves, which would probably be a slow, drawn out process. In some cases, dialing via an alternate carrier (other than your primary one) will cause the billing cycle to take anywhere up to three months to complete, or even more.

Another interesting note about alternate carrier dialing: some carriers do not start billing until a specific amount of time has elapsed. This is known as buffer-zone billing. I know of one company that uses a 45 second buffer zone, but I am not sure what the other companies use. You can find this information out by talking to a customer service department; however, some companies' CS departments either don't know, or they do not wish to tell the customer (or 'potential' customer). With buffer zone billing (assume 45 seconds in this case), you will be billed for the call if you let the phone ring, listen to a busy signal, etc., if the duration of the call is greater than or equal to 45 seconds.
Many of the ICs that use this type of billing do not have the equipment to detect answer supervision, so if you can keep a conversation very short, you may get away with a free call, without breaking any laws.

CALL CREDITING
--------------

When you receive credit for improperly placed long distance calls from an operator or a telco business office (after you receive your phone bill), certain things happen. Operator crediting involves the operator entering a special flag on an AMA tape to deduct the specific amount of the given charge from the subscriber's telephone number. I believe that this process involves (with AT&T TSPS) the KP TRBL key, and (with NTI's TOPS) the KP TRBL and the CHG ADJ (charge adjust) keys.

Business office crediting happens when you call the business office and talk to a BOC 'service representative'. This person will then enter your telephone number into a terminal, using the DOE (Direct Order Entry) system, which is in use in my area. The billing record information comes from a computer called CRIS (Customer Record Information System), which is accessed by BOSS (Billing and Order Support System). BOSS has a link to computer systems at the RAO, as this is how the customer's toll data gets to the business office. A service representative can then pull up your toll charges and correct them with appropriate credit entries.

SECURITY (EVERYONE READ THIS PART)
----------------------------------

There have been several rumors going around about AMA and its relation to people who commit toll fraud, and I will attempt to clarify these rumors. It is possible that a billing tape could be used to try to find out who called a certain number at a given time.
Another way AMA tapes/disks could be used as a record of someone committing toll fraud would be if this person happened to be under a newer switch, such as the DMS-100, and they attempted to use a blue box without knowing the dangers of it (I will speak only on the DMS-100 because when an older switching system is replaced with a new one, the most common replacements are the AT&T No. 5 ESS and the Northern Telecom DMS-100 Family of switching systems). The DMS-100 does indeed have the capability to record a blue boxer's MF tones in an AMA record if the boxer doesn't know what he is doing. 1AESS also has blue box detection features. I am not sure about other switching systems, but I would guess that most of the newer switches have some sort of blue box fraud detection features; of course, the end user of these switches (the telco) does not have to use them. However, it is difficult to find out if your CO uses anything of this nature unless you are a good social engineer or have access in some way to the switch or switch output messages and know what to look for.

For instance, on the Northern Telecom DMS-100 switching system, there is a series of reports known as BLUEBOX reports which (if in use) will inform the telco of blue boxing activity. The DMS-100 also has AMA options that can detect certain forms of electronic toll fraud, such as black and blue boxing. These options can be set any way the telco wants. These AMA options can be printed on a DMS-100 switching system, onto hardcopy terminals, or onto a data channel which may send the Output Messages (OMs) to a telco computer system such as the Switching Control Center System (SCCS). These options are printed in an AMA118 OM at midnight. If an AMA option is in use by that particular switching system, after the name of the option will be a data field that says ACTIVE. If the option is not in use, the field will say INACTIVE. An example of an AMA118 OM is reproduced here.
    AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
      AUDIT: ACTIVE          CALL-FWD: ACTIVE       CDAR: INACTIVE
      CHG411: ACTIVE         CHG555: ACTIVE         COIN: INACTIVE
      DA411: ACTIVE          ENFIA-B-C: INACTIVE    FREECALL: INACTIVE
      HIGHREV: INACTIVE      INWATS: ACTIVE         LNID: INACTIVE
      LOGAMA: INACTIVE       LOGOPT: ACTIVE         LONGCALL: ACTIVE
      LUSORIG: INACTIVE      LUSTERM: INACTIVE      OBSERVED: INACTIVE
      OCCOVFL: ACTIVE        OCCTERM: ACTIVE        OUTWATS: ACTIVE
      OVERFLOW: ACTIVE       SST: ACTIVE            TIMECHANGE: ACTIVE
      TRACER: ACTIVE         TRKID: INACTIVE        TWC: INACTIVE
      UNANS-LOCAL: INACTIVE  UNANS-TOLL: ACTIVE

The most important ones for phreaks to know about are INWATS, LONGCALL, SST, UNANS-LOCAL, and UNANS-TOLL. INWATS means that calls to 800 numbers are noted in an AMA record. As far as I know, this option is a required one, at least since Bulk Change Supplement 23 (BCS23). LONGCALL will flag long calls in an AMA record. So if it seems to the switch that someone has been on the phone for a long time, this will be logged. A possible use for this would be to detect trouble conditions. This option, used in past switching systems, may have been the cause of many blue box busts. Someone would box for several hours using the same number (for instance, Directory Assistance) and this may have been noted by the switch.

Another way I think old time boxers may have been nailed is from boxing off of DA. As you can see in the above listing, there are several options that probably make AMA entries for calls to DA. If a call to DA lasts longer than a certain amount of time, the telco could possibly detect this and attach a monitoring device to the suspected person's telephone line.

The AMA option 'SST' may also be responsible for blue box busts in the recent past. SST stands for Short Supervisory Transition, and an SST is known to the phreak world as a wink. SSTs are generated when a blue boxer seizes a trunk. The switch can detect these and log them in an AMA record if the option is set to ACTIVE.
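A telco audit script that reads an AMA118 printout like the one above and reports which of the fraud-detection options discussed here are left INACTIVE, as an added example that is not from the article or from Northern Telecom; the header layout it expects and the set of options it treats as fraud-relevant are assumptions.

```python
"""Parse a DMS-100 AMA118 (AMA-OPTIONS) output message and audit the
options the article singles out as relevant to toll-fraud detection.

Added example, not part of the original article. The only format
assumption is the one visible in the listing above: a header line
"AMA118 <MMMDD> <hh:mm:ss> <seq> <severity> AMA-OPTIONS" followed by
"NAME: ACTIVE|INACTIVE" pairs laid out in columns."""
import re
from dataclasses import dataclass, field

# Options the article names as the ones to watch, plus ENFIA-B-C, which it
# also discusses. Treating exactly this set as fraud-relevant is an assumption.
FRAUD_RELEVANT = ("INWATS", "LONGCALL", "SST", "UNANS-LOCAL",
                  "UNANS-TOLL", "ENFIA-B-C")

HEADER_RE = re.compile(
    r"^AMA118\s+(?P<date>[A-Z]{3}\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<seq>\d+)\s+(?P<sev>[A-Z]+)\s+AMA-OPTIONS\b")
OPTION_RE = re.compile(r"([A-Z0-9][A-Z0-9-]*):\s*(ACTIVE|INACTIVE)\b")


@dataclass
class Ama118:
    date: str
    time: str
    seq: int
    severity: str
    options: dict = field(default_factory=dict)   # name -> True if ACTIVE


def parse_ama118(text: str) -> Ama118:
    """Parse one AMA118 printout. Column layout and line wrapping differ
    between terminals, so whitespace is normalised before matching."""
    flat = " ".join(text.split())
    m = HEADER_RE.match(flat)
    if m is None:
        raise ValueError("not an AMA118 AMA-OPTIONS message")
    msg = Ama118(m["date"], m["time"], int(m["seq"]), m["sev"])
    for name, state in OPTION_RE.findall(flat[m.end():]):
        if name in msg.options:                  # merged or repeated printout
            raise ValueError(f"option {name} listed twice")
        msg.options[name] = (state == "ACTIVE")
    if not msg.options:
        raise ValueError("AMA118 message carries no options")
    return msg


def inactive_fraud_options(msg: Ama118) -> list[str]:
    """Fraud-relevant options that are INACTIVE or missing from the audit."""
    return [n for n in FRAUD_RELEVANT if not msg.options.get(n, False)]


# The AMA118 listing reproduced in the article (copied, not constructed).
SAMPLE = """AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
  AUDIT: ACTIVE      CALL-FWD: ACTIVE     CDAR: INACTIVE
  CHG411: ACTIVE     CHG555: ACTIVE       COIN: INACTIVE
  DA411: ACTIVE      ENFIA-B-C: INACTIVE  FREECALL: INACTIVE
  HIGHREV: INACTIVE  INWATS: ACTIVE       LNID: INACTIVE
  LOGAMA: INACTIVE   LOGOPT: ACTIVE       LONGCALL: ACTIVE
  LUSORIG: INACTIVE  LUSTERM: INACTIVE    OBSERVED: INACTIVE
  OCCOVFL: ACTIVE    OCCTERM: ACTIVE      OUTWATS: ACTIVE
  OVERFLOW: ACTIVE   SST: ACTIVE          TIMECHANGE: ACTIVE
  TRACER: ACTIVE     TRKID: INACTIVE      TWC: INACTIVE
  UNANS-LOCAL: INACTIVE  UNANS-TOLL: ACTIVE"""

if __name__ == "__main__":
    om = parse_ama118(SAMPLE)
    print(f"{om.date} {om.time} seq {om.seq}: {len(om.options)} options")
    for name in inactive_fraud_options(om):
        print(f"  fraud-detection option {name} is INACTIVE")
```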
SSTs are not solely caused by boxers, though, as equal access offices can generate a lot of SSTs in normal operation. I believe that trunking arrangements with ICs (InterLATA Carriers) are often responsible for triggering these. One toll office I knew of had thousands of SSTs on a plant measurement report, so if this option is ACTIVE, it may not be EXTREMELY dangerous, but it can't hurt to know about this. One possible way around the SST detect is to make your 2600Hz tone last several seconds. I do not remember the exact figure, but after a certain number of seconds an SST ceases to be an SST. I am not sure if these longer transitions are logged or not, or if there is even an option for this. However, I believe that the BLUEBOX feature could not be fooled by doing this. BLUEBOX, if activated, will detect any foreign winks after a necessary one (necessary for call completion) occurs. Of course you can always avoid having your DN associated with anything like this by re-directing your call flow, which can be accomplished easily.

Another AMA option that could be used to catch black boxers is the UNANS-TOLL option. When this option is ACTIVE, toll calls ringing longer than a specific period of time can be logged in an AMA record. Someone calling toll from a DMS-100 to a person using a black box (does anyone still use devices like the black box anyway?) in a No. 5 crossbar may trigger this option to be logged. I say 'may' because I am not positive about this; the option could also be used in other ways, I imagine.

The ENFIA-B-C option is one that could possibly present a problem to a telecom enthusiast. I have seen the term ENFIA (Exchange Network Features for Interstate Access) associated with a Feature Group A (POTS dialup) long distance service. ENFIA-B and C mean FG-B and FG-C service. FG-A and B (POTS and 950+1/0xxx respectively) could possibly be used to record information concerning toll fraud.
For instance, I know of one service (FG-D and FG-B) that has the ability to check a telco's magnetic tape to see what numbers have been accessing their service. If a large amount of fraud became a problem, the carrier could get the AMA information to try and determine who is committing toll fraud. I'm not sure if other companies have this option; I would guess that almost all of the major companies (MCI, Sprint, Allnet, etc.) have the ability to use something of this nature to track down security problems.

Have you ever wondered why many of the old blue boxers were caught? It is due to the use of AMA. AMA records can reveal boxing patterns, and this info can be used by the telco to track down blue/red/black box users. So if you are a person who practices any of these methods, be aware of what you are up against. Boxing has been around for a very long time and the telco knows all about what goes on and the different methods that people use. So use care. An informed phreak is a free phreak.

SUMMARY
-------

Hopefully this article has helped clear up any misconceptions about AMA that anyone might have had, as well as provide a reference to be looked back on. The information contained in this article can also be used for social engineering purposes, if you so desire. However, I do not intend for any of this information to go toward harmful purposes, such as billing calls to other people, or causing confusion and disorder at any internal points in the telco. Such actions do not make a person a phone phreak. However, if you find out anything interesting concerning AMA that isn't included here, or anything about independent telcos' billing systems, feel free to let me know. If you wish to contact me concerning this article, you can find me on a few BBSs. I will attempt to answer any questions anyone might have, and would like to hear from anyone who has a valid interest in the workings of the phone system.
===============================================================================

Thanks go out to all the people (too many to mention) who have contributed any information (no matter how small or large) to this article. Other information for this article has been taken from switching system messages, Bell System Technical Journals, Bell Labs RECORDs, Bellcore documents, and various other technical literature and information. I hope someone likes this article because it took a very long time to complete.

===============================================================================