TELECOM Digest     Sat, 28 Apr 90 21:58:30 CDT    Special: Coin Station Fraud

Inside This Issue:                              Moderator: Patrick A. Townson

    Yet Even More on Coin Station Fraud [Larry Lippman]
----------------------------------------------------------------------

Subject: Yet Even More on Coin Station Fraud
Date: 23 Apr 90 20:58:08 EST (Mon)
From: Larry Lippman <kitty!larry@uunet.uu.net>


In article <6603@accuvax.nwu.edu> karl@ddsw1.mcs.com (Karl Denninger) 
writes:

> Not to argue with Larry, but his description is in conflict with that
> I have experienced around the country; including Michigan, Illinois,
> Florida, and elsewhere.

	I will get to the specific issues raised by Karl Denninger in
a few moments.  Please bear with me while I provide some introductory
material.  This discussion is also starting to get complex, and it is
becoming increasingly difficult for me to explain in a succinct
fashion all that is necessary to effect an understanding of the
specific issues at hand.  If you are hopelessly confused after reading
this article, I am sorry - I tried. :-)

	I suppose a bit of qualification is in order.  During the
1970's a group within my organization at that time provided
consulting, R&D and contract engineering services to various
manufacturers of CO apparatus and accessories.  Almost all of this
effort was focused on conversion of electromechanical CO apparatus so
that it could provide "new-fangled" :-) features not possible in its
native design.  One of our specialties was coin control applique
circuits to permit SxS and XY CO's to offer DTF (Dial Tone First)
service, LCOT (Local Coin Overtime) charging, and TSPS compatibility
for independent operating telephone companies whose DSA and toll
operator functions are provided by a [then] Bell System facility.

	As an example, in the case of the SxS CO, we developed various
microprocessor-based (the first used an 8080 - how time flies! :-) )
circuits which connected between the linefinder and first selector in
a coin station linefinder shelf.  An installation consisted of a card
cage containing one card per equipped linefinder, appliques to permit
inband coin control signaling on existing recording-completing trunks,
plus common DC-DC converter apparatus.  Some of the resultant products
were sold by others to the Bell System, although much of the marketing
was aimed at independent operating telephone companies.

	During the course of these projects my organization amassed
considerable engineering documentation from WECO, AE, SC, North
Electric and Northern Telecom, not to mention a formidable collection
of coin stations and CO apparatus.

	The point I am trying to make is that the information I have
provided is based upon *explicit* knowledge of actual CO apparatus,
and is not inferred from empirical observations or "less-than-lawful"
means.

	The basic principles behind the operation of "ordinary" DTF
coin stations *are* as I have represented them, and they *cannot*
change for many years so as to ensure compatibility with the 1C-type
and 1D-type coin stations remaining in service (at least in BOC
areas).  By the use of the term "ordinary" I exclude COCOT's and any
coin stations with special features such as digital displays, credit
card readers, toll carrier selection keys, etc.

	For the sake of simplicity, I have in recent articles
described DTF operation as it applies to a 1C-type coin station.  15
years ago the 1C-type coin station comprised the vast majority of DTF
coin stations in service, since the 1D-type coin station was still in
an introductory phase.  Today, the 1D-type coin station or its
equivalent probably constitutes the most commonly found DTF coin
station in BOC areas, but I have no current knowledge as to the
percentage distribution of DTF coin stations by coin station type.

	From an interface and functional standpoints, the 1C-type and
1D-type coin stations are virtually identical.  From an internal design
standpoint, the 1C-type and 1D-type coin stations are vastly different.
 From a user standpoint, the 1C-type and 1D-type coin station should
be indistinguishable.

	The 1C-type coin station has an electromechanical totalizer
providing two major functions: (1) a "readout" of the value for each
deposited coin in the form of dual-frequency tone pulses; and (2) the
totalization of deposited coins until an "initial rate" amount is
reached, at which time a contact operates that permits the CO
apparatus to conduct a ground test to ascertain if this initial rate
has been deposited.  The 1D-type performs the same functions as above,
except that the totalizer is completely solid-state, being replaced by
coin proximity sensors for nickels, dimes and quarters, with the
required logic contained in one 40-pin hybrid integrated circuit.  A
second integrated circuit functions as the coin signal oscillator.
Other new circuit functions arbitrate dialing and coin tone signaling,
provide improved CO loop signaling performance, and create an
automatic circuit reset each time the station goes on-hook.

	Everything I have stated in previous articles should apply to
both of the above types of coin stations.

	With respect to the above coin stations, here are the functions
which pertain to this discussion:

1.	Provide dual-frequency tone pulses to indicate denomination of
	deposited coin (one pulse per five cents).  The speech network
	is disabled (NOT just muted) during coin tone readout.

2.	Permit the CO apparatus to conduct an Initial Rate Ground Test
	(IRGT) to ascertain if the initial rate has been deposited.

3.	Permit the CO apparatus to reset the totalizer so that the
	IRGT can *again* be performed on a new coin(s) on the same
	call.  The collect/return function has nothing to do with
	IRGT.

4.	Permit the CO apparatus to conduct a Stuck Coin Ground Test
	(SCGT) to ascertain if *any* coin is in the coin hopper.

5.	Permit the CO apparatus to collect all coins in the coin hopper
	at any time during or after a call.

6.	Permit the CO apparatus to refund all coins in the coin hopper
	at any time during or after a call.

	The differences in coin station characteristics as reported by
Karl Denninger are no doubt the result of different coin control
trunks in different CO's, and in different TSPS generic versions
and/or hardware with respect to the TSPS ACTS Station Signaling and
Announcement Subsystem.

	It is important to understand that while 1C-type and 1D-type
coin stations provide certain capabilities which may be used as a
defense against fraud, such capabilities may not always be utilized by
the associated coin control apparatus in the CO.  Many variations
exist throughout the continental U. S. in CO apparatus, associated
TSPS facilities, and coin station "policy" which result in minor, but
nevertheless different operating characteristics.

	Here is an example of what I mean.  The coin control apparatus
associated with ACTS counts the number of dual-frequency tone pulses
to ascertain the amount of money deposited.  The CO apparatus,
depending upon type and options, could elect to perform ANY of the
following:

1.	Just count tone pulses until it *believes* enough money has
	been deposited.

2.	Count tone pulses until it believes enough money has been
	deposited, followed by a SCGT to verify that at least ONE
	coin has been deposited.

3.	Count tone pulses for coins until an initial rate amount is
	deposited (fairly simple if a quarter is involved), perform
	an IRGT, then continue counting tone pulses until it
	believes enough money has been deposited.

4.	Count tone pulses for coins until an initial rate amount is
	deposited (fairly simple if a quarter is involved), perform
	an IRGT, then continue counting tone pulses until it
	believes enough money has been deposited, followed by a SCGT
	to further verify that at least ONE coin has been deposited.

5.	Count tone pulses for coins until an initial rate amount is
	deposited (fairly simple if a quarter is involved), perform
	an IRGT, reset the totalizer, then continue counting tone
	pulses *and* perform successive IRGT's until it believes enough
	money has been deposited.

6.	Count tone pulses for coins until an initial rate amount is
	deposited (fairly simple if a quarter is involved), perform
	an IRGT, reset the totalizer, then continue counting tone
	pulses *and* perform successive IRGT's until it believes enough
	money has been deposited, followed by a SCGT to further verify
	that at least ONE coin has been deposited.

	Scenario #6 may seem complex, but it is *exactly* this
scenario that is performed in most Local Coin Overtime applications.
Not only that, but the coin is usually collected right on the spot.

	In my travels, I have seen implemented *all* of the above
scenarios - and more!

> >	After ACTS makes the announcement as to the amount of the coin
> >deposit, the coin control trunk places +48 V (*positive* battery) on
> >the ring side of the line, while connecting ground to the tip.  This
> >action enables the totalizer for readout, and also operates the "B"
> >relay in the totalizer which *disables* the speech network.  The coin
> >control trunk then counts dual-tone pulses from one or more deposited
> >coins until the proper amount is entered.
 
> This is not in line with my experience.  Try it in your area of the
> country; after the announcement, blow into the mouthpiece.  I've
> always been able to hear sidetone (the echo of your noise), which
> tells you the voice circuit is quite open!  If it wasn't, how would
> you hear the recorded announcement?

	I may have been unclear in my original article; the speech
network is disabled *only* during the actual coin tone signaling
interval.

	If the CO apparatus performs the IRGT with totalizer reset for
each deposited coin, then fraud through coin tone spoofing is
virtually impossible because the proper value of coins *must* be
*physically* present to satisfy the IRGT.

> The only exceptions, in the last five to seven years, have been in
> GTE-served places that don't complete the "mic" circuit until you
> deposit coins.  Those are real annoying, as your called party often
> hangs up before you can finish depositing the local-call money
> ("Hello.... hello?  Click!") and leaves you with a call you paid for
> but didn't get any utility from.

	Well, GTE/AE apparatus operates on similar principles, but
there are differences.  Especially because GTE/AE has their own method
of providing a TSPS equivalent.

> >If a preset time is exceeded before the required amount is deposited,
> >the coin control trunk aborts the collection effort and the call,
> >places a recorded announcement on the line, and refunds the coins
> >deposited so far.  
 
> This is also not in line with my experience.  In my experience (which
> occurs when I'm short of change!) after a short delay I'll get a
> recording which says something to the effect of "deposit thirty more
> cents for the first three minutes please", followed about fifteen
> seconds later by a (live) operator who will repeat the request.

	What you state is not the case in some areas.  There is a
growing trend to reduce TSPS operator staffing requirements, and in
some areas a decision has been made that if the user cannot deal with
ACTS in making the initial deposit, then the user will not deal with
ACTS at all, and will have to start over with a O+ call.  I have not
seen such a rigid attitude with overtime arising out of ACTS
origination, though.

> >At this point, while the money is in the coin hopper, it has not been
> >collected.  If answer supervision on the call is detected, the money
> >is collected immediately after the call is completed.  If no answer
> >supervision on the call is detected, the money is refunded when the
> >handset is replaced.  Usually the collect or return function is
> >delayed until the handset is replaced, but it *can* occur with the
> >handset off-hook, and may do so in some CO's.
 
> It usually is delayed.  The only exception I've seen is if you go
> "overtime", in which case the CO will collect the funds you have
> already deposited just prior to the (computer) voice coming on the
> line to ask for more money.

	One of the reasons why overtime is collected on a
pay-as-you-go basis is to eliminate a large buildup of coins in the
coin hopper, a condition which can result in malfunction if it got out
of hand.

> >	The defense against fraud in the above scenario is that the
> >speech network is disabled by the CO during the coin deposit interval,
> >which precludes use of a tone generator held to the handset
> >transmitter.  
 
> Again, not in my experience.  The speech circuit is muted DURING the
> deposit of coins, presumably to prevent you from taping the coin
> sounds locally.  But that muting doesn't occur until you actually
> deposit the coin into the slot, and un-mutes immediately after the
> tones are sent over the line.

	You are partially correct, and I was also unclear in what I
had stated.  The speech network is muted for two reasons: (1) to
prevent ambient sounds (not necessarily fraud) from interfering with
coin signal detection; and (2) to prevent coin signal sounds from
annoying the user (the local tones are loud).  What I had really meant
to say was that if the IRGT is made by the CO apparatus following the
deposit of each coin, then spoofing coin tones will *not* facilitate
fraud, because only real coins of the proper denomination (or slugs
:-) ) can satisfy the IRGT.

	A point to remember is that if the coin control trunk detects
coin tones, but the IRGT fails, this *could* be used as an indication
that a fraudulent call is in progress.

	There is another type of coin station fraud that no one has
yet mentioned - spoofing coin tones using the touch-tone dial.  This
was a problem with 1A2 and 2A2 pre-pay coin stations.  The initial
solution to the problem in the 1C2 and 2C2 coin stations was to use
+48 V positive battery when connected to TSPS, with such positive
battery having the effect of disabling the touch-tone dial.  1A2, 2A2,
early 1C2 and early 2C2 coin stations used single-frequency coin
signal oscillators.  When ACTS was implemented, coin stations in the
serving area were required to upgrade to 1C2 and 2C2 coin stations
which utilized dual-frequency coin signal oscillators to work with
improved CO apparatus which would not false on DTMF signal tones.
Also, many coin stations no longer disable the touch-tone dial, with
this requirement having occurred to facilitate continued DTMF digit
entry on calls to alternate toll carriers.  The 1D-type coin station
was always equipped with the dual-frequency coin signal oscillator,
and I believe its touch-tone dial was always enabled.

	I suspect that I have now beat this topic to death. :-)


Larry Lippman @ Recognition Research Corp.  "Have you hugged your cat today?"
UUCP:    {boulder|decvax|rutgers|watmath}!acsu.buffalo.edu!kitty!larry
TEL: 716/688-1231 || FAX: 716/741-9635      {utzoo|uunet}!/     \aerion!larry

------------------------------

End of TELECOM Digest Special: Coin Station Fraud
******************************