93

AgeUK (and others) warn about making phone calls directly after receiving a scam call and advise you to "wait for the line to clear":

Use a different phone if you can, or wait 5 to 10 minutes after the cold call if using the same phone - just in case they waited on the line.

How does this work? Why can't the telephone network fix this?

Does the scammer require specialized equipment or does this work from any landline phone?

Matt Zeunert
  • 953
  • 1
  • 6
  • 8
  • 37
    UK landlines terminate the call when the person who initiated the call hangs up. If the recipient hangs up, that does not end the call. I'm sure the phone network could change this, but it's worked this way for decades, so the change would probably break something. – paj28 Sep 14 '15 at 15:42
  • 1
    I remember someone posting some info about this issue [here](http://security.stackexchange.com/questions/91681/how-to-distinguish-between-a-scam-and-a-genuine-call) – Ulkoma Sep 14 '15 at 15:56
  • 4
    I'm pretty sure because of this very scam (vishing: voice fishing) BT have set (or are going to set) the timeout threshold for connections to be way lower than they used to be. The feature is called call clearing and the timeout can be as low as a few milliseconds on the BT 21CN. This is from memory of a POTS uni module I did. – TheJulyPlot Sep 14 '15 at 17:50
  • 5
    ^ A quick search would find a proper source. https://www.openreach.co.uk/orpg/home/updates/briefings/wholesalelinerentalbriefings/wholesalelinerentalbriefingsarticles/wlr00314.do BT proposed to take the clearing timeout down to 10 seconds to avoid fraud/'espionage', with exceptions for certain types of receiving line. This proposal was to be rolled out in April of 2014 - and _presumably_ was. – underscore_d Sep 14 '15 at 18:42
  • 4
    Similar: [Why do people repeatedly hit the phone hook switch when disconnected?](http://movies.stackexchange.com/q/39394/1799) at Movies SE – kenorb Sep 14 '15 at 19:27
  • Would be interested to know if this affects FTTx networks in the UK (e.g. BT Infinity). AFAIK, voice is carried over SIP and then terminated on to copper wires going into users' homes. So do the termination equipments usually disconnects the SIP session when user's go on-hook? – billc.cn Sep 16 '15 at 09:52
  • The story goes in my family that when I was born, my father called his mother in law to tell her the good news. When she hung up, he was too tired or too enthused to notice and kept on talking. She picked up the phone again to call her sister, but heard my dad talking instead. This was in The Netherlands in the '70s, so I can't say if this will still work, but at the time, apparently, it did. – SQB Sep 16 '15 at 12:03
  • @paj28 What would it break if they introduced a sequence of buttons that the callee can press to terminate the call immediately? Incidentally, this was implemented on CampusLink, a phone service used in student halls. – Stewart Apr 23 '18 at 22:11
  • @Stewart - With a specific sequence of buttons, probably nothing would break. Is there a story about why this was done on CampusLink? – paj28 Apr 24 '18 at 12:39
  • @paj28 Presumably so that people can terminate nuisance calls. I don't know if there's a story behind it - in my mind, it's just common sense. For the record, the sequence was RECALL # 5. – Stewart May 05 '18 at 22:24

3 Answers3

70

This is because of Called Subscriber Held (CSH). This is not specific to telephony in the UK but rather a line state applicable on PSTNs caused by the person who made the call not hanging up.

The person from which the call originates must hang up for the call to disconnect as it is the person from which the call originates that is paying for the bill. The person receiving the call may hang up, but this will not disconnect the call unless the originating caller also hangs up. Usually once a CSH condition is detected, a timer will start which will clear the call after a specified period of time (for example 3 minutes).

Back in ye olden days when people had phone handsets connected to base stations with a wire(!) this feature meant they could put the phone down and move to another room without it dropping the call. :)

Using the recall (R) button on most phones will put any current call into an on hold state and give you a dial tone.

kalina
  • 3,354
  • 5
  • 20
  • 36
  • 6
    I remember those good old days! – MattP Sep 14 '15 at 17:53
  • 1
    Does that mean that I can "hijack" all your phone lines by just calling you a few times and never hanging up? – David says Reinstate Monica Sep 14 '15 at 17:55
  • 6
    @DavidGrinberg: there was an episode of "Lovejoy" I remember in which they did this to stop some seller receiving a call from an interested buyer. With modern exchanges the timeout means it requires a more active attack, caller has to do more than just leave the phone off the hook and go about their business. But even if the timeout is milliseconds then basically yes you can DDOS a phone. If you call someone from enough different lines simultaneously, then neither the exchange nor their phone knows which call is the person they actually want to talk to. – Steve Jessop Sep 14 '15 at 18:13
  • @SteveJessop notice that this also happens with digital lines: they can receive only one call at the time. The only difference is that usually the operator notifies you of missed calls meanwhile. – o0'. Sep 14 '15 at 21:10
  • Note this only applies to POTS lines. ISDN (for instance) does not perform this way (or more precisely whether the called party clears down the line when the phone goes on-hook is a feature of the ISDN exchange / TE). It will also not apply to VoIP lines, and I believe it does not apply to some cable company lines. Modern digital exchanges have a mechanism to disable this, but most telcos do not offer this option. – abligh Sep 14 '15 at 21:45
  • 10
    This seems to be pretty much UK specific. Every page about CSH or this kind of phone scam is talking about the UK. At least in Germany a POTS line connection could always be terminated by both ends as long as I can remember. – AndreKR Sep 15 '15 at 01:51
  • 4
    This was true in the US where I grew up (midwest in the 80s) but the duration was only about 6 seconds. There was a clear difference between how long a caller vs a callee had to hang up in order to end the call. – Ben Jackson Sep 15 '15 at 02:07
  • @AndreKR - The UK specific appearance (and execution vector) may be down to a combination of anomalies in reporting and the consistency of our dial tone (where all providers use the exact same tone, even when they're not using a BT provisioned line.) – James Snell Sep 15 '15 at 15:43
  • @abligh - ISDN is pretty rare for residential customers in the UK, I've only ever seen it in commercial premises. The ISDN lines that were around got dropped in favour of analogue once ADSL was rolled out. – James Snell Sep 15 '15 at 15:47
  • @JamesSnell Correct. ISDN2 is comparatively rare in homes (though I have it), but not in all residential premises (e.g. care homes) where vulnerable people are often found. It can also be switched off on POTS lines (and was when people had a POTS connected PABX), and has been able to be switched off since System X or previous. Unless things have changed recently, BT only makes the option to switch it off to available to customers selecting exchange line options. I believe various cable companies do not have this option switched on. – abligh Sep 15 '15 at 16:36
33

To add to the original answers (and consolidate some comments):

Analog exchanges (certainly (*1) Strowger exchanges in the UK, probably others elsewhere) did not permit the called party to clear the line (hang up). My understanding of the original reason for this is that the calling party was paying the bill, and there was no effective signalling (pre digital exchanges) up the line (from called party to calling party) to terminate the billing. Remember on long distance calls these calls were patched through manually. This could be used (and relied on) by those receiving calls, e.g. to hang up and pick up the phone elsewhere. I believe this to be the case universally in original analog exchanges (i.e. in every country). This feature is called Called Subscriber Held (CSH).

When digital exchanges came in in the UK, some people had come to rely on being able to hang up and pick up the phone elsewhere, and BT (well, the GPO as it was then) maintained this feature. All modern exchanges have a configuration knob or two ("Called Party Clear" and "Called Party Clear Timeout") which determines whether, and after how long, the called party can clear the call. BT have in recent times set this knob to 3 minutes. This knob has been a feature of System X, System Y (aka Eriksson AXE10) and 21CN phone exchanges. BT use a much shorter timeout on POTS lines configured for analog PABXs. The called party can clear automatically on ISDN2 and ISDN30, and also on mobile and VoIP.

This is described in full in BT SIN 351 ("Technical Characteristics Of The Single Analogue Line Interface") under section 7.1.2:

7.1.2. [Call Clearing] By The Called Terminal

When a call is ended by the called terminal, the BT network interface will detect an off-line condition (see section 3.1 Off-line d.c. Condition) and initiate a time-out process lasting between two seconds and three minutes. After the time-out period has expired, network initiated clearing (see section 7.2 Network Initiated Clearing) is provided to the calling terminal.

Calls that are made to certain services (e.g. Number translation services and Premium rate services) are subject to first party clearing. In these circumstances, when the called terminal ends the call there is no time-out process and the calling terminal is provided with network initiated clearing (see section 7.2 Network Initiated Clearing) immediately.

In other countries, the same knobs are available. The removal of this 'feature' (or introduction of such a safeguard) would have been up to the operator. Eire has a similar telephone network to the UK, as do various current or former British dependencies (another answerer says this is/was the case in Canada), so I would guess their incumbent operators may share the same configuration. However, various cable operators in the UK do not share this configuration. Historically, I believe this configuration has been used in the US (as this patent) would suggest, and was present on Strowger exchanges (see here (PDF) and here).

In March 2014 BT announced it was drastically reducing the time for Called Party Clear. You can find the announcement here (and the text quoted above is post this announcement):

Here are some extracts:

There are potential problems and the risk of fraud when the called party replaces their handset to end a call but the calling party does not. Currently, in this situation, the network will wait between 2 and 3 minutes before initiating call clearing. During this time, the calling party is still connected to the called party. If the called party picks up their handset within the timeout period, they will still be connected to the calling party. Such a feature has always been available on analogue lines to allow the called party to hang up and subsequently re-answer the call for instance when moving from one extension to another. However, this feature has of late been exploited by fraudsters who hold the line open.

...

It is planned to roll out the proposed changes using a phased approach across the BT network, starting with the AXE10 exchanges which equate to around one third of the local exchanges currently in service or approximately 6 million exchange lines. It is intended to commence the rollout early April to change the AXE10 configuration for call clearing to 10 seconds with a target completion date of 10 April 2014. Further information regarding the timeline for implementing the same changes to System X and UXD5 exchanges will be made available in due course.

Note AXE10 is for this purpose a synonym to System Y. Also note AXE10 exchanges are deployed throughout Europe; the setting of this feature is (as previously indicated) a matter for the service provider.

So, the answers to the questions are:

How does this work?

The caller waits for the called party to hang up, plays a dummy dial tone that disappears when DTMF is received, hopes the called party does not hang up for more than the relevant timeout, and after a few digits have been dialled plays a ringing tone. I imagine Asterisk is eminently suitable for this task.

Why can't the telephone network fix this?

They can, and in the case of BT are fixing it. Other operators may not need to fix it as they may not offer this 'back compatible' feature.

Does the scammer require specialized equipment or does this work from any landline phone?

You do not need specialised equipment. However, you do need to dial someone who is on a landline configured for it, and hope they hang up for less than the relevant delay. May people may hang up for less than 10 seconds (which is the new standard it would appear).

Note this technique is not only much loved by fraudsters, but (when the delay was longer) was often used by journalists who, having contacted someone for a 'scoop', would leave the phone off the hook to prevent their competitors phoning the same person whilst they raced around to do an interview.

*1 = it has been suggested that even Strowger exchanges supported this, evidence of which I would be interested in. My research (see here) suggests that in the original Strowger configuration, it merely lit an alarm lamp. Even if this is correct, this is not to detract from the fact that at least some earlier exchanges did not disconnect for a considerable time after the called party hang up.

Community
  • 1
abligh
  • 2,026
  • 11
  • 12
  • Re Strowger - I'm fairly confident that on Strowger exchanges, CSH would be held until two further meter pulses had been received; the call would then be dropped. – peterG Sep 15 '15 at 21:35
  • @peterG if I'm guessing who you are correctly, I'm guessing you might well be right. However, you merely have to skip one exchange generation back and the point still holds. – abligh Sep 15 '15 at 21:57
  • @peterG I know, however, that I have made (and received) such calls on 0442, 0295 and 0865 (as were then) and they performed as described for >30 mins. – abligh Sep 15 '15 at 22:04
  • 2
    Since you say it is all about the billing, it makes sense that we never had this in germany in the old days, because a long time you payed per call on landline calls within the same area. I can remember a lot of people just leaving the phone connected to their best friends for an hour or so while doing something and then continuing to talk... – PlasmaHH Sep 16 '15 at 07:49
  • @peterG I've added a couple of links. Looks like on the original Strowger exchange, CSH merely lit an alarm lamp. I'd be interested if you can find documentation of CSH timeout on Strowger. – abligh Sep 16 '15 at 11:12
  • @peterG this link http://www.abrsm.org/forum/index.php?showtopic=38810 suggests (without evidence) that the two meter pulse thing was brought in with the advent of STD dialling, which I think is correct. – abligh Sep 16 '15 at 11:30
  • @abligh I wouldn't argue either way about the pre-STD era - that was before my time - but otherwise everything gedall40 says in his long post on your link gels with what I remember from those days. (I worked for BT as a Technical Officer in an exchange in the 70's) – peterG Sep 16 '15 at 18:20
15

It used to be a thing, at least in Canada, that the caller could hold on to the line and the callee would be locked into that circuit with the caller. One could prank a callee by staying on the line, waiting for the callee to attempt another call, and carry on a new conversation with the callee pretending to be who the callee intended to speak with.

This was fixed a very long time ago when the telco lines and equipment changed to digital communications.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    This remains the standard configuration for POTS lines in the UK and I believe much of Europe. – abligh Sep 14 '15 at 21:46
  • 1
    Actually this remained true in Canada long after equipment changed from analog to digital, at least with Bell Canada. I've confirmed it myself much more recently than that (but now it's been many years since I've had a POTS line so I can't confirm anymore). However, the call clearing timer was only 13 seconds. So if you waited 14 seconds after hanging up, you were fine. – Celada Sep 14 '15 at 21:58
  • 6
    @abligh: At least in germany we never had such a "feature", and I can not remember anything similar from the countries around me – PlasmaHH Sep 15 '15 at 08:28
  • 1
    @PlasmaHH it was a feature of the original Strowger exchanges that was inherited by System X then System Y (aka Erikkson AXE-10), then BT's 21CN switches. AXE-10s are/were widely deployed across Europe but whether that feature is switched on depends on operator configuration (as I said it's switched off on various cable networks). I would bet it's switched on in Eire, channel islands, Gibraltar. I'd also be unsurprised by it having been on by default in Scandinavia. I think I should turn this into an answer. – abligh Sep 15 '15 at 16:40