September 26, 2006 12:01 PM PDT
Out of the shadows, a pretexter's tale
(continued from previous page)
The manual, which was entered into the record at the subcommittee's hearing in June, includes a chapter called "Non-published address and phone number investigation." In it, Rapp discusses the many sources that may be plundered for data, such as a person's video store, grocery store, newspaper provider or cable company. Another heading reads: "Acquiring the statement without the card number."
"Some of these people are very successful at obtaining information through these means," said Rep. Bart Stupak, a member of the House committee. "We should be very concerned when someone can find the most sensitive information about us. People have to feel secure when they fill out financial and medical records that their information is going to remain private."
Rob Douglas is a security consultant who once hired data collectors like Rapp--that is, until he discovered that they relied on pretexting. Douglas, who has testified numerous times before Congress on data security, said corporations are some of the most voracious consumers of data that can be obtained only via pretexting.
"They wanted the information so badly that they stopped using me when I fired my information broker," Douglas said. "But there were plenty of others who would provide it. I lost half my business."
This raises the question of whether HP's investigation is all that rare in corporate America. Consider that even in the case of HP, the public might never have learned about the company's investigation had former board member Tom Perkins not pressured executives to disclose the truth.
Rapp offers an even more troubling revelation. Pretexting may be impossible to stop.
When it comes to phone companies, he recommends that they issue passwords to customers, which some already do. He also believes that they should refrain from providing information to anyone unless the customer is calling from the phone line or cell phone in question.
When it comes to medical and financial records, Rapp has no suggestions.
Hospitals must provide records in medical emergencies, and that leaves them vulnerable, Rapp said. As for banks, they may safeguard money behind locked vaults, but the information they store is poorly protected.
"Banks have to help their customers," Rapp said. "They have to be open enough to work with you. Say, for example, I called the bank and told them I was waiting for a deposit and needed to check whether it arrived. I'll give them the (routing number found on the bottom of every check, which is public information). They will tell me, 'No, we need your account number.'
"I'll tell them that my accountant handles that, and that's the number he gave me. I'll also tell them I need to know whether that deposit has come in, and it's urgent. Then I'll give them the person's social security number. More times than not, they'll give me the account number. You can't stop that."
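The two controls Rapp recommends for phone companies (an institution-issued password, and only serving requests that arrive from the line on record) and the bank failure he describes can be expressed as a disclosure policy. The following is an added illustration, not code from the article or from any bank or carrier: a call-centre verification gate that classifies what a caller presents by how hard it is to obtain, refuses account-scoped requests backed only by public or widely held data, and raises an alert on the pattern Rapp describes (urgency plus public identifiers plus a request for the account number itself). The factor names, request types and policy thresholds are all assumptions made for the example.

```python
"""
Added example: a disclosure gate for a customer-service line, modelled on
the controls and the failure mode discussed in the article.  Nothing here
is a real institution's policy; every identifier and threshold is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    ROUTING_NUMBER = "routing_number"    # printed on every cheque: public
    SSN = "ssn"                          # held by many third parties: weak
    ACCOUNT_NUMBER = "account_number"    # also printed on cheques: weak
    ISSUED_PASSWORD = "issued_password"  # set up with the institution: strong
    CALLER_LINE_MATCH = "caller_line"    # call arrives from the line on record


# How much each factor proves.  Only the two strong factors demonstrate
# something a stranger with a discarded cheque could not present.
PUBLIC_FACTORS = {Factor.ROUTING_NUMBER}
WEAK_FACTORS = {Factor.SSN, Factor.ACCOUNT_NUMBER}
STRONG_FACTORS = {Factor.ISSUED_PASSWORD, Factor.CALLER_LINE_MATCH}

# Request types that reveal something about a specific account (assumed list).
ACCOUNT_SCOPED = {"account_number", "deposit_status", "balance", "transaction_history"}


@dataclass
class Request:
    asks_for: str              # e.g. "deposit_status" or "branch_hours"
    presented: set[Factor]     # identifiers the caller supplied
    urgency_claimed: bool = False


@dataclass
class Decision:
    disclose: bool
    reason: str
    alerts: list[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Decide whether the agent may answer, and flag pretext-like requests."""
    alerts: list[str] = []
    strong = req.presented & STRONG_FACTORS
    knowledge_only = req.presented <= (PUBLIC_FACTORS | WEAK_FACTORS)

    if req.asks_for in ACCOUNT_SCOPED and knowledge_only:
        # The caller is trying to learn an identifier using only things
        # that are printed on cheques or widely held elsewhere.
        if req.asks_for == "account_number":
            alerts.append("identifier harvesting: account number requested "
                          "without a strong factor")
        if req.urgency_claimed:
            alerts.append("pressure pattern: urgency claimed with only "
                          "public/weak identifiers")

    if req.asks_for in ACCOUNT_SCOPED:
        if strong:
            names = sorted(f.value for f in strong)
            return Decision(True, f"verified by {names}", alerts)
        return Decision(False,
                        "account-scoped request needs an issued password "
                        "or a call from the line on record", alerts)

    # Requests that reveal nothing about an account need no verification.
    return Decision(True, "non-sensitive request", alerts)


if __name__ == "__main__":
    # Constructed sample calls (not real traffic).
    samples = [
        Request("account_number", {Factor.ROUTING_NUMBER, Factor.SSN},
                urgency_claimed=True),
        Request("deposit_status", {Factor.ACCOUNT_NUMBER, Factor.SSN}),
        Request("deposit_status", {Factor.ACCOUNT_NUMBER,
                                   Factor.CALLER_LINE_MATCH}),
        Request("branch_hours", set()),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.asks_for:<20} disclose={d.disclose!s:<5} {d.reason}")
        for a in d.alerts:
            print(f"{'':<20} ALERT: {a}")
```

The first sample is the scenario Rapp describes: routing number plus Social Security number, an urgent tone, and a request for the account number. The gate refuses it and emits two alerts that a fraud team could route to review. The third sample shows the same account question answered when the call comes from the line on record, which is the carrier-style control Rapp recommends. Knowing the account number is deliberately treated as weak, since it appears on the same cheque as the routing number.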