September 26, 2006 12:01 PM PDT

Out of the shadows, a pretexter's tale

The manual, which was entered into the record at the subcommittee's hearing in June, includes a chapter called "Non-published address and phone number investigation." In it, Rapp discusses the many sources that may be plundered for data, such as a person's video store, grocery store, newspaper provider or cable company. Another heading reads: "Acquiring the statement without the card number."

"Some of these people are very successful at obtaining information through these means," said Rep. Bart Stupak, a member of the House committee. "We should be very concerned when someone can find the most sensitive information about us. People have to feel secure when they fill out financial and medical records that their information is going to remain private."

Business demand
Rob Douglas is a security consultant who once hired data collectors like Rapp--that is, until he discovered that they relied on pretexting. Douglas, who has testified numerous times before Congress on data security, said corporations are some of the most voracious consumers of data that can be obtained only via pretexting.

"They wanted the information so badly that they stopped using me when I fired my information broker," Douglas said. "But there were plenty of others who would provide it. I lost half my business."

This raises the question of whether HP's investigation is all that rare in corporate America. Consider that even in the case of HP, the public might never have learned about the company's investigation had former board member Tom Perkins not pressured executives to disclose the truth.

Rapp offers an even more troubling revelation. Pretexting may be impossible to stop.

When it comes to phone companies, he recommends that they issue passwords to customers, which some already do. He also believes that they should refrain from providing information to anyone unless the customer is calling from the phone line or cell phone in question.

When it comes to medical and financial records, Rapp has no suggestions.

Hospitals must provide records in medical emergencies, and that leaves them vulnerable, Rapp said. As for banks, they may safeguard money behind locked vaults, but the information they store is poorly protected.

"Banks have to help their customers," Rapp said. "They have to be open enough to work with you. Say, for example, I called the bank and told them I was waiting for a deposit and needed to check whether it arrived. I'll give them the (routing number found on the bottom of every check, which is public information). They will tell me, 'No, we need your account number.'

"I'll tell them that my accountant handles that, and that's the number he gave me. I'll also tell them I need to know whether that deposit has come in, and it's urgent. Then I'll give them the person's social security number. More times than not, they'll give me the account number. You can't stop that."


3 comments

Keyworth Spying: Sweet Irony
It is ironic that George Keyworth was a victim of the very policies that his "neutral" think tank The Progress & Freedom Foundation (www.pff.org) advocates. PFF never met a government regulation it liked, and would surely not support more "burdensome" government regulation against pretexting. Indeed, it advocates for even more personal information consolidation by corporations who collect, consolidate, and datamine and then sell off YOUR personal info to the highest bidder. Read some of their studies in the Areas of Study Section. Yeah, they are really unbiased. PFF a think tank, that is rich. It is nothing more than a right-wing lobbyist group.
Posted by CancerMan2 (74 comments )
Pretexting?
Ask "Susan Thunder" about "social engineering."
Posted by blw1540 (1 comment )
Rapp aided destruction of suspect computer
According to today's WSJ, Rapp tipped off his nephew, a pretexter in the HP case. The nephew says he has destroyed the computer used.
Posted by J.G. (837 comments )