September 8, 2006 4:17 PM PDT
Security breaches are wake-up calls to phone companies
Douglas, an expert who advises companies on how to protect themselves from pretexting scams, said these were among the easiest authentication methods to crack.
"Honestly, using a Social Security number is pretexting 101," he said. "It's one of the most rudimentary methods of authentication."
He suggests companies use at least a two-tiered approach for authenticating customers, one that does not rely on passwords built from biographical data such as home addresses, Social Security numbers, birth dates and mothers' maiden names. Instead, companies can use more obscure personal data that is not as easily found through a Google search.
Verizon Communications uses multiple methods for authenticating customers before it will release records or account information, company spokesman Mark Marchand said. Not only does the company encourage customers to create passwords to access their accounts online, it also uses information that is printed on a customer's bill to authenticate users. And if the customer bill is not available, it requires people trying to access records to answer questions specific to that particular account.
"We are continually changing our methods," Marchand said. "We have folks dedicated to security who stay on top of new methods for securing our customers' data."
But pretexters aren't always pretending to be customers themselves. Often they impersonate phone company employees or law enforcement officials, claiming that they have authorized access for the information they're trying to obtain.
Preying on employees
Often the weakest links in the security chain are employees in call centers who have access to the information, because scammers can prey upon these workers' best intentions to help customers. In one of the lawsuits, filed by Verizon Wireless, the company said the scammer posed as someone calling on behalf of a customer who was voice-impaired.
Since the media storm first erupted over this issue in January, several phone companies say they have improved training for call center operators. Sprint, which recently settled its case against a pretexting broker, said that as part of its $1 million settlement, LocateCell.com is required to share some of its pretexting techniques with Sprint.
But despite these efforts there are still big security holes, Douglas said.
"Even with all the retraining, the best way to defeat the phone companies is to go through the Spanish-language operators, who are bilingual," he said. "At this point, the training of these operators is not the same level as some of the other call centers."
In addition to lapses in training, phone companies don't seem to be employing even basic methods for ensuring customers are who they say they are. For example, phone companies could simply call back phone numbers of customers who claim to be accessing information, or they could immediately notify customers with automated e-mails or text messages when their accounts have been accessed.
Some experts believe that the recent pretexting scandals and scandals involving federal government officials accessing phone records have made consumers more aware of these security problems. Ultimately, this could lead to people putting more pressure on their service providers to better secure their data.
Still, Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C., admits that the phone companies are in a difficult situation.
"Phone companies are between a rock and a hard place," he said. "They want to make it easy for you to get your phone records, but they don't want to make it too easy, so that criminals can get the information as well."