September 26, 2006 4:00 AM PDT
Telecoms feel the pretexting heat
Cingular: Would not answer survey; offered the following response instead.
Thanks for giving us a chance to provide input to your story. Protecting customer information against data brokers (or, as we often call them, "data burglars") is of the utmost importance to Cingular.
We have a variety of safeguards in place--both technical and human--and we continue to evaluate and enhance these measures. We don't want to publicize our procedures, however, since this information can prove helpful to bad actors. That is why we would prefer not to discuss the specifics you requested in your questions.
We can give you a few general examples, though. For instance, our customer service representatives are not allowed to provide call detail records over the phone, by fax or by e-mail--even once the caller is verified as the account holder. We adopted this policy in light of the data broker issue. And we do allow customers to add passcodes to their accounts.
Another way in which we're fighting data brokers is through the courts. We've filed six lawsuits and already obtained injunctions in most of these cases. The litigation is ongoing.
We are also working closely with policymakers as they examine the data broker issue. Along those lines, a Cingular representative will appear at a congressional hearing this Friday to discuss this topic.
In short, our goal is to make customer accounts as secure as possible against data burglars, while at the same time enabling legitimate customers to get information about their own service. This is an ongoing process and of the highest priority to Cingular.
Qwest: Answered survey
Q: Is a Social Security number, mother's maiden name, customer's name and customer's address and phone number sufficient for account verification over the phone?
A: Yes, we believe the methods that we employ to protect account information are effective--including the use of customer-generated password protection. However, the moving threat of identity fraud against providers and customers forces us to evaluate and periodically adjust the security controls and procedures for the purpose of protecting customers' information.
Customers can add a password to their account, and Qwest supports customers establishing a password on their account if they choose to do so. All online accounts are password-protected.
Q: If not, what alternate types of personal information do you require?
A: Customers can add a password to their account, and Qwest recommends customers establishing a password on their account if they choose to do so. All online accounts are password-protected.
Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?
Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?
A: We maintain compliance controls, monitoring programs and ongoing training as elements in our overall data protection program.
Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?
A: Only account holders or those pre-authorized by the account holder are permitted to access account information. Those pre-authorized are required to present the same information as the account holder.
Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?
A: We do keep Web-based account access login records, though we do not disclose the retention window. We periodically review our retention policies and adjust as necessary.
Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)
A: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy.
Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?
A: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy.
Editor's note: Qwest responded to two questions with the same answer.
Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?
Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?
A: Upon account establishment, we require the user to follow specific password creation rules. Passwords can be changed by customers at any time.
Q: Are there any other security measures you'd like to mention?
A: We share customers' concern regarding security issues like pretexting--an invasion of privacy that leaves, at minimum, two victims--the customer and the telecommunications provider. As a result, we devote significant resources to monitoring, evaluating and adjusting our security measures to meet an evolving threat.