September 26, 2006 4:00 AM PDT

Telecoms feel the pretexting heat


Cingular: Would not answer survey; offered the following response instead.

Thanks for giving us a chance to provide input to your story. Protecting customer information against data brokers (or, as we often call them, "data burglars") is of the utmost importance to Cingular.

We have a variety of safeguards in place--both technical and human--and we continue to evaluate and enhance these measures. We don't want to publicize our procedures, however, since this information can prove helpful to bad actors. That is why we would prefer not to discuss the specifics you requested in your questions.

We can give you a few general examples, though. For instance, our customer service representatives are not allowed to provide call detail records over the phone, by fax or by e-mail--even once the caller is verified as the account holder. We adopted this policy in light of the data broker issue. And we do allow customers to add passcodes to their accounts.

Another way in which we're fighting data brokers is through the courts. We've filed six lawsuits and already obtained injunctions in most of these cases. The litigation is ongoing.

We are also working closely with policymakers as they examine the data broker issue. Along those lines, a Cingular representative will appear at a congressional hearing this Friday to discuss this topic.

In short, our goal is to make customer accounts as secure as possible against data burglars, while at the same time enabling legitimate customers to get information about their own service. This is an ongoing process and of the highest priority to Cingular.


Qwest: Answered survey

Q: Is a Social Security number, mother's maiden name, customer's name and customer's address and phone number sufficient for account verification over the phone?

A: Yes, we believe the methods that we employ to protect account information are effective--including the use of customer-generated password protection. However, the moving threat of identity fraud against providers and customers forces us to evaluate and periodically adjust the security controls and procedures for the purpose of protecting customers' information.

Customers can add a password to their account, and Qwest supports customers establishing a password on their account if they choose to do so. All online accounts are password-protected.

Q: If not, what alternate types of personal information do you require?

A: Customers can add a password to their account, and Qwest recommends customers establishing a password on their account if they choose to do so. All online accounts are password-protected.

Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?

A: Yes.

Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?

A: We maintain compliance controls, monitoring programs and ongoing training as elements in our overall data protection program.

Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?

A: Only account holders or those pre-authorized by the account holder are permitted to access account information. Those pre-authorized are required to present the same information as the account holder.

Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?

A: We do keep Web-based account access login records, though we do not disclose the retention window. We periodically review our retention policies and adjust as necessary.

Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)

A: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy.

Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?

A: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy.

Editor's note: Qwest responded to two questions with the same answer.

Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?

A: Yes.

Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?

A: Upon account establishment, we require the user to follow specific password creation rules. Passwords can be changed by customers at any time.

Q: Are there any other security measures you'd like to mention?

A: We share customers' concern regarding security issues like pretexting--an invasion of privacy that leaves, at minimum, two victims --the customer and the telecommunications provider. As a result, we devote significant resources to monitoring, evaluating and adjusting our security measures to meet an evolving threat.
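Qwest says it flags "weak" passwords such as the customer's first name at account creation. The following is an added example of how such a check can be implemented; it is not Qwest's, Cingular's or CNET's code, and the account record fields (first_name, last_name, phone) and the rule set are assumptions. It generalizes the one rule the article mentions to any account data a pretexter could look up, and also catches reversed spellings and "leet" substitutions (J0hn for John).

```python
"""Reject self-service passwords derived from the customer's own account data.

Added example, not code from any carrier named in the article. The account
fields and the rule set are assumptions; the first-name rule is the only one
the article itself mentions.
"""
import re
from typing import Dict, List, Tuple

MIN_LENGTH = 8  # assumed minimum; the article gives no figure

# Undo common "leet" substitutions so that "J0hn" normalizes to "john".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _plain(text: str) -> str:
    """Lower-case and keep only ASCII letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _deleet(text: str) -> str:
    """Like _plain, but with leet characters mapped back to letters first."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def _account_tokens(account: Dict[str, str]) -> List[Tuple[str, str]]:
    """(label, normalized fragment) pairs that must not appear in a password.

    Each whitespace-separated part of each field becomes a token; fragments
    shorter than four characters (e.g. 'Jr') are ignored to avoid noise.
    """
    tokens = []
    for field, value in account.items():
        for part in value.split():
            norm = _plain(part)
            if len(norm) >= 4:
                tokens.append((f"{field}: {part}", norm))
    return tokens


def weak_password_reasons(password: str, account: Dict[str, str]) -> List[str]:
    """Return the list of reasons a password is rejected; empty means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    plain, deleet = _plain(password), _deleet(password)
    if plain and plain.isdigit():
        reasons.append("only digits")
    for label, token in _account_tokens(account):
        forms = (plain, deleet)
        # Flag the token itself or its reversal in either normalized form.
        if any(token in f or token[::-1] in f for f in forms):
            reasons.append(f"contains account data ({label})")
    return reasons


def is_acceptable(password: str, account: Dict[str, str]) -> bool:
    """True if the password passes every rule above."""
    return not weak_password_reasons(password, account)


# Constructed sample account record (not a real customer).
SAMPLE_ACCOUNT = {"first_name": "John", "last_name": "Smith", "phone": "555-123-4567"}

if __name__ == "__main__":
    for candidate in ["john2024", "J0hn!Smith", "5551234567", "NhoJ-1234",
                      "abc", "correct-horse-battery"]:
        print(f"{candidate!r}: {weak_password_reasons(candidate, SAMPLE_ACCOUNT)}")
```

The check is deliberately run against the account record rather than a generic dictionary, because the data a pretexter already holds (name, number, address) is exactly the data customers tend to reuse as a password; a generic dictionary check can be layered on top.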

This is exactly what happens
This is exactly what happens when your frontline customer service people are the cheapest available, unable to adhere to even the simplest standards for security, and are led by CxOs who are not qualified to pour rainwater out of a boot with instructions written on the sole.
Congress needs to make pretexting a felony, and not exempt government agencies or their sock-puppet contractors. Further, the penalty has to make the practice not worthwhile. Perhaps, if convicted, one should have to register with the local authorities as a privacy predator, a security-oriented offender or some such.
Posted by Too Old For IT (351 comments )
You got it....for the most part
I think you have hit the nail on the head, in stating that pretexting should be made a felony. Take the profit out of it, and you just might be able to drive the right behaviour.

With regards to the frontline reps being the cheapest available, you may be right to a point. Just remember "you get what you pay for". Everybody wants cheaper rates and expects premium service; it doesn't work that way.
Posted by patruga (11 comments )
Nothing so remarkable at all
While the acts outlined do fall within the context of "social engineering", the public would be best advised that there is nothing so "ingenious" about the methodologies applied at all!

The successes are merely due to the money hungry, overly competitive service providers bending common sense, and in some cases their own rules and the laws, to please everyone/anyone.

The businesses that are customers of the comm services, paying for employee accounts, expect to be able to do whatever they want, whenever they want. Of course personal and private rights are heedlessly trampled to appease any request; whether they appear to be putting safeguards or security procedures in place or making that big generalized statement about all that they do (lol), they do nothing serious or carefully. This is knowing where the almighty buck comes from and nothing more. Ingenious social engineering is creating the expectations that you have no rights or alternatives. Who are you to be asking about their policies, processes and standards?

While for the sake of the common good and security there should be unfettered access to say an employees desk drawers, in so much as in the case of a dangerous substance or article, known or unbeknownst to the desk's resident, so that we may all be protected. Rifling through a desk drawer to ascertain if an employee has money problems for the sake of an "investigation" in to some fraud, is definitely not!

Our businesses are unable to make reasonable quality distinctions, and what should be obvious is that they absolutely need to be controlled, regulated and monitored. They have shown remarkable vindictive, malicious and dictatorial proclivities in the past, the present and, even if regulations are imposed some years hence [after years of debate and readings in the House, etc etc etc], the future.

No, there is nothing so "ingenious" in all this at all, and any good investigator will tell you as much. Ingenious is how, year after year, nothing is really done to get a handle on business practices, while the rest of the world laughs at the antics of politicians and businesses alike. We think we are the international trade and commerce powerhouses but are more likened to school yard bullies globally.

There are far more realistic social engineering techniques; one of them is deluding employees into imagining that businesses have their best interests at heart.

The only reason there is security and the pretense of privacy is that it is just another marketing ploy, a bullet on their brochure.

All businesses, whether it be the vast, nefariously gleaned informational 'tanks' in level 3c at HP, their chattels' personal information, or the private customer accounts at a comm service, manage their informational holdings in a set of self-serving "policies", skipping the philosophies in a 'duty of care'.

Best be aware what ingenious is.
Posted by Dragon Forge (96 comments )
We already have an easy solution......
Force companies not to keep customer data longer than 3 days. That way, even if the account is accessed, not much damage can be done. And it can provide a benefit to the company, by optimizing server and storage space. I know that law enforcement agencies will howl, but if they are able to obtain a warrant, then the company could store information on that person to satisfy the warrant. Otherwise, everyone's information gets deleted!
Posted by itango (80 comments )
Congress "Investigates" pretexting???
Is this congressional investigation good, or is it a case of the kettle calling the pot black? How about the tactics of opposition research investigators? How about the tactics of investigative reporters, which always involve some lying, pretending or pretexting??? Perhaps the telecoms should only mail out "requests for records" replies to an account's billing address, not just hand them out willy-nilly.
Posted by Zeno77 (12 comments )
Congressional Investigation a Waste of Money
Handing out one's personal phone call records to somebody else is a definite breach of privacy. No investigation required.

Walt
Posted by wbenton (522 comments )
Call Back confirmation
Or is that beyond comprehension?

Walt
Posted by wbenton (522 comments )
It's just wire fraud, nothing new
Why all this noise over "pretexting"? It's just run-of-the-mill wire fraud. Charge them, prosecute them and penalize them. The laws and infrastructure for this already exist. This shouldn't be an issue. It's the same old story: the government won't enforce the laws they have, so they need to pass more?
Posted by DaClyde (96 comments )