September 26, 2006 4:00 AM PDT

Telecoms feel the pretexting heat


Sprint Nextel: Answered survey

Q: Is a Social Security number, mother's maiden name, customer's name, and customer's address and phone number sufficient for account verification over the phone?

A: No.

Q: If not, what alternate types of personal information do you require?

A: We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.

Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?

A: Yes. We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.

Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?

A: If we were to discover that an agent engaged in conduct that violates our corporate code of conduct or any of our internal policies including those that apply to our customer service practices and protecting customer privacy, we would absolutely take appropriate remedial action.

Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?

A: Sprint Nextel has processes in place to safeguard against illegitimate requests. The amount of access depends upon the information being requested--it is not possible for anyone other than the account holder or a legal guardian to change an address or activate or cancel an account, for example. And, as a matter of policy, call detail record information is not provided over the phone to account holders or others; instead, an account holder could request that call detail be sent to his or her address on the account.

Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?

A: As a matter of policy we do not do this today.

Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)

A: Sprint Nextel fully complies with the law and keeps records according to state and federal law.

Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?

A: We offer customers the option not to have access to individual calls on their printed bills.

Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?

A: Yes.

Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?

A: We advise our customers to choose passwords that are not easily guessed and to change passwords often.

Q: Are there any other security measures you'd like to mention?

A: Sprint Nextel is continually making improvements to our processes for authenticating customers before providing information. The improvements are in our technology and authentication processes and in the processes we follow with our care reps.

Through our Office of Privacy we are uncovering data brokers' methods and have settled two of three lawsuits against companies that provide call detail records; we also have sent scores of cease-and-desist letters to data brokers. We are continuing this campaign against data brokers. Sprint Nextel is committed to protecting privacy of our customers.

Sprint Nextel fully complies with all applicable privacy laws and regulations. Our corporate security, legal and customer care teams regularly evaluate existing safeguards to protect confidential customer information.


Verizon: Would not answer survey; offered the following response instead.

For customer service interactions with a Verizon representative over the telephone, we require our representative to check to see if the customer has established a password on the account--before disclosing call detail or other customer proprietary network information.

If there is no password established on the account, before we disclose call detail or other (identifying information), we require the rep to ask the customer to supply certain information that appears on the bill and that no one else would likely know if they didn't have the bill--specifically the customer account number or customer code. This is a multi-digit alpha-numeric number.

Our service rep may also ask the customer for additional information to assure that he or she's talking to the real customer.

Prior to creating online access to their account, a customer must first have their phone bill in front of them because they will be asked to supply the customer code or account number from the bill. Obviously, these accounts are protected by passwords set up by the customer.
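The phone-channel verification rules the carriers describe above (a password is required when one is set; otherwise a value printed on the bill; SSN and mother's maiden name alone never suffice; weak passwords are refused; every attempt is logged for later fraud review), modelled as an added Python example. This is not any carrier's code: the Account fields, the PBKDF2 hashing, the weak-password rule and the meaning given to a "flagged" account are assumptions made for the illustration.

```python
# Example model of phone-channel caller verification; field names and policy details are assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    first_name: str
    account_number: str                 # appears only on the printed bill
    high_security: bool = False         # customer "flagged" the account (assumed semantics below)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None

def is_weak_password(account: Account, candidate: str) -> bool:
    """Flag passwords that are short or contain the customer's first name."""
    return len(candidate) < 8 or account.first_name.lower() in candidate.lower()

def set_password(account: Account, candidate: str) -> bool:
    """Store a password only if it passes the weak-password check."""
    if is_weak_password(account, candidate):
        return False
    account.password_hash = _hash(candidate, account.salt)
    return True

AUDIT_LOG: list = []   # retained so suspicious access can be reviewed months later

def verify_caller(account: Account, claims: dict) -> bool:
    """Decide whether a phone caller may receive account detail.
    SSN, mother's maiden name, name and address are never sufficient on their own:
    with a password on file the password is required; without one, a value printed
    on the bill (the account number) is required. A flagged account needs both."""
    pw = claims.get("password")
    password_ok = (account.password_hash is not None and pw is not None
                   and hmac.compare_digest(_hash(pw, account.salt), account.password_hash))
    number_ok = hmac.compare_digest(claims.get("account_number", ""), account.account_number)
    if account.high_security:
        ok = password_ok and number_ok
    elif account.password_hash is not None:
        ok = password_ok
    else:
        ok = number_ok
    # Record which fields were offered and the outcome, never the secret values themselves.
    AUDIT_LOG.append({"account": account.account_number, "fields": sorted(claims), "ok": ok})
    return ok
```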


Verizon Wireless: Would not answer survey; offered the following response instead.

Verizon Wireless takes the issue of customer privacy seriously, and we will continue to do all we can to protect our customers' information. However, it's tough to provide answers to your questions--as we said last week, we don't want to provide a "road map" or make it easier in any way for the bad guys to do what they do. We do constantly review our systems and processes, and our customers can be assured that we are always looking at ways to make information more secure and to stay one step ahead of those aforementioned bad guys.

As you probably know, Verizon Wireless filed what's believed to be the first lawsuit against so-called pretexters (against Source Resources of Tennessee in July of 2005), and we've continued both to file lawsuits, and to work with and provide information to state governments as they investigate these companies.

9 comments

This is exactly what happens
This is exactly what happens when your frontline customer service people are the cheapest available, unable to adhere to even the simplest standards for security, and are led by CxOs who are not qualified to pour rainwater out of a boot with instructions written on the sole.
Congress needs to make pretexting a felony, and not exempt government agencies or their sock-puppet contractors. Further, the penalty has to make the practice not worthwhile. Perhaps, if convicted, one should have to register with the local authorities as a privacy predator, a security-oriented offender or some such.
Posted by Too Old For IT (351 comments)
You got it....for the most part
I think you have hit the nail on the head, in stating that pretexting should be made a felony. Take the profit out of it, and you just might be able to drive the right behaviour.

With regards to the frontline reps being the cheapest available, you may be right to a point. Just remember "you get what you pay for". Everybody wants cheaper rates and expects premium service; it doesn't work that way.
Posted by patruga (11 comments)
Nothing so remarkable at all
While the acts outlined do fall within the context of "social engineering", the public would be best advised that there is nothing so "ingenious" about the methodologies applied at all!

The successes are merely due to the money hungry, overly competitive service providers bending common sense, and in some cases their own rules and the laws, to please everyone/anyone.

The businesses that are customers of the comm services, paying for employee accounts, expect to be able to do whatever they want, whenever they want. Of course personal and private rights are heedlessly trampled to appease any request; whether they appear to be putting safeguards or security procedures in place or making that big generalized statement about all that they do (lol), they do nothing serious or carefully. This is knowing where the almighty buck comes from and nothing more. Ingenious social engineering is creating the expectations that you have no rights or alternatives. Who are you to be asking about their policies, processes and standards?

While for the sake of the common good and security there should be unfettered access to, say, an employee's desk drawers, in so much as in the case of a dangerous substance or article, known or unbeknownst to the desk's resident, so that we may all be protected, rifling through a desk drawer to ascertain if an employee has money problems for the sake of an "investigation" into some fraud is definitely not!

Our businesses are unable to make reasonable quality distinctions, and what should be obvious is that they absolutely need to be controlled, regulated and monitored. They have shown remarkable vindictive, malicious and dictatorial proclivities in the past, the present and, even if regulations are imposed some years hence [after years of debate and readings in the House, etc etc etc], the future.

No, there is nothing so "ingenious" in all this at all, and any good investigator will tell you as much. Ingenious is how, year after year, nothing is really done to get a handle on business practices, while the rest of the world laughs at the antics of politicians and businesses alike. We think we are the international trade and commerce powerhouses but are more likened to school yard bullies globally.

There are far more realistic social engineering techniques; one of them is deluding employees into imagining that businesses have their best interests at heart.

The only reason there is security and the pretense to privacy is that it is just another marketing ploy, a bullet on their brochure.

All businesses, whether it be the vast, nefariously gleaned informational 'tanks' in level 3c at HP, their chattels' personal information, or the private customer accounts at a comm service, manage their informational holdings in a set of self-serving "policies", skipping the philosophies in a 'duty of care'.

Best be aware what ingenious is.
Posted by Dragon Forge (96 comments)
We already have an easy solution......
Force companies not to keep customer data longer than 3 days. That way, even if the account is accessed, not much damage can be done. And it can provide a benefit to the company, by optimizing server and storage space. I know that law enforcement agencies will howl, but if they are able to obtain a warrant, then the company could store information on that person to satisfy the warrant. Otherwise, everyone's information gets deleted!
Posted by itango (80 comments)
Congress "Investigates" pretexting???
Is this congressional investigation good, or is it a case of the kettle calling the pot black? How about the tactics of opposition research investigators? How about the tactics of investigative reporters, which always involve some lying, or pretending, or pretexting??? Perhaps the telecoms should only mail out "requests for records" replies to an account's billing address, not just hand them out willy-nilly.
Posted by Zeno77 (12 comments)
Congressional Investigation a Waste of Money
Handing out one's personal phone call records to somebody else is a definite breach of privacy. No investigation required.

Walt
Posted by wbenton (522 comments)
Call Back confirmation
Or is that beyond comprehension?

Walt
Posted by wbenton (522 comments)
It's just wire fraud, nothing new
Why all this noise over "pretexting"? It's just run-of-the-mill wire fraud. Charge them, prosecute them and penalize them. The laws and infrastructure for this already exist. This shouldn't be an issue. It's the same old story: the government won't enforce the laws they have, so they need to pass more?
Posted by DaClyde (96 comments)