September 26, 2006 4:00 AM PDT
Telecoms feel the pretexting heat
- Related Stories
HP's boardroom dramaMay 8, 2007
HP chairman resigns, CEO confirms knowledge of probeSeptember 22, 2006
What Congress isn't doing to stop pretextingSeptember 15, 2006
HP leak probe extended to employeesSeptember 13, 2006
Photos: The major players in the HP dramaSeptember 12, 2006
Leak scandal costs HP's Dunn her chairman's jobSeptember 12, 2006
Lawmakers, U.S. attorney join HP leak probeSeptember 11, 2006
HP chairman: Use of pretexting 'embarrassing'September 8, 2006
Reporters' records accessed in HP probeSeptember 7, 2006
(continued from previous page)
Sprint Nextel: Answered survey
Q: Is a Social Security number, mother's maiden name, customer's name, and customer's address and phone number sufficient for account verification over the phone?
Q: If not, what alternate types of personal information do you require?
A: We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.
Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?
Q: Yes. We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.
Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?
A: If we were to discover that an agent engaged in conduct that violates our corporate code of conduct or any of our internal policies including those that apply to our customer service practices and protecting customer privacy, we would absolutely take appropriate remedial action.
Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?
A: Sprint Nextel has processes in place to safeguard against illegitimate requests. The amount of access depends upon the information being requested--it is not possible for anyone other than the account holder or a legal guardian to change an address or activate or cancel an account, for example. And, as a matter of policy, call detail record information is not provided over the phone to account holders or others; instead, an account holder could request that call detail be sent to his or her address on the account.
Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?
A: As a matter of policy we do not do this today.
Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)
A: Sprint Nextel fully complies with the law and keeps records according to state and federal law.
Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?
A: We offer customers the option not to have access to individual calls on their printed bills.
Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?
Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?
A: We advise our customers to choose passwords that are not easily guessed and to change passwords often.
Q: Are there any other security measures you'd like to mention?
A: Sprint Nextel is continually making improvements to our processes for authenticating customers before providing information. The improvements are in our technology and authentication processes and in the processes we follow with our care reps.
Through our Office of Privacy we are uncovering data brokers' methods and have settled two of three lawsuits against companies that provide call detail records; we also have sent scores of cease-and-desist letters to data brokers. We are continuing this campaign against data brokers. Sprint Nextel is committed to protecting privacy of our customers.
Sprint Nextel fully complies with all applicable privacy laws and regulations. Our corporate security, legal and customer care teams regularly evaluate existing safeguards to protect confidential customer information.
Verizon: Would not answer survey; offered the following response instead.
For customer service interactions with a Verizon representative over the telephone, we require our representative to check to see if the customer has established a password on the account--before disclosing call detail or other customer proprietary network information.
If there is no password established on the account, before we disclose call detail or other (identifying information), we require the rep to ask the customer to supply certain information that appears on the bill and that no one else would likely know if they didn't have the bill--specifically the customer account number or customer code. This is a multi-digit alpha-numeric number.
Our service rep may also ask the customer for additional information to assure that he or she's talking to the real customer.
Prior to creating online access to their account, a customer must first have their phone bill in front of them because they will be asked to supply the customer code or account number from the bill. Obviously, these accounts are protected by passwords set up by the customer.
Verizon Wireless: Would not answer survey; offered the following response instead.
Verizon Wireless takes the issue of customer privacy seriously, and we will continue to do all we can to protect our customer's information. However, it's tough to provide answers to your questions--as we said last week, we don't want to provide a "road map" or make it easier in any way for the bad guys to do what they do. We do constantly review our systems and processes, and our customers can be assured that we are always looking at ways to make information more secure and to stay one step ahead of those aforementioned bad guys.
As you probably know, Verizon Wireless filed what's believed to be the first lawsuit against so-called pretexters (against Source Resources of Tennessee in July of 2005), and we've continued both to file lawsuits, and to work with and provide information to state governments as they investigate these companies.
9 commentsJoin the conversation! Add your comment