September 26, 2006 4:00 AM PDT
Telecoms feel the pretexting heat
A U.S. House of Representatives panel said Monday that it has asked the chief executives of six major telecommunications companies to testify in its probe of the legally questionable practice of "pretexting," which involves tricking a business into disclosing information by posing as someone else.
The move--coupled with recent revelations that HP employed private investigators to obtain the phone records of journalists and board members--puts more pressure on mobile and landline phone companies to demonstrate that they have sufficiently stringent security mechanisms in place.
HP was able to penetrate many companies' private databases with apparent ease: AT&T, Cingular, T-Mobile and Sprint Nextel all leaked information about their customers, government investigators or the companies themselves have confirmed.
A CNET News.com e-mail survey of nine major mobile and landline providers showed that only two, Qwest and Sprint Nextel, would answer a list of questions in order to let customers evaluate the effectiveness of the security measures they had in place. Another four companies said they take customer privacy seriously and have reasonable mechanisms in place. T-Mobile, Boost Mobile and TDS Metrocom did not reply at all.
Sprint Nextel said its customer service representatives would not divulge information to a caller who had provided a Social Security number, the maiden name of the customer's mother, the customer's name and the customer's address and phone number. Qwest, on the other hand, said such information would be sufficient to access a customer account.
How safe is your phone bill?
Hewlett-Packard's investigation of boardroom leaks revealed how easy it is for your phone records to be obtained through "pretexting." We surveyed major telecommunications firms to find what consumer safeguards they have in place; following is an excerpt from our questions:
Is a Social Security number, mother's maiden name, customer's name and customer's address and phone number sufficient for account verification over the phone?
Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?
Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?
Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?
How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)
Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?
Do you permit customers to "flag" their accounts to require a higher degree of identity verification?
Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?
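The survey questions above describe a set of call-centre controls: a customer-chosen password that replaces Social Security number and mother's maiden name, an account "flag" that demands stronger proof, a weak-password check, and a login record that can be reviewed months later. The following is an added example, written for this page and not code from the article or from any carrier surveyed, that models those controls as a small verification policy. The account fields, the 180-day review window, the weak-password rules and the `static_identifiers_sufficient` switch (which stands in for the difference between the Sprint Nextel and Qwest answers) are all assumptions for illustration.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed example: a simplified account-verification policy for a carrier's
# call centre. Field names, the 180-day review window and the weak-password
# rules are assumptions for illustration, not any carrier's real procedure.

# The "knowledge-based" identifiers asked about in the survey. A pretexter can
# often obtain all of them, so the policy treats them as weak evidence.
STATIC_IDENTIFIERS = {"ssn", "mothers_maiden_name", "name", "address", "phone"}
MIN_PASSWORD_LEN = 8


@dataclass
class Account:
    phone: str
    first_name: str
    password: Optional[str] = None             # optional passphrase replacing SSN/MMN
    require_strong_verification: bool = False  # the customer-set "flag"
    access_log: list = field(default_factory=list)


def is_weak_password(account: Account, candidate: str) -> bool:
    """Flag passwords that are short or built from data a caller could look up."""
    lowered = candidate.lower()
    if len(candidate) < MIN_PASSWORD_LEN:
        return True
    if account.first_name.lower() in lowered:
        return True
    if account.phone[-4:] in lowered:
        return True
    return False


def set_password(account: Account, candidate: str) -> None:
    """Accept a customer-chosen password only if it passes the weak-password check."""
    if is_weak_password(account, candidate):
        raise ValueError("password rejected as weak")
    account.password = candidate


def verify_caller(account: Account, evidence: dict,
                  static_identifiers_sufficient: bool,
                  now: Optional[datetime] = None) -> tuple:
    """Decide whether a caller may see account details, and log the attempt.

    `evidence` maps each kind of proof offered ("password", "ssn", "bill_details",
    ...) to the value the caller gave. `static_identifiers_sufficient` selects the
    carrier's stance: True accepts SSN/MMN/name/address alone, False does not.
    """
    now = now or datetime.now()
    if account.password is not None:
        # Once a password exists, static identifiers never substitute for it.
        supplied = evidence.get("password", "")
        allowed = hmac.compare_digest(supplied.encode(), account.password.encode())
        reason = "password" if allowed else "password missing or wrong"
    elif account.require_strong_verification:
        # Flagged account without a password: identifiers plus details from the bill.
        allowed = "bill_details" in evidence and STATIC_IDENTIFIERS.issubset(evidence)
        reason = ("flagged account: bill details and identifiers" if allowed
                  else "flagged account: insufficient proof")
    elif static_identifiers_sufficient and STATIC_IDENTIFIERS.issubset(evidence):
        allowed, reason = True, "static identifiers only (weak)"
    else:
        allowed, reason = False, "insufficient proof"
    # Every attempt is recorded, successful or not, so it can be audited later.
    account.access_log.append({"when": now, "allowed": allowed, "reason": reason})
    return allowed, reason


def review_access(account: Account, now: Optional[datetime] = None,
                  days: int = 180) -> list:
    """Return logged attempts in the window that were denied or rested on weak proof.

    This is the record that lets a carrier go back months later and identify
    access that may have been fraudulent.
    """
    now = now or datetime.now()
    cutoff = now - timedelta(days=days)
    return [entry for entry in account.access_log
            if entry["when"] >= cutoff
            and (not entry["allowed"] or entry["reason"].endswith("(weak)"))]


if __name__ == "__main__":
    # Constructed sample account and caller evidence.
    acct = Account(phone="5551234567", first_name="Dawn")
    static = {k: "value" for k in STATIC_IDENTIFIERS}
    print(verify_caller(acct, static, True))    # accepted, but logged as weak
    set_password(acct, "correct horse battery")
    print(verify_caller(acct, static, True))    # denied: password now required
    print(review_access(acct))
```

The point of the two branches at the top of `verify_caller` is ordering: the presence of a password or a flag is checked before any static identifier is looked at, so a caller who recites the SSN and mother's maiden name cannot bypass a control the customer has deliberately added.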
Both Sprint Nextel and Qwest said they encourage customers to add passwords to their account that customer representatives would require in subsequent calls. Verizon and Cingular also said passwords were permitted, while AT&T, BellSouth and Verizon Wireless refused to comment on whether passwords were permitted for greater security.
Not one company said it offered what some privacy advocates have suggested as a solution: keeping no records of individual phone calls. In other words, phone access would be treated as a flat-rate utility, probably in exchange for a higher monthly fee. (Depending on the jurisdiction, limited data retention may be required by law.)
Some telecom providers appear to have bolstered their security earlier this year after pretexting became the subject of congressional hearings and private lawsuits unrelated to HP's current woes. AT&T said last week that in a memo to its call centers it put in place additional verification requirements, though the company would not detail those measures. Cingular said it no longer permitted its representatives to divulge records of phone calls over the phone to customers.
The HP investigators who placed pretext calls used remarkable ingenuity in extracting information from the telecommunications companies--this technique of getting people to divulge confidential information is broadly known as "social engineering."
Dawn Kawamoto, one of three News.com reporters who have learned in recent weeks that they were pretexted, has been told by government investigators that HP obtained her mobile calling records from Cingular and her landline records from AT&T.
Because Kawamoto had placed a password on her Cingular account, HP had to resort to a ruse that some would call ingenious, according to a government investigator.
A woman pretending to be a Cingular sales representative, Kawamoto said, called Cingular and falsely claimed that, "I came into the Cingular store and had lost my phone. 'I' showed her my photo ID and gave her my SSN and said that 'I' needed to have my password deleted. As soon as (Cingular) deleted it, they went onto the Cingular.com Web site and set a new password."
In addition to Friday's hearing, the House subcommittee has asked HP's outside investigators--Joe Depante, owner of Action Research Group in Melbourne, Fla., and Ron DeLia, operator of Security Outsourcing Solutions in Boston--to appear on Thursday. DeLia was sent a subpoena on Monday.
Survey responses
AT&T: Would not answer survey; offered the following response instead.
AT&T is committed to customer privacy--including the security of our records that contain customer information such as calling records. We are pursuing pretexters in civil courts and through cooperation with law enforcement officials on potential criminal charges.
We are continuing to review our internal practices and are always looking at ways to improve the security of these records, even as wrongdoers are always looking for ways to get around our safeguards. We operate in an evolving environment and we face a need to strike the appropriate balance between sufficient security measures and the desire of our customers for fast and ready access to information about the products and services they purchase.
As part of this process, we have recently implemented additional practices designed to strike that balance. For example, we have increased security requirements for obtaining call details and we now require that the customer provide very detailed information from their bill before we will provide any calling information to the customer over the phone.
Additional processes and practices are under review or in the implementation process. For obvious reasons, however, we believe it inappropriate to publicly identify those procedures--that would simply play into the hands of those who seek to get around them.
BellSouth: Would not answer survey; offered the following response instead.
In response to your questions, I can only provide you with the statement below. Thanks for your interest, and best of luck.
BellSouth has always maintained a strong policy that ensures that our customer service representatives are speaking to legitimate customers. In light of recent security issues in the industry and beyond, BellSouth has reinforced this policy with our customer service departments. Due to issues of customer privacy, we are not at liberty to disclose further information regarding our customer security processes.
Congress needs to make pretexting a felony, and not exempt government agencies or their sock-puppet contractors. Further, the penalty has to make the practice not worthwhile. Perhaps, if convicted, one should have to register with the local authorities as a privacy predator, a security-oriented offender or some such.
With regards to the frontline reps being the cheapest available, you may be right to a point. Just remember "you get what you pay for". Everybody wants cheaper rates and expects premium service; it doesn't work that way.
The successes are merely due to the money hungry, overly competitive service providers bending common sense, and in some cases their own rules and the laws, to please everyone/anyone.
The businesses that are customers of the comm services, paying for employee accounts, expect to be able to do whatever they want, whenever they want. Of course personal and private rights are heedlessly trampled to appease any request; whether they appear to be putting safeguards or security procedures in place or making that big generalized statement about all that they do (lol), they do nothing serious or carefully. This is knowing where the almighty buck comes from and nothing more. Ingenious social engineering is creating the expectations that you have no rights or alternatives. Who are you to be asking about their policies, processes and standards?
While for the sake of the common good and security there should be unfettered access to, say, an employee's desk drawers, in so much as in the case of a dangerous substance or article, known or unbeknownst to the desk's resident, so that we may all be protected. Rifling through a desk drawer to ascertain if an employee has money problems for the sake of an "investigation" into some fraud is definitely not!
Our businesses are unable to make reasonable quality distinctions, and what should be obvious is that they absolutely need to be controlled, regulated and monitored. They have shown remarkable vindictive, malicious and dictatorial proclivities in the past, the present and, even if regulations are imposed some years hence [after years of debate and readings in the House, etc etc etc,] the future.
No, there is nothing so "ingenious" in all this at all, and any good investigator will tell you as much. Ingenious is how, year after year, nothing is really done to get a handle on business practices, while the rest of the world laughs at the antics of politicians and businesses alike. We think we are the international trade and commerce powerhouses but are more likened to school yard bullies globally.
There are far more realistic Social Engineering techniques - one of them is deluding employees into imagining that businesses have their best interests at heart.
The only reason there is security and the pretense to privacy is that it is just another marketing ploy, a bullet on their brochure.
All businesses, whether it be the vast, nefariously gleaned informational 'tanks' in level 3c at HP, their chattel's personal information, or the private customer accounts at a comm service, manage their informational holdings in a set of self-serving "policies", skipping the philosophies in a 'duty of care'.
Best be aware what ingenious is.
Walt