Security breaches are wake-up calls to phone companies

Earlier this week, Hewlett-Packard acknowledged that it launched an investigation into a boardroom leak that resulted in the hiring of a private investigator to gather information on telephone calls made and received by board members and nine journalists, including News.com's Tom Krazit, Dawn Kawamoto and Stephen Shankland.

The news has once again highlighted a growing problem plaguing the telecommunications industry called "pretexting," a scam where unauthorized individuals pretend to be someone they're not to obtain personal information. Private investigators and con artists have been using this technique for years not just to obtain phone records, but also to get access to bank records, credit card information and other sensitive information.

The telecommunications industry came under fire nine months ago when news reports pointed to Web sites where customer records could be openly purchased. The news prompted several phone companies, including Cingular Wireless, Sprint, T-Mobile and Verizon Wireless, to sue brokers selling customers' phone records. And lawmakers in Congress have also drafted legislation criminalizing the act of pretending to be someone else to get telephone records.

Other industries are also vulnerable to pretexting scams, but experts say the telecommunications industry lags behind them in protecting customer information.

"There's no doubt that the telecommunications industry has been extremely lax in authenticating customers," said Robert Douglas, an information security consultant and former private investigator with a company called PrivacyToday.com. "There's an institutional perception of 'What's the big deal. It's just phone records.' And that has to change."

While all the phone companies claim that customer privacy is very important to them, statements from at least one carrier embroiled in the recent scandal suggest that the release of phone records ranks below that of other personal information.

AT&T, which provided the phone records of at least one HP board member and one reporter in this week's evolving flap, filed a lawsuit last month in San Antonio to find out the identities of unnamed defendants who had supposedly accessed some 2,500 customer records without permission from those customers. The company filed a similar lawsuit Wednesday in San Francisco. Despite its pending legal action, the company has tried to downplay the issue.

"We've identified 2,500 customers who could have been victimized," said Walt Sharp, a spokesman for AT&T. "That's a tiny fraction of our 48 million landline customers. What we're dealing with here is not access to financial information. This is not credit card or driver license number records. It's nothing of that nature."

Carriers are wary about discussing specifics of how they secure customer data. Sharp, for example would not elaborate on how AT&T authenticates access to customer records. But e-mails sent to subjects of the pretexting scam suggest that all that is needed is an e-mail address and the last four digits of a Social Security number.

A spokeswoman for Sprint Nextel said the company suggests customers create a password, but it also allows users to access accounts online using only their phone number and the last four digits of their Social Security number.

Douglas, an expert who advises companies on how to protect themselves from pretexting scams, said these were among the easiest authentication methods to crack.

"Honestly, using a Social Security number is pretexting 101," he said. "It's one of the most rudimentary methods of authentication."

He suggests companies use at least a two-tiered approach for authenticating customers that does not include passwords using biographical data, such as home addresses, Social Security numbers, birth dates and mothers' maiden names. Instead, companies can use more obscure personal data that is not found as easily through a Google search.

Verizon Communications uses multiple methods for authenticating customers before it will release records or account information, company spokesman Mark Marchand said. Not only does the company encourage customers to create passwords to access their accounts online, it also uses information that is printed on a customer's bill to authenticate users. And if the customer bill is not available, it requires people trying to access records to answer questions specific to that particular account.

"We are continually changing our methods," Marchand said. "We have folks dedicated to security who stay on top of new methods for securing our customers' data."

But pretexters aren't always pretending to be customers themselves. Often they impersonate phone company employees or law enforcement officials, claiming that they have authorized access for the information they're trying to obtain.

Often the weakest links in the security chain are employees in call centers who have access to the information, because scammers can prey upon these workers' best intentions to help customers. In one of the lawsuits, filed by Verizon Wireless, the company said the scammer posed as someone calling on behalf of a customer who was voice-impaired.

Since the media storm first erupted over this issue in January, several phone companies say they have improved training for call center operators. Sprint, which recently settled its case against a pretexting broker, said part of its $1 million settlement with LocateCell.com is that the company is required to share some of its pretexting techniques with Sprint.

But despite these efforts there are still big security holes, Douglas said.

"Even with all the retraining, the best way to defeat the phone companies is to go through the Spanish-language operators, who are bilingual," he said. "At this point, the training of these operators is not the same level as some of the other call centers."

In addition to lapses in training, phone companies don't seem to be employing even basic methods for ensuring customers are who they say they are. For example, phone companies could simply call back phone numbers of customers who claim to be accessing information, or they could immediately notify customers with automated e-mails or text messages when their accounts have been accessed.

Some experts believe that the recent pretexting scandals and scandals involving federal government officials accessing phone records have made consumers more aware of these security problems. Ultimately, this could lead to people putting more pressure on their service providers to better secure their data.

Still, Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C., admits that the phone companies are in a difficult situation.

"Phone companies are between a rock and a hard place," he said. "They want to make it easy for you to get your phone records, but they don't want to make it too easy, so that criminals can get the information as well."