Telecoms feel the pretexting heat

As Congress calls telecom CEOs on the carpet, CNET takes a look at how well the phone companies protect your privacy.

It's not only Hewlett-Packard's employees, directors and consultants who are likely to face a barrage of unpleasant questions from politicians this week.

A U.S. House of Representatives panel said Monday that it in its probe of the legally questionable practice of "pretexting," which involves tricking a business into disclosing information by posing as someone else.

The move--coupled with recent revelations that HP employed private investigators to obtain the phone records of journalists and board members--puts more pressure on mobile and landline phone companies to demonstrate that they have sufficiently stringent security mechanisms in place.

HP was able to penetrate many companies' private databases with apparent ease: AT&T, Cingular, T-Mobile and Sprint Nextel all leaked information about their customers, government investigators or the companies themselves have confirmed.

A CNET e-mail survey of nine major mobile and landline providers showed that only two, Qwest and Sprint Nextel, would answer a list of questions in order to let customers evaluate the effectiveness of the security measures they had in place. Another four companies said they take customer privacy seriously and have reasonable mechanisms in place. T-Mobile, Boost Mobile and TDS Metrocom did not reply at all.

Sprint Nextel said its customer service representatives would not divulge information to a caller who had provided a Social Security number, the maiden name of the customer's mother, the customer's name and the customer's address and phone number. Qwest, on the other hand, said such information would be sufficient to access a customer account.

How safe is your phone bill?

Hewlett-Packard's investigation of boardroom leaks revealed how easy it is for your phone records to be obtained through "pretexting." We surveyed major telecommunications firms to find what consumer safeguards they have in place; following is an excerpt from our questions:

• Is a Social Security number, mother's maiden name, customer's name and customer's address and phone number sufficient for account verification over the phone?

• Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?

• Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?

• Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?

•  How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)

• Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?

• Do you permit customers to "flag" their accounts to require a higher degree of identity verification?

• Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?

Both Sprint Nextel and Qwest said they encourage customers to add passwords to their account that customer representatives would require in subsequent calls. Verizon and Cingular also said passwords were permitted, while AT&T, BellSouth and Verizon Wireless refused to comment on whether passwords were permitted for greater security.

Not one company said it offered what some privacy advocates have suggested (click for PDF) as a solution: keeping no records of individual phone calls. In other words, phone access would be treated as a flat-rate utility, probably in exchange for a higher monthly fee. (Depending on the jurisdiction, limited data retention may be required by law.)

Some telecom providers appear to have bolstered their security earlier this year after pretexting became the subject of congressional hearings and private lawsuits unrelated to HP's current woes. AT&T said last week that in a memo to its call centers it put in place additional verification requirements, though the company would not detail those measures. Cingular said it no longer permitted its representatives to divulge records of phone calls over the phone to customers.

The HP investigators who placed pretext calls used remarkable ingenuity in extracting information from the telecommunications companies--this technique of getting people to divulge confidential information is broadly known as "social engineering."

Dawn Kawamoto, one of three reporters who have learned in recent weeks that they were pretexted, has been told by government investigators that HP obtained her mobile calling records from Cingular and her landline records from AT&T.

Because Kawamoto had placed a password on her Cingular account, HP had to resort to a ruse that some would call ingenious, according to a government investigator.

A woman pretending to be a Cingular sales representative, Kawamoto said, called Cingular and falsely claimed that, "I came into the Cingular store and had lost my phone. 'I' showed her my photo ID and gave her my SSN and said that 'I' needed to have my password deleted. As soon as (Cingular) deleted it, they went onto the Web site and set a new password."

In addition to Friday's hearing, the House subcommittee has asked HP's outside investigators--Joe Depante, owner of Action Research Group in Melbourne, Fla., and Ron DeLia, operator of Security Outsourcing Solutions in Boston--to appear on Thursday. DeLia was sent a subpoena on Monday.

Survey responses
AT&T:Would not answer survey; offered the following response instead.

AT&T is committed to customer privacy--including the security of our records that contain customer information such as calling records. We are pursuing pretexters in civil courts and through cooperation with law enforcement officials on potential criminal charges.

We are continuing to review our internal practices and are always looking at ways to improve the security of these records, even as wrongdoers are always looking for ways to get around our safeguards. We operate in an evolving environment and we face a need to strike the appropriate balance between sufficient security measures and the desire of our customers for fast and ready access to information about the products and services they purchase.

As part of this process, we have recently implemented additional practices designed to strike that balance. For example, we have increased security requirements for obtaining call details and we now require that the customer provide very detailed information from their bill before we will provide any calling information to the customer over the phone.

Additional processes and practices are under review or in the implementation process. For obvious reasons, however, we believe it inappropriate to publicly identify those procedures--that would simply play into the hands of those who seek to get around them.

BellSouth:Would not answer survey; offered the following response instead.

In response to your questions, I can only provide you with the statement below. Thanks for your interest, and best of luck.

BellSouth has always maintained a strong policy that ensures that our customer service representatives are speaking to legitimate customers. In light of recent security issues in the industry and beyond, BellSouth has reinforced this policy with our customer service departments. Due to issues of customer privacy, we are not at liberty to disclose further information regarding our customer security processes.

Featured Video