Telecoms feel the pretexting heat

A U.S. House of Representatives panel said Monday that it has asked the chief executives of six major telecommunications companies to testify in its probe of the legally questionable practice of "pretexting," which involves tricking a business into disclosing information by posing as someone else.

The move--coupled with recent revelations that HP employed private investigators to obtain the phone records of journalists and board members--puts more pressure on mobile and landline phone companies to demonstrate that they have sufficiently stringent security mechanisms in place.

HP was able to penetrate many companies' private databases with apparent ease: AT&T, Cingular, T-Mobile and Sprint Nextel all leaked information about their customers, government investigators or the companies themselves have confirmed.

A CNET News.com e-mail survey of nine major mobile and landline providers showed that only two, Qwest and Sprint Nextel, would answer a list of questions in order to let customers evaluate the effectiveness of the security measures they had in place. Another four companies said they take customer privacy seriously and have reasonable mechanisms in place. T-Mobile, Boost Mobile and TDS Metrocom did not reply at all.

Sprint Nextel said its customer service representatives would not divulge information to a caller who had provided a Social Security number, the maiden name of the customer's mother, the customer's name and the customer's address and phone number. Qwest, on the other hand, said such information would be sufficient to access a customer account.

Both Sprint Nextel and Qwest said they encourage customers to add passwords to their account that customer representatives would require in subsequent calls. Verizon and Cingular also said passwords were permitted, while AT&T, BellSouth and Verizon Wireless refused to comment on whether passwords were permitted for greater security.

Not one company said it offered what some privacy advocates have suggested (click for PDF) as a solution: keeping no records of individual phone calls. In other words, phone access would be treated as a flat-rate utility, probably in exchange for a higher monthly fee. (Depending on the jurisdiction, limited data retention may be required by law.)

Some telecom providers appear to have bolstered their security earlier this year after pretexting became the subject of congressional hearings and private lawsuits unrelated to HP's current woes. AT&T said last week that in a memo to its call centers it put in place additional verification requirements, though the company would not detail those measures. Cingular said it no longer permitted its representatives to divulge records of phone calls over the phone to customers.

The HP investigators who placed pretext calls used remarkable ingenuity in extracting information from the telecommunications companies--this technique of getting people to divulge confidential information is broadly known as "social engineering."

Dawn Kawamoto, one of three News.com reporters who have learned in recent weeks that they were pretexted, has been told by government investigators that HP obtained her mobile calling records from Cingular and her landline records from AT&T.

Because Kawamoto had placed a password on her Cingular account, HP had to resort to a ruse that some would call ingenious, according to a government investigator.

A woman pretending to be a Cingular sales representative, Kawamoto said, called Cingular and falsely claimed that, "I came into the Cingular store and had lost my phone. 'I' showed her my photo ID and gave her my SSN and said that 'I' needed to have my password deleted. As soon as (Cingular) deleted it, they went onto the Cingular.com Web site and set a new password."

In addition to Friday's hearing, the House subcommittee has asked HP's outside investigators--Joe Depante, owner of Action Research Group in Melbourne, Fla., and Ron DeLia, operator of Security Outsourcing Solutions in Boston--to appear on Thursday. DeLia was sent a subpoena on Monday.

Survey responses
AT&T: Would not answer survey; offered the following response instead.

AT&T is committed to customer privacy--including the security of our records that contain customer information such as calling records. We are pursuing pretexters in civil courts and through cooperation with law enforcement officials on potential criminal charges.

We are continuing to review our internal practices and are always looking at ways to improve the security of these records, even as wrongdoers are always looking for ways to get around our safeguards. We operate in an evolving environment and we face a need to strike the appropriate balance between sufficient security measures and the desire of our customers for fast and ready access to information about the products and services they purchase.

As part of this process, we have recently implemented additional practices designed to strike that balance. For example, we have increased security requirements for obtaining call details and we now require that the customer provide very detailed information from their bill before we will provide any calling information to the customer over the phone.

Additional processes and practices are under review or in the implementation process. For obvious reasons, however, we believe it inappropriate to publicly identify those procedures--that would simply play into the hands of those who seek to get around them.

BellSouth: Would not answer survey; offered the following response instead.

In response to your questions, I can only provide you with the statement below. Thanks for your interest, and best of luck.

BellSouth has always maintained a strong policy that ensures that our customer service representatives are speaking to legitimate customers. In light of recent security issues in the industry and beyond, BellSouth has reinforced this policy with our customer service departments. Due to issues of customer privacy, we are not at liberty to disclose further information regarding our customer security processes.

Cingular: Would not answer survey; offered the following response instead.

Thanks for giving us a chance to provide input to your story. Protecting customer information against data brokers (or, as we often call them, "data burglars") is of the utmost importance to Cingular.

We have a variety of safeguards in place--both technical and human--and we continue to evaluate and enhance these measures. We don't want to publicize our procedures, however, since this information can prove helpful to bad actors. That is why we would prefer not to discuss the specifics you requested in your questions.

We can give you a few general examples, though. For instance, our customer service representatives are not allowed to provide call detail records over the phone, by fax or by e-mail--even once the caller is verified as the account holder. We adopted this policy in light of the data broker issue. And we do allow customers to add passcodes to their accounts.

Another way in which we're fighting data brokers is through the courts. We've filed six lawsuits and already obtained injunctions in most of these cases. The litigation is ongoing.

We are also working closely with policymakers as they examine the data broker issue. Along those lines, a Cingular representative will appear at a congressional hearing this Friday to discuss this topic.

In short, our goal is to make customer accounts as secure as possible against data burglars, while at the same time enabling legitimate customers to get information about their own service. This is an ongoing process and of the highest priority to Cingular.

Qwest: Answered survey

Q: Is a Social Security number, mother's maiden name, customer's name and customer's address and phone number sufficient for account verification over the phone?

A: Yes, we believe the methods that we employ to protect account information are effective--including the use of customer-generated password protection. However, the moving threat of identity fraud against providers and customers forces us to evaluate and periodically adjust the security controls and procedures for the purpose of protecting customers' information.

Customers can add a password to their account, and Qwest supports customers establishing a password on their account if they choose to do so. All online accounts are password-protected.

Q: If not, what alternate types of personal information do you require?

A: Customers can add a password to their account, and Qwest recommends customers establishing a password on their account if they choose to do so. All online accounts are password-protected.

Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?

A: Yes.

Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?

A: We maintain compliance controls, monitoring programs and ongoing training as elements in our overall data protection program.

Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?

A: Only account holders or those pre-authorized by the account holder are permitted to access account information. Those pre-authorized are required to present the same information as the account holder.

Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?

A: We do keep Web-based account access login records, though we do not disclose the retention window. We periodically review our retention policies and adjust as necessary.

Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)

Q: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy.

Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?

A: The requirements of our business, including billing and fraud detection, require us to maintain, as business records, certain transactional data. Because this data is necessary to our ongoing operations, we take very seriously and devote significant resources to ensuring that third parties do not have the potential to violate Qwest's or its customers' privacy. Editor's note: Qwest responded to two questions with the same answer.

Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?

A: Yes.

Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?

A: Upon account establishment, we require the user to follow specific password creation rules. Passwords can be changed by customers at any time.

Q: Are there any other security measures you'd like to mention?

A: We share customers' concern regarding security issues like pretexting--an invasion of privacy that leaves, at minimum, two victims --the customer and the telecommunications provider. As a result, we devote significant resources to monitoring, evaluating and adjusting our security measures to meet an evolving threat.

Sprint Nextel: Answered survey

Q: Is a Social Security number, mother's maiden name, customer's name, and customer's address and phone number sufficient for account verification over the phone?

A: No.

Q: If not, what alternate types of personal information do you require?

A: We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.

Q: Do you permit customers to create passwords to replace the use of Social Security numbers and mother's maiden name for verification?

Q: Yes. We strongly recommend that customers create passwords to replace the use of their Social Security number for verification.

Q: Have you fired any customer service representatives in the last year for not following proper verification procedures?

A: If we were to discover that an agent engaged in conduct that violates our corporate code of conduct or any of our internal policies including those that apply to our customer service practices and protecting customer privacy, we would absolutely take appropriate remedial action.

Q: Under what circumstances do you allow someone claiming to be a spouse or family member or employer of the account holder to access account information?

A: Sprint Nextel has processes in place to safeguard against illegitimate requests. The amount of access depends upon the information being requested--it is not possible for anyone other than the account holder or a legal guardian to change an address or activate or cancel an account, for example. And, as a matter of policy, call detail record information is not provided over the phone to account holders or others; instead, an account holder could request that call detail be sent to his or her address on the account.

Q: Do you keep records of logins on your Web site so that you can go back six months later and identify potentially fraudulent access?

A: As a matter of policy we do not do this today.

Q: How long do you keep records of individual calls made by customers? (That is, after they're no longer needed for billing or dispute purposes.)

A: Sprint Nextel fully complies with the law and keeps records according to state and federal law.

Q: Do you offer customers the option to not keep records of individual calls, even if that means they'll no longer be able to dispute individual charges?

A: We offer customers the option not to have access to individual calls on their printed bills.

Q: Do you permit customers to "flag" their accounts to require a higher degree of identity verification?

A: Yes.

Q: Do you have a system in place to flag "weak" passwords (like the customer's first name) and prohibit them from being used on your Web site?

A: We advise our customers to choose passwords that are not easily guessed and to change passwords often.

Q: Are there any other security measures you'd like to mention?

A: Sprint Nextel is continually making improvements to our processes for authenticating customers before providing information. The improvements are in our technology and authentication processes and in the processes we follow with our care reps.

Through our Office of Privacy we are uncovering data brokers' methods and have settled two of three lawsuits against companies that provide call detail records; we also have sent scores of cease-and-desist letters to data brokers. We are continuing this campaign against data brokers. Sprint Nextel is committed to protecting privacy of our customers.

Sprint Nextel fully complies with all applicable privacy laws and regulations. Our corporate security, legal and customer care teams regularly evaluate existing safeguards to protect confidential customer information.

Verizon: Would not answer survey; offered the following response instead.

For customer service interactions with a Verizon representative over the telephone, we require our representative to check to see if the customer has established a password on the account--before disclosing call detail or other customer proprietary network information.

If there is no password established on the account, before we disclose call detail or other (identifying information), we require the rep to ask the customer to supply certain information that appears on the bill and that no one else would likely know if they didn't have the bill--specifically the customer account number or customer code. This is a multi-digit alpha-numeric number.

Our service rep may also ask the customer for additional information to assure that he or she's talking to the real customer.

Prior to creating online access to their account, a customer must first have their phone bill in front of them because they will be asked to supply the customer code or account number from the bill. Obviously, these accounts are protected by passwords set up by the customer.

Verizon Wireless: Would not answer survey; offered the following response instead.

Verizon Wireless takes the issue of customer privacy seriously, and we will continue to do all we can to protect our customer's information. However, it's tough to provide answers to your questions--as we said last week, we don't want to provide a "road map" or make it easier in any way for the bad guys to do what they do. We do constantly review our systems and processes, and our customers can be assured that we are always looking at ways to make information more secure and to stay one step ahead of those aforementioned bad guys.

As you probably know, Verizon Wireless filed what's believed to be the first lawsuit against so-called pretexters (against Source Resources of Tennessee in July of 2005), and we've continued both to file lawsuits, and to work with and provide information to state governments as they investigate these companies.