overview
This page considers pretexting: illicitly obtaining personal/confidential
information by claiming authority to access that information,
typically by masquerading as a customer who is entitled
to view his/her account details.
It covers -
It
supplements discussion elsewhere on this site regarding
identity theft, privacy, data losses and information security.
introduction
Pretexting is not new. Over at least the past century
people have been using 'social engineering' to improperly
obtain information from data custodians such as banks,
insurance companies, real estate agencies, medical practitioners,
education institutions and government agencies.
Sometimes that information has been sought as building
blocks for identity theft.
It has also been sought by stalkers,
terrorists and journalists, whether to harass an individual,
breach commercial security or fuel a scandal in the popular
press.
Pretexting is one form of social engineering. It is distinguishable
from phishing (eliciting a consumer's password and other
details through email and websites that purport to be those
of the consumer's financial institution): phishing deceives
the customer, whereas pretexting deceives the data custodian.
It involves a private investigator, law enforcement officer
or data broker obtaining customer information from a data
custodian - such as a telephone company or airline - by
masquerading as the particular customer.
It is not necessarily aimed at looting the customer's
account or creating a new account (or financial obligations)
in the guise of that customer. It may instead be used
to identify -
- the source of leaks to a journalist
- whistleblowing to a regulator
- whether a competitor is engaged in particular negotiations
- whether a spouse is being unfaithful
- the location of a debtor.
Most people would agree that assuming another's identity/authority
to improperly access information is unethical. However,
in some jurisdictions it is not a criminal offence and
civil penalties for those obtaining the information, trafficking
in it (notably operating as 'data brokers') and purchasing
it may be weak.
Just as importantly, government agencies may not give
a high priority to enforcing that legislation, and it
may be difficult for individuals to gain redress, given
uneven perceptions of privacy rights and the challenge
of proving economic damage in regimes where privacy has
little recognition as a tort.
caller records
In the US attention has centred on pretexting as a mechanism
for access to caller records, ie to identify an individual's
telephone calls. That identification concerns numbers
rather than what was said (or transmitted) during a call.
In 2006 for example it was revealed that private investigators
working for Hewlett-Packard used pretexting to obtain
call records of that company's board members and journalists
as part of an effort to stop leaks. The investigators
contacted the telephone companies used by the HP directors
and journalists, using information about those individuals
(including credit card numbers, addresses, birth dates
and social security numbers) to support the pretence that
they were the customer and could thus legitimately query
a particular call or receive a full report.
EPIC had earlier noted
that pretexting was widespread, providing the US Senate
with a list of 40 websites that offered to sell phone
records to anyone online. One car repossession specialist
explained that obtaining mobile phone records is "easy" -

All you need is the last four digits of a Social Security
number and a correct ZIP code. You go to the wireless
company's Web site, you sign up like you are that person,
you can view the bill.
other data
Pretexting is not restricted to identification of calls.
The US Federal Trade Commission for example notes
that
Pretexters use a variety of tactics to get your personal
information. For example, a pretexter may call, claim
he's from a survey firm, and ask you a few questions.
When the pretexter has the information he wants, he
uses it to call your financial institution. He pretends
to be you or someone with authorized access to your
account. He might claim that he's forgotten his checkbook
and needs information about his account. In this way,
the pretexter may be able to obtain personal information
about you such as your SSN, bank and credit card account
numbers, information in your credit report, and the
existence and size of your savings and investment portfolios.
EPIC
similarly indicated that
many other types of private records are being bought
and sold in the public market. Alongside many advertisements
for cell phone records, wireline records and the records
associated with calling cards are advertised. As individuals
shift to VOIP telephones, it is safe to assume that
those records will be offered for sale as well ...
the problem of record sales is not limited to the many
methods of voice communication that we can use. Sites
commonly advertise the ability to obtain the home addresses
of those using P.O. Boxes. Some websites, such as Abika.com,
advertise their ability to obtain the real identities
of people who participate in online dating websites.
A page on Abika.com advertises the company's ability
to perform "Reverse Search AOL ScreenName"
services, a search that finds the "Name of person
associated with the AOL ScreenName" and the "option
for address and phone number associated with the AOL
ScreenName." The same page offers name, address,
and phone number information for individuals on Match.com,
Kiss.com, Lavalife, and Friendfinder.com. These are
all dating websites that offer individuals the opportunity
to meet others without immediately revealing who they
are.
The availability of these services presents serious
risks to victims of domestic violence and stalking.
There is no reason why one should be able to obtain
these records through pretexting, or outside of existing
legal process.
Price
lists include provision of a class schedule for US$80,
an address for US$60 and job data for US$100.
In the US pretexting sometimes forms the basis
of skiptracing, ie locating someone who doesn't want to
be found. It can involve contacting family, friends and
associates and using a 'busy-back number' routine. Investigators
for example contact the relative, advise that the person
has won a lottery or some other benefit and request that
the person ring a toll-free number to claim the goodies.
That provides an opportunity to identify the caller's
number: toll-free lines receive the originating number
through ANI (automatic number identification), which is
not suppressed by the caller's caller-ID blocking.
With access to a number through pretexting, or through
information supplied to a financial institution or other
entity (and shared with a third party such as a credit
reference service), an investigator may use a reverse directory
of published numbers or a directory of unpublished numbers
- obtained illicitly or otherwise - to link the number to addresses
and/or people. Caller-ID spoofing - in which a call appears
to come from the phone of a friend, relative or employer,
or of the customer whose account is being queried
- is also used by some investigators.
the pretexting industry
There has been no comprehensive study of the 'pretexting
industry', ie data brokerages based on information that
is obtained through pretexting.
In the US it is clear that operators of such brokerages
obtain substantial revenue. The industry is accordingly
expanding, with a proliferation of sites that offer individuals
and businesses - including major corporations rather than
merely self-employed flatfeet - a range of consumer information.
Private investigators have ostentatiously disclaimed collection
of information through pretexting or use of such information,
with one trade group spokesperson stating that pretexting
"is at a minimum unethical and at a maximum unlawful.
It is a real smear on our profession". As with the
credit reference industry,
which on occasion uses pretexted data and supplies data
that is used by pretexters, such disavowals are somewhat
disingenuous.
During June 2006 US Congressional hearings testimony demonstrated
that customers of data brokers included "automobile
finance companies and repossession companies and major
banks and major corporations" in addition to tabloids,
private investigators and lawyers. PDJ Investigative Services
described its customers as "law offices, repossession
companies, financial institutions, collection agencies,
bail enforcement agencies, law enforcement agencies and
various private investigation and research companies".
Data broker James Rapp reported that he used pretexting
to gather addresses linked to a specific phone number
from the telephone company, Social Security numbers from
credit reporting agencies, and address and phone number
details from a utility company.
His clients "requested anything and everything"
... and apparently received much of what they requested.

If you're an employee on disability and you're not supposed
to be working, I would" persuade the person to
reveal their workplace. "I'd tell them there's
a gas leak, and I need to reach them during the day.
Whatever it takes".
The lawyer for one broker boldly explained that pretexting
isn't "a lie" or fraud -

it's a pretext call and it's very commonly done in the PI
industry. That's how they do almost everything that
they do. It's been going on for a long time.
regulation
Regulation of pretexting is complicated by -

- demand from corporate buyers of pretexted information (and
from individuals who have engaged in pretexting for
identity theft)
- disagreement about the legality of particular activity (in the US
for example there have been misconceptions that pretexting
is illegal only if it involves financial information)
- difficulties in identifying abuses
- low penalties under statute and common law when abuses are
identified (often greatly outweighed by the cost of
legal action)
- low priority given by regulators to enforcement action.