PIs Selling Phone Records Sued By The FTC
carl writes "According to an MSNBC article, the FTC has sued five different background investigation firms for selling confidential phone records." From the article: "In the lawsuits announced Wednesday, the FTC charged the companies used 'false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier' to get the phone records. The companies advertised on their Web sites that they could get the confidential phone records of any individual and make them available for a fee, the agency said."
I suppose I could RTFA, but what does 'Pls' stand for?
NSA lost a good business opportunity ;)
Don't steal. Your Government's surveillance programme hates competition.
(Emphasis mine)
So when is the FTC going to charge carriers with improperly handling private information? I hope they don't forget to nail the carriers to the wall for handing out this information in the first place. If they wouldn't just give the information away to every Tom, Dick, and Harry that called without verifying they are who they say they are, there wouldn't be as much of a problem would there? Some simple ways to avoid giving the information to the wrong person might include calling them back on their cellphone or sending the information to the address that gets the bills. Selling this information is wrong, but the carriers are just as culpable for giving it out without proper verification.
I Am My Own Worst Enemy
the FTC has sued five different background investigation firms for selling confidential phone records.
Good, the competition is eliminated...
Call the SBC's DSL department and claim to be a friend "helping" someone install their DSL modem... but insist that you don't know the address or anything else. Be as dumb as possible on the phone. Get a little drunk if you can't be convincing.
Often, the customer service reps will read back the entire address, and sometimes, even the last four digits of the SSN. I found this out when I was legitimately calling them because of a line problem.
I never had any problems adding service, removing service, or getting personal account information... all without identifying myself whatsoever. Need an address for a telephone number, call SBC and tell them you want DSL. The phone reps will "verify" your address by reading it back. Awesome, huh?
Isn't posing as a customer a criminal act? Why haven't they simply arrested these people?
The phrase "more better" is acceptable English. suck it grammar Nazis
Evil Walrus >83=
Managing records on information of customers is a slow and steady collection.
What was it with that CENSUS BUREAUGH, to only count the population density, yet now there is a one of ten "lottery" that a chosen "unit" will be given a 100-page pamphlet asking information beyond income? Perhaps, when was the Year that CENSUS BUREAUGH began asking about income?
Consider ZABBASEARCH.COM, a somewhat free service that simply reports on queries for background search -- that's right, they don't disclose information other than NAME and AGE and TOWN/CITY and STATE, and only updates its record when SOMEONE is background-checked. Their service offers disclosure of BIRTHDAY and SOCIAL SECURITY NUMBER and DRIVER LICENSE and PHONE NUMBER and ADDRESS, but that is the "subscription" model.
Take Albertsons Inc application for members... they deliberately tease the applicant on their form... I have the form available, and it asks just for a Trust-fund (middle-initialed) name for a person to attach to an address, and then the address and phone number, and nothing else. This gets an applicant a card with a BAR CODE on it, not even a picture or a name on the card -- only a BAR code. The form advertises to the applicant "Share some information about your self...so we can SERVE you", and "We honor your privacy, except when compelled by law". That membership system isn't a matter of exposing the name and address of the person becoming a member to Albertsons Inc, but it's a matter of recognizing that all the store prices are inflated and it is only competitive to give members a price deduction in return for letting Agents and trusted associates (read Police/FBI/CIA) of Albertsons Inc to know the shopping list in return for lowering the price back to an affordable level (known as the "REWARDS PROGRAM" in Albertsons-speak).
Collecting customer information is no different than the schemes in the Insurance business... Whatever they want to manipulate, they'll plan next-year of insurance to raise, and then offer the Insurance at the prior level only if a certain behaviour or regulation from that moment onward is agreed unto. And I don't mean people wearing seatbelts, using mudflaps on the rear wheels, or removing all the miniature mirrors a driver is alleged to be distracted to their facial improvements. Perhaps an example of the largest Insurance encroachment is to compel the people to use a Driver License, in return for affordable or possible insurance. Let me explain... The first federal-area of the country to have licensure for a DRIVER is the State of California (not to be confused with California/state or the California Republic). That State of California legislature is the first to legislate DRIVER LICENSE for their corporate soles and fellow artificial persons. Looking at that first Act that inspired through the States, was the fact that "Driving" is defined as "using a Motor Vehicle to move property or passengers, for Hire." In that same Act, a "Motor Vehicle" is defined as any vessel dedicated to "Commercial Use". There you have it. The truth at last -- there implies the reservation of private and non-commercial/not-for-hire freedom of movement upon the common ways and postal roads and postal routes (yes, if you accept a speeding ticket/derived from DRIVER LICENSURE, then you are acting in capacity as a postman for yourself -- don't accept mail not AddREsEd tO YOU).
The truth never sees the light of Day...it is its own light, and if it isn't burning hot enough then it will be snuffed out by those that hate it.
with love,
Gregory-Thomas
without prejudice
Heh, social engineering is a technique that essentially all humans are vulnerable to. Also, phone companies are actually one of the top targets of social engineering. That combination makes for a pretty high likelihood of people's phone-line-related data to be effectively public domain...
There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind. I know people who do this sort of stuff (I don't mean theft though heh) for fun on a fairly regular basis and they can all screw with pretty much any person. It's really amazing how easily you can manipulate someone of any personality type, actually. heh.
The only people who I've found to be highly resistant to any sort of social engineering are the type of people who know how to do it as well. It requires a certain mindset to be able to catch on to when a person might be trying to manipulate you. Unfortunately that sort of mindset usually involves always having a certain amount of suspicion towards people's statements all the time...
Some reading material:
http://www.securityfocus.com/infocus/1527
http://www.morehouse.org/hin/blckcrwl/hack/soceng
http://www.kuro5hin.org/story/2004/6/3/223758/226
http://rf-web.tamu.edu/security/secguide/V1comput
etc. etc..
Don't you see the handwriting on the walls.
Most people use a thing called a "question mark" to denote the end of a question.
It looks like this: ?
There was an article on Tech Dirt today about this that went on to say that the FBI and some local law enforcement agencies had been purchasing data from the same sources. Aren't the buyers as guilty as the sellers?
What if the Hokey Pokey really is what it's all about?
seriously, and not in a way they'd like it
Should that not be PI's instead of something that looks like an abbreviation for "Please"?
Heh, social engineering is a technique that essentially all humans are vulnerable to.
That's why I never interact with humans. Or at least that's what I tell my mom when she says I shouldn't eat dinner in the basement.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Um, yes you can. If you make the telecommunication carriers liable for giving out your info, then they will only allow access to that info internally by people trained not to be susceptible to social engineering and they will implement procedures that make it very difficult to get the info in the first place (even if you are entitled to it -- although you should have kept your copy of your monthly statement to begin with). And since the problem right now is not social engineering, your comment really does not advance this discussion.
Didn't the phone carriers get permission to sell call records for marketing purposes? Just set up Sam Spade's Market Consultants, pay 17 cents per record for the block of 1000 numbers that includes your target (Joe Whistleblower), then charge your client (Sleazeco) $250 for the information that their employee Joe called Sixty Minutes eighteen times in the last six months.
Then if you're entrepreneurial you take the names from the other 999 records and cross-reference them with divorce filings, call up and say "would it be useful to have proof that your soon-to-be-ex husband called Jennifer's Massage every payday?".
And those are some of the least damaging possibilities. Think how much money a crook could make tracking Wall Street traffic patterns.
http://www.nyu.edu/classes/copyXediting/Punctuation.html
Use a period to end a rhetorical question.
There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind.
Why not? When you establish service with a company, they should require you to provide them with a security question and answer of your choosing, and not simply ask you to select a common one from a list. Then when someone calls to access information from your account, they simply read back the question to you, and wait for the answer. If it matches, fine, they can presume it's you. If you don't know the answer, then they don't give out any information. If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?
In theory, there's no difference between theory and practice. In practice, there is.
Too much text to turn this into a 4chan copypasta. Shorten it to just the good stuff and then we'll talk.
What would a person be charged with rather than a company set up by some people to hide such an illegal activity? This is basically organized fraud and theft of information committed by individuals who set up a company knowing that because of our insane legal system corporate owners are seldom charged even when their companies were set up to be illegal enterprises from the beginning. Sophisticated con artists and fraudsters routinely form corporations for the purpose of limiting their own personal liability for their criminal enterprises. Spammers do it, cult leaders do it, and now black hats are doing it too.
If I did this under my own name, the media would be calling me a hacker who socially engineered and otherwise broke into computer systems for the purpose of stealing sensitive customer information and selling it to the highest bidder.
So this is how it works...
ANYONE can claim that you owe them a debt and make a report to the credit agency at ANY TIME. The credit agency then happily reports that to everyone who asks as gospel but, you only get ONCE A YEAR to check that the information is accurate (unless you want to pay)!?!?!
That report (that probably has false information (if you pissed off a company)) is then used to set your loan rates, your auto-insurance rates, and a bunch of other un-credit related things!
WHAT KIND OF CRAP IS THAT!
We, the people, should have FREE access to our credit reports at ALL TIMES! And things that we dispute should be removed UNTIL THE REPORTER CAN PROVE that the info is factual!
Your thin skin doesn't make me a troll
My wife owns a private investigations firm and gets the legal information well... legally.
I think it's important to remember that licensed companies (by the state) that act on the behalf of their clients need to have some level of access to public data. The licensing agencies should be quite strict with offenders.
Just an aside: Popular media has imprinted so many strange ideas of what it is to be a PI, I think the service they provide is sometimes overlooked, especially in areas of family law or where the local authorities do not expend resources. Getting an abused wife a good divorce settlement, or catching someone in insurance fraud helps society as a whole. It's up to PIs and their licensing states to make sure the PI license is not abused.
If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?
Because 80% of the people will forget their secret answer and then whine, cry, or yell to get what they want. The people on the phone, being people, will give in sometimes - hence the social engineering. As long as there is a human answering the call they can be duped into bending the rules. If a machine answers the phone the company gets a reputation for being cold and inhuman and loses customers. There's no way to win.
It's no different than spam. You tell millions of people not to click the link of naked Paris Hilton pictures - you will get a virus. Next week an email goes around with naked pictures of Nicky Hilton. What happens? 80% click and get a virus. I have no idea why people aren't smarter than this, but this social engineering stuff definitely works.
Find coupons in Greeley
you didn't read the comment, if you are faced with any negative impact from your credit report, you have to be able to get it there regardless of the annual limitation.
Also, they don't relay info for free either, other people wanting your info have to pay for it.
Still seems horribly broken though.
XML is like violence. If it doesn't solve the problem, use more.
You must not have read the referenced story. The FBI wasn't buying illegally-obtained phone records from these scammers in order to prove that the scammers were breaking laws, they were buying illegally-obtained phone records from these scammers because the FBI wanted to use them.
It's like the difference between the DEA buying illegal drugs in order to prove that somebody was selling illegal drugs vs. the DEA buying illegal drugs so that headquarters can consume them at the next party.
pls to be selling phone records!
hot quality! 100%!
I'll just use my special getting high powers one more time...
But they do love shopping in a free market:
FBI buys illegally acquired phone records for investigations
I'm not tense. I'm just terribly, terribly, alert.
My bank already does this, but it's not going to prevent social engineering in any manner. All that really does is prevent a person from posing as a *customer*.
However, that's a pretty amateur (and often minimally effective) way to social engineer some information out of a company employee. Did you look at the links I posted? It's far more likely that someone would pose as an employee of another department at the same company, or even a higher-up from "the head office in New York", for example. Think about it, an employee isn't going to give out any useful info to someone they think is a "lowly customer" outside of the company. If they think it's the technical director from the head office 500 miles away, obviously it's a very different situation.
To further my point: "Social engineering is successful because the malevolent person attempting to get information (or access) preys upon the good, helpful nature of unknowing and unsuspecting employees."
"In larger organizations, an intruder may pretend to be a fellow employee who needs access because his system is down."
"One trick is for a person to pose as a network troubleshooter who needs an ID and password to verify that a problem on the network is fixed and won't recur"
I'm a libertarian.. I don't see how the libertarianism would solve this as it's a private matter with private phone companies dispensing private information to private investigators... who need kicked in the privates.
Latewire
For all the various issues I might have with my carrier (Telus), security isn't really one. For my home phone, for major changes they will verify against the PIN number that comes on my bills. For cellphone service, the last time I was having issues they asked me for my PIN code before applying major changes.
I guess not all carriers do that... but yes, they should.
Find someone to trade your Albertson's card with. Screw up their statistics. Course, you should hope they don't buy a bunch of apples and razor blades Halloween afternoon . . .
It just came out that the FBI is one of the places buying these records - no pesky judges to ask for permission or anything. They just hand over cash, and get the phone records they want.
Can't let the terrists win, right?
I yearn for you tragically. A. T. Tappman, Chaplain, U.S. Army.
You're thinking far too narrowly--SEs exploit trust wherever it exists.
... etc.
They don't need to pretend to be you, they just have to get access to the phone company's information somehow, directly or indirectly. Between hacking and bamboozling people, you could continually escalate your privileges and trust with the necessary people until you wormed your way past security.
You do have a point that mandatory procedures for certain things can stop some attacks, but they'll always be looking for the gap that no one thought of, or else they'll find the one employee who is sometimes too lazy to follow procedure for something "harmless"
The suit is a temporary road block. The PIs simply need to assert the state secrets privilege and get the suit dismissed. Then we can go back to buying records of our girlfriends, bosses and enemies.
And if you make it a law that all companies must have a machine-directed first-level operator, flattening the inhumanity bell curve, then what happens?
There is a post appointed by Parliament as the chief advocate for personal privacy here in Canada. It's his or her job to get things like companies to have a mandatory privacy policy for the collection of personal information.
Macleans magazine did an article where they got HER cellphone records. All the calls she had made on not only her office Cell, but her personal Cell as well.
Not Tech Dirt. Sorry, my bad. But from that article:
"The FBI's long history of misconduct illuminates the necessity of judicial oversight. Requiring strict adherence to due process is the only way to promote accountability and ensure that our law enforcement agents are not abusing their authority. There is already evidence that law enforcement agents have misused information from data brokering services."
When you begin to break the law to enforce the law where do you draw the line? Illegally purchasing phone records as a means of circumventing the judicial process bypasses our system of checks and balances. That was my point.
What if the Hokey Pokey really is what it's all about?