PIs Selling Phone Records Sued By The FTC
carl writes "According to an MSNBC article, the FTC has sued five different background investigation firms for selling confidential phone records." From the article: "In the lawsuits announced Wednesday, the FTC charged the companies used 'false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier' to get the phone records. The companies advertised on their Web sites that they could get the confidential phone records of any individual and make them available for a fee, the agency said."
NSA lost a good business opportunity ;)
Don't steal. Your Government's surveillance programme hates competition.
(Emphasis mine)
So when is the FTC going to charge carriers with improperly handling private information? I hope they don't forget to nail the carriers to the wall for handing out this information in the first place. If they wouldn't just give the information away to every Tom, Dick, and Harry that called without verifying they are who they say they are, there wouldn't be as much of a problem, would there? Some simple ways to avoid giving the information to the wrong person might include calling them back on their cellphone or sending the information to the address that gets the bills. Selling this information is wrong, but the carriers are just as culpable for giving it out without proper verification.
I Am My Own Worst Enemy
private investigators
"Doubt is not a pleasant condition, but certainty is absurd." - Voltaire
Not a troll, a valid question. PIs is not an intuitive acronym. And unless yer name is Magnum... don't use it!
nothing
Call the SBC's DSL department and claim to be a friend "helping" someone install their DSL modem... but insist that you don't know the address or anything else. Be as dumb as possible on the phone. Get a little drunk if you can't be convincing.
Often, the customer service reps will read back the entire address, and sometimes, even the last four digits of the SSN. I found this out when I was legitimately calling them because of a line problem.
I never had any problems adding service, removing service, or getting personal account information... all without identifying myself whatsoever. Need an address for a telephone number, call SBC and tell them you want DSL. The phone reps will "verify" your address by reading it back. Awesome, huh?
Evil Walrus >83=
Heh, social engineering is a technique that essentially all humans are vulnerable to. Also, phone companies are actually one of the top targets of social engineering. That combination makes for a pretty high likelihood of people's phone-line-related data to be effectively public domain...
There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind. I know people who do this sort of stuff (I don't mean theft though heh) for fun on a fairly regular basis and they can all screw with pretty much any person. It's really amazing how easily you can manipulate someone of any personality type, actually. heh.
The only people who I've found to be highly resistant to any sort of social engineering are the type of people who know how to do it as well. It requires a certain mindset to be able to catch on to when a person might be trying to manipulate you. Unfortunately that sort of mindset usually involves always having a certain amount of suspicion towards people's statements all the time...
Some reading material:
http://www.securityfocus.com/infocus/1527
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt
http://www.kuro5hin.org/story/2004/6/3/223758/2267
http://rf-web.tamu.edu/security/secguide/V1comput/Social.htm
etc. etc..
The acronym is not the problem so much as the font. Like the original poster, I also read that as P-L-S, and could not guess what it was supposed to mean. The font used for the title of the article makes capital-I and lowercase-L identical.
However beautiful the strategy, you should occasionally look at the results. -- Winston Churchill
Heh, social engineering is a technique that essentially all humans are vulnerable to.
That's why I never interact with humans. Or at least that's what I tell my mom when she says I shouldn't eat dinner in the basement.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Didn't the phone carriers get permission to sell call records for marketing purposes? Just set up Sam Spade's Market Consultants, pay 17 cents per record for the block of 1000 numbers that includes your target (Joe Whistleblower), then charge your client (Sleazeco) $250 for the information that their employee Joe called Sixty Minutes eighteen times in the last six months.
Then if you're entrepreneurial you take the names from the other 999 records and cross-reference them with divorce filings, call up and say "would it be useful to have proof that your soon-to-be-ex husband called Jennifer's Massage every payday?".
And those are some of the least damaging possibilities. Think how much money a crook could make tracking Wall Street traffic patterns.
There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind.
Why not? When you establish service with a company, they should require you to provide them with a security question and answer of your choosing, and not simply ask you to select a common one from a list. Then when someone calls to access information from your account, they simply read back the question to you, and wait for the answer. If it matches, fine, they can presume it's you. If you don't know the answer, then they don't give out any information. If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?
In theory, there's no difference between theory and practice. In practice, there is.
But they do love shopping in a free market:
FBI buys illegally acquired phone records for investigations
I'm not tense. I'm just terribly, terribly, alert.