PIs Selling Phone Records Sued By The FTC

carl writes "According to an MSNBC article, the FTC has sued five different background investigation firms for selling confidential phone records." From the article: "In the lawsuits announced Wednesday, the FTC charged the companies used 'false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier' to get the phone records. The companies advertised on their Web sites that they could get the confidential phone records of any individual and make them available for a fee, the agency said."

tch tch

[dotpavan]

NSA lost a good business opportunity ;)

Don't Steal.

[Tackhead]

From TFA:

"Trafficking in consumers' confidential telephone records is outrageous," FTC consumer protection chief Lydia Parnes said in a statement. "It robs consumers of their privacy and exposes them to everything from snoops to stalkers."

Don't steal. Your Government's surveillance programme hates competition.

Don't forget

[nizo]

... the FTC charged the companies used "false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier to get the phone records.

(Emphasis mine)

So when is the FTC going to charge carriers with improperly handling private information? I hope they don't forget to nail the carriers to the wall for handing out this information in the first place. If they wouldn't just give the information away to every Tom, Dick, and Harry that called without verifiying they are who they say they are, there wouldn't be as much of a problem would there? Some simple ways to avoid giving the information to the wrong person might include calling them back on their cellphone or sending the information to the address that gets the bills. Selling this information is wrong, but the carriers are just as culpable for giving it out without proper verification.

SBC gives this stuff out for free

[pestilence669]

Call the SBC's DSL department and claim to be a friend "helping" someone install their DSL modem... but insist that you don't know the address or anything else. Be as dumb as possible on the phone. Get a little drunk if you can't be convincing.

Often, the customer service reps will read back the entire address, and sometimes, even the last for digits of the SSN. I found this out when I was ligitimately calling them because of a line problem.

I never had any problems adding service, removing service, or getting personal account information... all without identifying myself whatsoever. Need an address for a telephone number, call SBC and tell them you want DSL. The phone reps will "verify" your address by reading it back. Awesome, huh?

Re:You can't really secure against social engineer

[Bob3141592]

There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind.

Why not? When you establish service with a company, they should require you to provide them with a security question and answer of your choosing, and not simply ask you to select a common one from a list. Then when someone calls to access information from your account, they simply read back the question to you, and wait for the answer. If it matches, fine, they can presume it's you. If you don't know the answer, then they don't give out any information. If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?