Gandal, 49, from Loveland, Colo., says he gave up pretexting for cell-phone records last winter when the tactic came under criticism from telephone companies and lawmakers (Gandal testified at a congressional hearing on the practice in June). But as the disclosures about the boardroom mess at Hewlett-Packard came to light, it became clear that pretexting is still employed by private detectives and information brokers. Telcos have filed dozens of lawsuits against pretexters this year, and several pending state and federal bills would make it a crime, though most security experts say it’s already illegal under the Federal Trade Commission’s unfair and deceptive trade practices statute. “Telephone pretexting is a cottage industry, and that is very troubling to us,” says Jon Leibowitz, an FTC commissioner.

The extent of the pretexting problem is unclear. But here are some clues: in its complaint to the FTC last year outlining the problem, the Washington-based Electronic Privacy Information Center listed 40 Web sites that promoted a search of someone else’s cell-phone records, typically for a fee of about $100. Most of those sites have since shut down or stopped offering the service. Separately, in its January lawsuit against a Florida firm, Verizon admitted it was duped out of “tens of thousands” of records by callers pretending to be part of a non-existent internal “special needs group,” calling on behalf of voice-impaired customers. A judge forced the Florida firm to shut down.

Digging for phone records also may be business-as-usual at some companies. Yale School of Management Associate Dean Jeffrey Sonnenfeld says he asks his students each semester about the tactic. Of the 25 percent of his students who worked in consulting before coming to graduate school, one-fifth report they were put in a position of using false pretense (in most cases, pretending to be a recruiter) to get confidential information about job candidates or rival companies. “It’s a widespread abuse,” Sonnenfeld says.

Many phone companies are improving security measures to deal with pretexting. Verizon now requires customers to read a special code on their monthly bill if they want their phone records faxed or e-mailed to them; subscribers can also establish a special password for access to their account online. But AT&T, which was apparently the target of some pretexting calls in the HP case, still asks callers to verify their identity only with a phone number and Social Security number, both of which an employer would have and which are easy to obtain on the Internet. AT&T spokesman Walt Sharp says it is unfair to make AT&T’s 48 million landline customers remember a password when they call customer service, particularly when the firm, he says, doesn’t think pretexting is a statistically significant problem. He also argues that the information on a phone record isn’t that sensitive: “Remember, we’re not talking about financial data here. They can’t steal your bank money. It’s calling records.”

The lack of uniform security policies suggests that customers who want to preserve their privacy need to be proactive. But the options are limited. Security experts say you should take two precautions: set up online access to your phone accounts yourself, so someone else doesn’t do it in your name first, and change your password often. Perhaps you should even be careful about whom you call, as long as there are impersonators out there like David Gandal.