It's a common myth that celebrated criminal hacker Kevin Mitnick was a wiz at 1s and 0s computer hacking; in fact, most of his attacks occurred over the phone, by creating or impersonating people who worked at a targeted company, then finagling the required information out of employees who were only too eager to help out. The social engineering technique is more commonly known as pretexting.
In a breaking story, pretexters allegedly obtained the home phone records of reporters from CNET News.com, the New York Times, and the Wall Street Journal in an attempt to discover who from HP had leaked insider information to those publications. But there have been other high-profile examples, as well. According to the Federal Trade Commission, pretexting is against the law and can, and often does, lead to identity theft. Unfortunately, there's little you can do about it.
How it's done
Today there's a wealth of information readily available on the Internet. One need not be a hacker, and the information obtained need not be trade secrets about some network router. It could be salacious financial details about an ex-spouse or a neighbor. Using pretexting and the Internet, anyone can pretend to be anyone else when applying for online credit or account information.
In one scenario, a pretexter may call you under the guise of a survey taker. Based upon the candidness of your answers, the pretexter may glean enough information to then contact your bank, phone company, or local utility. By pretending to be you (remember, on the Internet nobody knows you are a dog), the pretexter might then set up an online account and have free rein over your personal data. It all depends on how freely the various utilities are willing to dispense your personal information. This has already happened in at least one political campaign.
In the news
In the 2005 Maryland gubernatorial campaign, Lauren B. Weiner, a former research associate of the Democratic Senatorial Campaign Committee (DSCC), pretended to be the presumed Republican opponent in that upcoming election, Lieutenant Governor Michael Steele. According to a Department of Justice press release, Weiner conducted various public records searches on Steele and, upon obtaining his social security number, used that information to obtain his credit report.
Most credit bureaus allow you to request a free credit report online. One of them, Experian, required the individual's driver's license, and lacking that information, Weiner tried TransUnion instead. There, she was able to create a password-protected account and request, using her DSCC computer, that the financial report be e-mailed to her Yahoo account, firstname.lastname@example.org. Once the document was obtained, it was quickly destroyed. Nonetheless, the event was reported by her supervisors at the DSCC to the District Attorney's Office and the FBI. In a March 2006 plea bargain, Weiner was ordered to perform 150 hours of community work in order for the misdemeanor charge to be dropped.
Is pretexting illegal? Yes
Obtaining personal information through impersonation is illegal. The 1999 Gramm-Leach-Bliley Act makes it illegal to make fraudulent statements or use forged or counterfeit documents to get information from a financial institution or from a customer of a financial institution, or to ask another person to obtain this financial information on your behalf.
Your personal information is out there, whether you want it public or not. If you've ever been divorced or named in a criminal suit, chances are personal information, such as your home address, date of birth, perhaps even your social security number, is now a matter of public record. In the pre-Internet days, one could march down to the local courthouse, fill out a form, pay a fee, and view a paper or microfiche document with this information. Now, at 3 o'clock in the morning, you can simply google online public records. Or, for a nominal fee, you can pay someone to do a background check on just about anyone.
One solution is to sign up for all those online account services offered by your credit and telephone companies and utilities. The fact that most of us haven't signed up for online account services leaves open the possibility that someone else will do so for us. By signing up and blocking outsider access with a password under your own control, even if you never intend to use the online account service, you at least shut down one method of pretexting.
The FTC further recommends reviewing your credit statements carefully and promptly and requesting a free credit check annually. Talk to your family and make it clear that only you should dispense personal information, even your home address, to others. Avoid giving personal information (in most cases you can opt out of providing a social security number), and never give out personal information over the phone, by mail, or over the Internet unless you initiated the contact yourself.
Unfortunately, the best safeguards will require more regulation. Banks are now required (through their own regulatory agency) to use a second layer of authentication. At some online institutions, you must now answer one question from a series that cycles through each time you log on. While this thwarts desktop password managers, it increases the amount of knowledge a pretexter must have about you before they can gain access. But that's financial institutions. Logging in to your local electric company requires only nominal information, and that needs to change. How good are you at protecting your private information from outsiders? Do you answer surveys? Talk back to me.