Interesting People mailing list archives

IP: From Telecom Digest Cyber Sleuths Have More Than Your Number


From: Dave Farber <farber () cis upenn edu>
Date: Mon, 22 Feb 1999 20:10:15 -0500



From: Monty Solomon <monty () roscom COM> 
Subject: Cyber Sleuths Have More Than Your Number 
Date: Mon, 22 Feb 1999 14:39:39 -0500

http://www.accessatlanta.com/ajc/bigstory/022199/privacy.html
By Andrew Alexander 
Cox Washington Bureau
Washington -- "You're kidding!" my wife exclaimed when I told her that 
someone had gained access to our private bank records, lifted our 
account number and recorded our balance.
There was more.
They had also tracked our recent long-distance calls, identifying 
those we had telephoned by name, address and occupation. And they had 
compiled dossiers on us, complete with Social Security numbers, 
property holdings and financial dealings.
"That's incredible," she said. "How can they do that?"
Easily, it turns out, in the computer age.
"They," I finally confessed, was actually my Cox Newspapers Washington 
Bureau colleague Elliot Jaspin, a Pulitzer Prize-winning high-tech 
wizard who had delved into our personal lives at my invitation.
He was trying to come up with a way for our reporters to use computer 
databases to do background checks on little-known figures who suddenly 
break into the news, quickly learning about pending lawsuits or 
long-concealed arrests.
Start with only my name, I suggested, and see what you can get.
He hit pay dirt within a few days.
Given more time -- and a little money -- he soon would have been able 
to obtain confidential records of my credit card purchases, salary, 
stocks, bonds, credit history, life insurance policy, recent air 
travel, whether I had ever been nailed for speeding, and even my 
medical records going back 10 years.
While the popular notion is that a computer linked to the Internet is 
a key that unlocks all kinds of personal secrets, most databases on 
the Internet are dull as dishwater.
Switchboard, for example, will allow you to instantly discover Uncle 
Edgar's telephone number in Dubuque. But then, calling information 
will get you the same thing.
The Internet, however, carries ads for a burgeoning and largely 
uncontrolled industry of "information brokers" that -- for a fee -- 
will reveal the most intimate details of your life, right down to that 
birthmark on your backside or ancient records of psychological 
treatment.
For fees as low as $40 per search, they will disclose non-published 
telephone numbers or track down the owners of private 
aircraft. Corporate Investigative Services of Huntsville, Ala., has a 
Web site that also allows you to listen to the theme music from 
"Mission Impossible" while you link to hundreds of other sites.
Some companies, like AutoTrack, have assembled massive computerized 
databases containing several billion public records. Using 
sophisticated database software, information is quickly plucked from 
scores of different files, and within minutes is woven together into a 
report.
AutoTrack files are interesting, but not nearly as revealing as 
companies that use what they politely term "pretexts" to shoehorn 
information from banks, phone companies and anyone else you may do 
business with. The major weapon here is a huckster's patter rather 
than a computer.
Judging from information broker ads, everything is up for grabs. That 
includes the location of your safe deposit box, your bank deposits 
anywhere in the world, and even your bank account history, including 
dates and amounts of deposits, checks written or wire transfers.
As privacy expert Robert Ellis Smith of Rhode Island noted, "Every 
fact about you is on record somewhere," and information brokers see 
that as fair game. Posing as a forgetful husband, telephone repairman 
or bank clerk, a private investigator can often get this information 
by outwitting low-level clerks at the phone company or some obscure 
branch of a major bank.
There are few laws forbidding disclosure.
"It's our company policy not to release any customer information 
without a court order or some legal document," said Sandy Arnette, a 
spokeswoman for Bell Atlantic in Baltimore. "But there is no state or 
federal law against disclosure."
In fact, the House Banking Committee found only three states -- 
Connecticut, Illinois and Maine -- with laws making it a crime to 
induce an employee of a financial institution to disclose data about a 
customer's account. And there are no federal statutes against using 
"pretexts" to wangle private data from financial institutions.
Rep. James A. Leach, R-Iowa, chairman of the House Banking Committee, 
tried unsuccessfully to get the practice outlawed last year, and he 
has introduced the same bill again this year.
But who cares if you have a checking account in Duluth and own 40 
acres of scrub land in Texas?
Creditors do.
Banks, who need to collect on bad credit card debts, routinely turn to 
lawyers who specialize in collections. And these lawyers, in turn, use 
information brokers to find assets they can attach.
"We do a lot of credit card collection. Thousands of cases a week," 
said Mike Martin of Advanced Research Inc.
The American Bankers Association supports Leach's proposed legislation 
to outlaw fraudulently obtaining information from banks. But ABA 
member banks "hire us to do exactly what it is they're trying to shut 
down," Martin said.
Information brokers also will chase deadbeat dads. "Very often, it 
gets used for good purposes," private investigator Edmund Pankau of 
Houston said.
"Not long ago," he recalled, his firm traced the financial dealings of 
a Houston man who had left his family. The information allowed them to 
locate the man in another city. "He had skipped out on his ex-wife," 
Pankau said, "but they needed to find him because his daughter needed 
a bone marrow transplant and he was the only one who could help."
Some in the press also use information brokers to snoop. Al 
Schweitzer, a controversial private investigator -- he pleaded guilty 
in 1992 to illegally buying Social Security records -- became a legend 
by compiling detailed dossiers on Hollywood stars for the National 
Enquirer.
After actor Kiefer Sutherland split from Julia Roberts, Schweitzer 
used her phone records to locate him at his ranch in Whitefish, 
Mont. He used the same method to track down Marlon Brando's daughter 
in Tahiti.
But there is a darker side of riffling through private information.
Federal officials express growing concern about "identity fraud" or 
"identity theft," in which a con artist uses purloined personal 
financial information to assume your identity, then loots your bank 
account or makes costly purchases with your credit card number.
The extent to which Americans are actually harmed by this is unclear.
A report last year by the General Accounting Office, the investigative 
arm of Congress, suggests a startling rise in identity fraud. Trans 
Union, a leading credit reporting firm, told GAO that the number of 
inquiries about credit fraud it receives each year jumped from 35,235 
in 1992 to 522,922 in 1997. Two-thirds involved identity fraud.
But in the same report, GAO acknowledged that it could find "no 
comprehensive statistics on the prevalence of identity fraud." 
Pressured by the Federal Trade Commission and the threat of 
restrictive legislation, some large data collection firms have begun 
self-regulation. Several such companies represented by the Individual 
Reference Services Group recently agreed to abide by rules limiting 
unauthorized disclosure of information.
But hundreds of other firms remain essentially unregulated, including 
the bulk of information brokers.
A decade ago, only a handful existed. Today, said Evan Hendricks, 
editor of the Washington-based Privacy Times newsletter, there may be 
as many as 2,000.
The explosion of the Internet and higher-powered computers means we've 
entered an era where "nothing is private," Pankau warned.
"I can't think of anything that's private," agreed Smith, who 
publishes Privacy Journal, a monthly newsletter that monitors how new 
technology affects privacy.
But the extent of actual financial harm is difficult to gauge. My wife 
was most troubled by the notion that someone could so easily obtain 
information we thought was private. Disclosure, she conceded, does not 
automatically mean damage.
"But I would argue that just the mere unauthorized access [to private 
information] is one form of harm," Hendricks said, "and psychological 
harm is very real."
==================
[TELECOM Digest Editor's Note: The technique called 'pretexts' as well 
as what some term 'social engineering' does not work as well as it 
used to, but sadly it still works well enough in some companies to 
get the information desired. 
One of the largest credit bureaus, Trans-Union Credit Information 
Corporation, takes the problem of 'social engineering' and 'pretexts' 
seriously enough that for a number of years its larger customers -- 
for example banks and credit card processing centers, or anywhere 
there might be several clerks working all day long doing nothing 
but pulling credit bureau reports for other departments, etc -- were 
supplied with large posters to place on walls in the office which 
warned about this problem. 
The poster showed a very stern-looking Uncle Sam, with top hat and 
appropriately striped trousers, etc. With a frown on his face and 
fingers in front of his lips the caption said, 'Please do not violate 
our trust in you. You are entrusted with files from the credit bureau 
as a specific part of your job. It is against federal law to retrieve 
information without a specific and legitimate reason for doing so. It 
is against the law to deliberately place incorrect information in a 
bureau file. Both of these crimes are punishable by a fine of up to 
XXX dollars, or ten years imprisonment, or both, as a court of law 
would direct.
"DO NOT BE DECEIVED by a telephone call you might receive, or a 
'favor' asked of you by a co-worker! You will NEVER be contacted by 
the credit bureau asking you to reveal a password or information you 
saw in a bureau file. If a person claiming to be a superior at your 
company calls and tries to get you to provide this type of information 
you should disconnect the call and tell your supervisor immediately. 
The executives at your company would never ask you to do something 
like that. They would go through 'channels' to obtain the information 
they legitimately need from our files. 
"If you would like to talk to us about one of our employees at the 
credit bureau or about an incident which happened to you in your 
present employment, you can speak with us in confidence by calling 
800-xxx-xxxx. No one will ever know you called, and we will take what 
actions are needed after our own investigation. THANK YOU FOR KEEPING 
THE TRUST WHICH HAS BEEN PLACED IN YOU."
Across the top of the poster in larger block letters, "Uncle Sam 
Wants You to Keep the Trust." A most effective poster and constant 
reminder (Uncle Sam with pursed lips staring at you all day) that 
innocent looking situations could be serious problems. More and more 
people are getting wise to this: do not believe what you hear just 
because it was said on the phone; stay in control of your phone calls; 
never allow a phone caller to pressure you into revealing things. I 
am not recommending that when you get a phone call from someone you 
have never met before who claims to be in authority that you tell him 
he is full of sausage; I am just suggesting that you not be that 
concerned about being considered 'uncooperative' or 'antisocial'. 
Someone from the 'phone company' will deal with their contact person 
at your company, not you. Someone from the credit bureau or the 
computer network, etc will deal with their contact at your company, 
not you. 
And how shall I say this bluntly, yet in a form suitable for this 
family-rated e-journal? If you suddenly find yourself with a new 
girl friend or a new boy friend as happened to me many years ago 
when this new 'friend' discovers that you work for a large credit 
card processing center or the credit bureau or a large national ISP 
or the phone company/bank/government in a sensitive position, give 
careful consideration whether he wants you for your body, your wit 
and your charm, or if all that love-bombing, melt in your arms 
tenderness is intended as a way to get a bit more. Does he want to 
get in your pants, or does he want to get in your desk drawer at 
work? <smile>. Especially if he already knew about your employment 
before he discovered how madly in love he was with you. And before 
you unlock that desk drawer at work in exchange for that momentary 
fling, consider well what you have to gain, and what you have to 
lose. No matter how smart you are, there is always someone smarter 
who can catch you at what you did. PAT]

