Interesting People mailing list archives
IP: From Telecom Digest Cyber Sleuths Have More Than Your Number
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 22 Feb 1999 20:10:15 -0500
From: Monty Solomon <monty () roscom COM> Subject: Cyber Sleuths Have More Than Your Number Date: Mon, 22 Feb 1999 14:39:39 -0500 http://www.accessatlanta.com/ajc/bigstory/022199/privacy.html By Andrew Alexander Cox Washington Bureau Washington -- "You're kidding!" my wife exclaimed when I told her that someone had gained access to our private bank records, lifted our account number and recorded our balance. There was more. They had also tracked our recent long-distance calls, identifying those we had telephoned by name, address and occupation. And they had compiled dossiers on us, complete with Social Security numbers, property holdings and financial dealings. "That's incredible," she said. "How can they do that?" Easily, it turns out, in the computer age. "They," I finally confessed, was actually my Cox Newspapers Washington Bureau colleague Elliot Jaspin, a Pulitzer Prize-winning high-tech wizard who had delved into our personal lives at my invitation. He was trying to come up with a way for our reporters to use computer databases to do background checks on little-known figures who suddenly break into the news, quickly learning about pending lawsuits or long-concealed arrests. Start with only my name, I suggested, and see what you can get. He hit pay dirt within a few days. Given more time -- and a little money -- he soon would have been able to obtain confidential records of my credit card purchases, salary, stocks, bonds, credit history, life insurance policy, recent air travel, whether I had ever been nailed for speeding, and even my medical records going back 10 years. While the popular notion is that a computer linked to the Internet is a key that unlocks all kinds of personal secrets, most databases on the Internet are dull as dishwater. Switchboard, for example, will allow you to instantly discover Uncle Edgar's telephone number in Dubuque. But then, calling information will get you the same thing. The Internet, however, carries ads for a burgeoning and largely uncontrolled industry of "information brokers" that -- for a fee -- will reveal the most intimate details of your life, right down to that birthmark on your backside or ancient records of psychological treatment. For fees as low as $40 per search, they will disclose non-published telephone numbers or track down the owners of private aircraft. Corporate Investigative Services of Huntsville, Ala., has a Web site that also allows you to listen to the theme music from "Mission Impossible" while you link to hundreds of other sites. Some companies, like AutoTrack, have assembled massive computerized databases containing several billion public records. Using sophisticated database software, information is quickly plucked from scores of different files, and within minutes is woven together into a report. AutoTrack files are interesting, but not nearly as revealing as companies that use what they politely term "pretexts" to shoehorn information from banks, phone companies and anyone else you may do business with. The major weapon here is a huckster's patter rather than a computer. Judging from information broker ads, everything is up for grabs. That includes the location of your safe deposit box, your bank deposits anywhere in the world, and even your bank account history, including dates and amounts of deposits, checks written or wire transfers. As privacy expert Robert Ellis Smith of Rhode Island noted, "Every fact about you is on record somewhere," and information brokers see that as fair game. Posing as a forgetful husband, telephone repairman or bank clerk, a private investigator can often get this information by outwitting low-level clerks at the phone company or some obscure branch of a major bank. There are few laws forbidding disclosure. "It's our company policy not to release any customer information without a court order or some legal document," said Sandy Arnette, a spokeswoman for Bell Atlantic in Baltimore. "But there is no state or federal law against disclosure." In fact, the House Banking Committee found only three states -- Connecticut, Illinois and Maine -- with laws making it a crime to induce an employee of a financial institution to disclose data about a customer's account. And there are no federal statutes against using "pretexts" to wangle private data from financial institutions. Rep. James A. Leach, R-Iowa, chairman of the House Banking Committee, tried unsuccessfully to get the practice outlawed last year, and he has introduced the same bill again this year. But who cares if you have a checking account in Duluth and own 40 acres of scrub land in Texas? Creditors do. Banks, who need to collect on bad credit card debts, routinely turn to lawyers who specialize in collections. And these lawyers, in turn, use information brokers to find assets they can attach. "We do a lot of credit card collection. Thousands of cases a week," said Mike Martin of Advanced Research Inc. The American Bankers Association supports Leach's proposed legislation to outlaw fraudulently obtaining information from banks. But ABA member banks "hire us to do exactly what it is they're trying to shut down," Martin said. Information brokers also will chase deadbeat dads. "Very often, it gets used for good purposes," private investigator Edmund Pankau of Houston said. "Not long ago," he recalled, his firm traced the financial dealings of a Houston man who had left his family. The information allowed them to locate the man in another city. "He had skipped out on his ex-wife," Pankau said, "but they needed to find him because his daughter needed a bone marrow transplant and he was the only one who could help." Some in the press also use information brokers to snoop. Al Schweitzer, a controversial private investigator -- he pleaded guilty in 1992 to illegally buying Social Security records -- became a legend by compiling detailed dossiers on Hollywood stars for the National Enquirer. After actor Kiefer Sutherland split from Julia Roberts, Schweitzer used her phone records to locate him at his ranch in Whitefish, Mont. He used the same method to track down Marlon Brando's daughter in Tahiti. But there is a darker side of riffling through private information. Federal officials express growing concern about "identity fraud" or "identity theft," in which a con artist uses purloined personal financial information to assume your identity, then loots your bank account or makes costly purchases with your credit card number. The extent to which Americans are actually harmed by this is unclear. A report last year by the General Accounting Office, the investigative arm of Congress, suggests a startling rise in identity fraud. Trans Union, a leading credit reporting firm, told GAO that the number of inquiries about credit fraud it receives each year jumped from 35,235 in 1992 to 522,922 in 1997. Two-thirds involved identity fraud. But in the same report, GAO acknowledged that it could find "no comprehensive statistics on the prevalence of identity fraud." Pressured by the Federal Trade Commission and the threat of restrictive legislation, some large data collection firms have begun self-regulation. Several such companies represented by the Individual Reference Services Group recently agreed to abide by rules limiting unauthorized disclosure of information. But hundreds of other firms remain essentially unregulated, including the bulk of information brokers. A decade ago, only a handful existed. Today, said Evan Hendricks, editor of the Washington-based Privacy Times newsletter, there may be as many as 2,000. The explosion of the Internet and higher-powered computers means we've entered an era where "nothing is private," Pankau warned. "I can't think of anything that's private," agreed Smith, who publishes Privacy Journal, a monthly newsletter that monitors how new technology affects privacy. But the extent of actual financial harm is difficult to gauge. My wife was most troubled by the notion that someone could so easily obtain information we thought was private. Disclosure, she conceded, does not automatically mean damage. "But I would argue that just the mere unauthorized access [to private information] is one form of harm," Hendricks said, "and psychological harm is very real." ================== [TELECOM Digest Editor's Note: The technique called 'pretexts' as well as what some term 'social engineering' does not work as well as it used to, but sadly it still works well enough in some companies to get the information desired. One of the largest credit bureaus, Trans-Union Credit Information Corporation, takes the problem of 'social engineering' and 'pretexts' seriously enough that for a number of years its larger customers -- for example banks and credit card processing centers, or anywhere there might be several clerks working all day long doing nothing but pulling credit bureau reports for other departments, etc -- were supplied with large posters to place on walls in the office which warned about this problem. The poster showed a very stern-looking Uncle Sam, with top hat and appropriately striped trousers, etc. With a frown on his face and fingers in front of his lips the caption said, 'Please do not violate our trust in you. You are entrusted with files from the credit bureau as a specific part of your job. It is against federal law to retrieve information without a specific and legitimate reason for doing so. It is against the law to deliberatly place incorrect information in a bureau file. Both of these crimes are punishable by a fine of up to XXX dollars, or ten years imprisonment, or both, as a court of law would direct. "DO NOT BE DECEIVED by a telephone call you might receive, or a 'favor' asked of you by a co-worker! You will NEVER be contacted by the credit bureau asking you to reveal a password or information you saw in a bureau file. If a person claiming to be a superior at your company calls and tries to get you to provide this type of information you should disconnect the call and tell your supervisor immediatly. The executives at your company would never ask you to do something like that. They would go through 'channels' to obtain the information they legitimatly need from our files. "If you would like to talk to us about one of our employees at the credit bureau or about an incident which happened to you in your present employment, you can speak with us in confidence by calling 800-xxx-xxxx. No one will ever know you called, and we will take what actions are needed after our own investigation. THANK YOU FOR KEEPING THE TRUST WHICH HAS BEEN PLACED IN YOU." Across the top of the poster in larger block letters, "Uncle Sam Wants You to Keep the Trust." A most effective poster and constant reminder (Uncle Sam with pursed lips staring at you all day) that innocent looking situations could be serious problems. More and more people are getting wise to this: do not believe what you hear just because it was said on the phone; stay in control of your phone calls; never allow a phone caller to pressure you into revealing things. I am not recommending that when you get a phone call from someone you have never met before who claims to be in authority that you tell him he is full of sausage; I am just suggesting that you not be that concerned about being considered 'uncooperative' or 'antisocial'. Someone from the 'phone company' will deal with their contact person at your company, not you. Someone from the credit bureau or the computer network, etc will deal with their contact at your company, not you. And how shall I say this bluntly, yet in a form suitable for this family-rated e-journal? If you suddenly find yourself with a new girl friend or a new boy friend as happened to me many years ago when this new 'friend' discovers that you work for a large credit card processing center or the credit bureau or a large national ISP or the phone company/bank/government in a sensitive position, give careful consideration whether he wants you for your body, your wit and your charm, or if all that love-bombing, melt in your arms tenderness is intended as a way to get a bit more. Does he want to get in your pants, or does he want to get in your desk drawer at work? <smile>. Especially if he already knew about your employment before he discovered how madly in love he was with you. And before you unlock that desk drawer at work in exchange for that momentary fling, consider well what you have to gain, and what you have to lose. No matter how smart you are, there is always someone smarter who can catch you at what you did. PAT]
Current thread:
- IP: From Telecom Digest Cyber Sleuths Have More Than Your Number Dave Farber (Feb 22)