CNN.com
COMPUTING

From...
Computerworld

FTC takes aim at underground information trafficking

June 24, 1999
Web posted at: 2:05 p.m. EDT (1805 GMT)

by Kim S. Nash

(IDG) -- The underground market in personal information is like any other: It has buyers, sellers and suppliers of raw material.

The buyers include lawyers and employers, who want financial and medical data about litigants, employees or job applicants. The sellers are "information brokers," who use a variety of tricks -- most of them legal, some legally hazy -- to obtain those personal details.

And who supplies the raw material? Corporate employees who have been duped into divulging the salaries, bank balances and medical histories held in customer information systems.

The data traffickers use a technique known as "pretext calling." That's when a broker telephones a bank, for example, and impersonates a customer to get information about his account. Armed with details such as Social Security number and address, the broker persuades customer service agents to reveal more valuable nuggets.

As one data dealer advised in a recent online post: "You can't be afraid to play roles and place yourself in positions of getting caught. ... You can always hang up."

But the Federal Trade Commission calls the ruse illegal and is cracking down. In an April lawsuit against Denver data broker Touch Tone Information Inc., the agency said the practice is deceptive, unfair and "a particularly pernicious invasion of consumers' privacy."

FTC officials set up a sting, recording a pretext call allegedly from Touch Tone to Bank One Corp. in Chicago, seeking -- and gaining -- customer account information that was later sold.

"We caught them on tape lying to a federally insured bank to obtain financial information. And the trafficking is the unfair part," said David Medine, an FTC official on the case.

In the information underground, facts are compiled in databases, sometimes transferred to clients electronically or sold on the Internet. Hundreds of information brokers advertise online, and Web chat boards and e-mail listservs are full of deal-making traffic.

Certainly not all information dealers are underhanded. Most probably don't break any laws, agreed both privacy advocates and brokers. And the strength of the FTC's legal case is unclear.

Touch Tone filed court papers last month that said the FTC doesn't have authority to pursue the case because, among other reasons, the agency is charged with protecting consumers and a bank isn't a consumer. Touch Tone also said it shouldn't be blamed if banks give out "confidential information by virtue of a telephone call, without adhering to its security protocols."

Risky business

Last month, the American Bankers Association in Washington met with local bankers to warn them that pretext calling is growing -- and banks could be held liable if customer information is revealed in error.

"Bank employees who release information risk penalties or legal action by their employer, the government and the customer," a spokeswoman for the trade group said. "We say, take this issue seriously."

Information brokers often use public databases such as court rulings or motor vehicle records to get started on a search about someone. They then use that routine data to concoct ruses to get more sensitive information from other sources.

The same techniques work for people seeking private medical data, said Rob Douglas, CEO of American Data Protection Services Inc. in Alexandria, Va.

A pretext caller with a search target's name, date of birth and Social Security number can easily call a hospital and pretend he's filling out forms for a new insurance policy. Insurers often ask applicants for prior medical history.

Companies are easily deceived, and a big problem is that some don't separate sensitive data from routine customer records, said Bob Campbell, managing director at Alpine Computer Systems, a security and privacy consulting company in Woodbridge, Va.

What's needed are multilevel access controls. "I've gone into organizations where all the personal information regarding a customer -- financial or insurance data, for example -- is available to all the employees that have any role in [customer] service," Campbell said.

Meanwhile, as the Touch Tone case progresses, company owners James and Regana Rapp agreed to stop pretext calling but "do not admit to any of the actual allegations," said their lawyer, Jim Butera, at Butera & Andrews in Washington.

Butera wouldn't say whether the Rapps are still in business and advised his clients not to do interviews.

To help Touch Tone fight the government and to defend pretext calling, brokers have formed a lobbying group that raises money by charging customers an extra $5 per search.

"Pretext is just a technique to mine data," said Lee Wind, a founder of the Coalition to Amend the Financial Information Privacy Act, in Mamaroneck, N.Y. "It is done very specifically and in all the cases, at least by the scrupulous brokers, for what we consider to be justifiable legal purposes."

The practice isn't wrong, in part because many brokers use it for good causes, such as to track down withheld child-support money or divorce settlements, he said.

Wind, an information broker in New York, co-founded the coalition last year to combat a bill pending in Congress that would outlaw obtaining someone's financial information under false pretenses. A vote on H.R. 30 is expected this year.

The FTC's Medine declined to say if the agency plans to pursue other information brokers. But he added, "If I were trafficking illegally in medical or financial information, I would not rest easy."

Stopping leaks

Aside from written -- and enforced -- policies against customer information leaks, companies can use technology and common sense to help guard against data seepage.

  • Database administrators can create dialog boxes that pop up on a customer service agent's screen when particular data is requested. For example, a pop-up note might ask, "Have you verified the caller's identity sufficiently?"

  • Programmers can write routines to track the frequency of calls about each customer account. Lots of calls about a single account can indicate someone trying to pry. When a threshold is crossed, the agent could be advised to transfer the caller to a security manager.

  • Agents should also be alerted to commonsense discrepancies, security consultant Rob Douglas said. "If a banker sees on his screen that the customer is 67 years old and the person on the line doesn't sound that way, be aware," he advised.

  • IT managers should also check up on outsourcers, which frequently hire subcontractors or even part-time at-home workers to do the routine data entry. Yet "there's very loose accountability" as the work moves further from the core company, privacy consultant Bob Campbell said. "The information brokers know where all these leakage points are."
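
The call-frequency routine suggested above can be sketched as a sliding-window counter per account. This is an added example, not code from the article or from anyone quoted in it; the 24-hour window, the threshold of three inquiries, the account IDs and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed look-back window
THRESHOLD = 3                  # assumed: inquiries tolerated per account per window


class InquiryMonitor:
    """Sliding-window count of customer-service inquiries per account."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._calls = defaultdict(deque)  # account id -> timestamps still in window

    def record(self, account, when):
        """Log one inquiry; return True when the agent should escalate."""
        calls = self._calls[account]
        calls.append(when)
        # Drop inquiries that have aged out of the window.
        while calls and when - calls[0] > self.window:
            calls.popleft()
        return len(calls) > self.threshold


def escalations(log, **kw):
    """Replay (ISO timestamp, account) pairs in time order; return those over threshold."""
    monitor = InquiryMonitor(**kw)
    flagged = []
    for stamp, account in sorted(log):
        if monitor.record(account, datetime.fromisoformat(stamp)):
            flagged.append((stamp, account))
    return flagged


# Constructed sample call log (not real data): (ISO timestamp, account id).
SAMPLE_LOG = [
    ("1999-06-21T09:05:00", "ACCT-1001"),
    ("1999-06-21T09:40:00", "ACCT-2002"),
    ("1999-06-21T11:15:00", "ACCT-1001"),
    ("1999-06-21T13:30:00", "ACCT-1001"),
    ("1999-06-21T15:45:00", "ACCT-1001"),  # 4th inquiry inside 24 hours
    ("1999-06-21T16:10:00", "ACCT-1001"),  # 5th inquiry inside 24 hours
    ("1999-06-23T10:00:00", "ACCT-1001"),  # earlier inquiries have aged out
    ("1999-06-23T10:30:00", "ACCT-2002"),
]

if __name__ == "__main__":
    for stamp, account in escalations(SAMPLE_LOG):
        print(f"{stamp} {account}: transfer caller to security manager")
```

Because old inquiries age out of the window, an account that was probed heavily on one day returns to normal handling once the window has passed, so the threshold needs tuning against ordinary call volume.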

Profile: Jane Doe

For $750, Computerworld hired an information broker to create a profile of our subject, whose name and complete Social Security number have been omitted to preserve what little privacy she has left. The following sampling of data, however, is real:

Date of birth: 6/22/53

Social Security number: 102-XX-XXXX

Cars: 1997 Lexus ES300, 1992 Lexus LS400, 1982 Toyota Cressida, 1986 Chevrolet C10 pickup truck (all cars traced to Doe are registered to her husband, whose Social Security number and date of birth were also recovered)

Cost of house: $218,500

Amount financed: $196,650

Annual real estate taxes: $3,782

House description: Four bedrooms, two-and-a-half bathrooms, two fireplaces, on 1.3 acres

Next-door neighbors: The Capones on one side, Stephen Pope on the other

Criminal record, driving tickets, liens, bankruptcies: None

Source: Ferguson Investigation Agency, Dumas, Ark.


© 2001 Cable News Network. All Rights Reserved.