Pretexting: The Legal Basics, Then and Now
Two experts in information security law explain how laws about telephone pretexting have changed since the HP scandal
By Sandy Kendall
December 14, 2007
CSO
By Joseph M. Burton, Esq. and Gregory G. Iskander, Esq.
Webster’s defines the term “pretext” as “that which is put forward to conceal a true purpose or object; an ostensible reason; the misleading appearance or behavior assumed with this intention.” Although the variation “pretexting” is not in the dictionary, the use of the term has become commonplace--primarily because of its extensive use in the media after the HP scandal in 2006, when investigators used questionable tactics to research leaks from HP’s board of directors. (See CSO’s in-depth coverage, “Five Things about Investigations That Won’t Change as a Result of the Hewlett-Packard Scandal” for details.)
Largely in response to the public outcry against the perceived invasion of privacy, in the last year Congress and many states have passed new anti-pretexting laws. This article provides an overview of pretexting and information about some of the key federal and state statutes that now regulate the access of private telephone records.
The Definition of Pretexting
In 2001, the Federal Trade Commission issued a publication on pretexting, defining it as “the practice of getting your personal information under false pretenses.” As described by the FTC definition, pretexting goes beyond obtaining telephone records. Pretexters also seek to obtain bank records, credit card numbers, Social Security numbers, credit reports and other personal information.
Typically, an investigator will pretend to be an individual (the target), using some personal information already gathered, to gain access to other information about that target held by a third party. A good example is set forth in the warrant supporting the charges in the HP case:
Second, an account can be created by the customer on-line by providing the telephone number and the last four digits of the customer’s social security number. “Pretexting” is accomplished by using the legitimate customer’s information to gain access to the on-line account.
Finally, an account can also be created by using a multi-digit code that is found on the customer’s “paper” billing statement. “Pretexting” here involves tricking AT&T service representatives to reveal this code. A common tactic employed is to pretend to be the customer who lost their billing statement and who needs to make an on-line payment.
Of course, there are many techniques that creative investigators use to gather personal information about a target. Some of those methods, such as pretexting, may be considered unethical by many, but whether they are illegal (or were illegal at the time of HP’s investigation, for that matter) is another question. This gap between what many people perceived to be unethical and what was actually illegal has led to a proliferation of federal and state laws in the past two years.