There is finally some buzz around the crime of impersonation to steal customer information, such as cell phone records. Data criminals have advertised such unsavory services openly, with impunity, for years. Now, people are noticing.
Let's review quickly: Criminals pretend to be you, get a copy of last month's cell phone bill and then sell it for about $100. The practice should scare anyone, even if you think your call history is fairly tame. What if your boss got it and used it to claim you were goofing off during work hours? What if your soon-to-be ex wife’s lawyer had a peek? Of course, the practice is even more scary to law enforcement types and their ilk.
Lately, the issue has gotten attention, spawning a new literary genre: the writer who buys a prominent person's cell records, then pens a dramatic narrative. The most recent is a blogger who bought former presidential candidate Wesley Clark’s records.
But the issue of customer service record privacy cuts much deeper than cell phone records, and requires much more than dramatic headlines or political grandstanding. Every time a piece of data is collected about you -- from the milk you buy at the grocery store to the toll you pay on the turnpike -- it can be stolen. It's time to talk about that.
The recent spate of news stories does have politicians jumping on the bandwagon. Gov. Rod Blagojevich of Illinois this month proposed legislation to ban sale of cell phone records. New York Sen. Charles Schumer is expected to propose similar legislation at the federal level soon. And both the Federal Trade Commission and the Federal Communications Commission are investigating, according to Rep. Edward Markey (D-Mass.).
Companies have reacted, too. Verizon and Cingular have filed lawsuits in an attempt to shut down some Web sites that advertise the practice. On Friday, a Federal Judge granted a temporary restraining order at Cingular’s request, calling on a Web site named LocateCell.com to stop advertising the unsavory practice.
LocateCell has gotten a lot of media attention of late. A Chicago Sun-Times reporter this month hired the company to look up his own cell phone records. It was also featured in a recent NBC News story by Kevin Tibbles.
Tip of the iceberg
All this activity is good, and long overdue. But shutting down LocateCell will do very little to stop the overall problem of stolen consumer records. Hundreds of other Web sites -- almost all of them run by digital-age private investigators -- will continue to obtain and sell cell phone records. And even if wireless providers start piling up the lawsuits, ravaging the stolen mobile bill industry, it’s important to know this problem goes far, far beyond cell records. A quick internet search reveals that these same companies offer to sell everything from bank account information to OnStar automobile tracking records.
This is why privacy wonks get so excited about our culture of rabid data collection. Perhaps it's not so bad to let your grocery store track your milk purchases if everyone involved in the data chain is honorable. But sometimes, they’re not. If there's a record, it can be stolen, cajoled from a confused customer service professional or bribed from a corrupt one. What $8-an-hour phone rep wouldn't consider an offer of a quick $50 to divulge someone's milk-buying habits? Particularly if that phone rep isn't even in the U.S., isn't even subject to U.S. criminal law?
Passing more laws that make theft of personal records illegal isn't a bad idea. Putting LocateCell out of business isn't a bad idea. But to security expert Avivah Litan, a Gartner consultant, that's simply sticking your finger in a leaky dam. Ultimately, companies that possess our data need to be held responsible, she said.
"Who gave the criminals the data? They did," she said. "They should be suing themselves."
Time to pay the piper
Litan consults with companies that are concerned about leaking data; often they call her after an embarrassing incident. She says there are effective technologies that can be used to deter the theft of data, and firms that keep track of us need to start ponying up the cash to protect us. She generally has two recommendations.
The first is simple, but effective: It's called "out-of-band authentication.” Call your wireless firm asking for records; you receive a text message with a PIN number that must be supplied to the customer service rep before the conversation proceeds. Visit your online broker and try to change your automatic deduction settings? You get an old-fashioned letter in the mail. Out-of-band notification isn't fool-proof, but it sharply increases the odds that the person calling the company is really the person who's entitled to the information. By sending a simple text message to your cell phone, the wireless company can be pretty sure they are talking to the person who is holding their phone. That would stop many thefts such as those allegedly committed by LocateCell. And it has the added benefit of notifying consumers every time their records are accessed.
But out-of-band notice doesn't go far enough, Litan says. Much of this data theft is the result of a corrupt insider, who can evade such practices. So an even better solution, she said, is "out-of-character" testing.
Consumers know this technology well. Every time you take a trip to Europe, your credit card company calls to ask if that's really you buying the Irish sweater in Dublin. In the business, it's called "transaction anomaly detection."
Similar software can be used to watch the actions of customer service representatives. Someone who suddenly accesses several dozen records at the end of a shift probably isn't being suddenly productive; they're probably stealing. Likewise for an agent who normally helps consumers in the northeast who suddenly looks up a Utah caller's records.
"I would say 95 to 99 percent of the (fraudulent) transactions are out of context with the normal flow of work," Litan said. Companies can implement such solutions for around a half-million dollars; a small price to pay for such essential consumer protection.
There ought to be a law
That's not to say criminals shouldn't also have to pay. Security Consultant Rob Douglas, who runs PrivacyToday.com, helped the Federal Trade Commission run a sting against data theives in 2000. At the time, he found 1,000 Web sites claiming to sell such information; a similar number still advertise stolen data, he said. Part of the reason, Douglas says, is a lack of clarity about the illegality of the practice of calling up a company and pretending to be someone else for the purpose of obtaining information -- called pretexting, or calling under a false pretext.
Federal law does explicitly make pretext calling to obtain financial records illegal. But the legal question is a bit more murky for data such as cell phone records. It might be identity theft; it might be an unfair and deceptive trade practice, and thereby run afoul of the Federal Trade Commission Act. But to end the discussion, and to cut off the legal running room the data thieves claim, Douglas is in favor of a federal law which makes pretexting explicitly illegal.
“Until Congress makes it absolutely clear that pretending to be someone you are not in order to deceive any business into turning over customer information is illegal, the practice will continue,” he said. “Outlaw the practice for just phone records and the data thieves will turn to cable and satellite television records."
Few options for consumers
For now, consumers are left with some scary headlines and very few realistic options. Adding an additional password to your customer service records is a good idea -- Cingular now recommends it. But that's a hassle, and few consumers will do it. Watching your accounts for signs of suspicious activity couldn't hurt. Asking customer service reps to tell you when the last time your records were accessed might tip you off that someone else has looked up your account.
Still, those practices won’t stop a determined criminal. If there are records, they can be stolen, Litan said. And there’s little consumers can do to drop out of the big database in the sky that tracks what we buy, where we travel, and whom we talk to. Such databases are a gold mine for anyone who might want to spy on us.
“There really is nothing we can do to stop the flow of information," Litan said. “We have to rely on the companies that have it.”