Well, it seems like after the federal “justice” system left Patricia Dunn and her co-conspirators out of the jam they were in () with not even a slap on the wrist, FTC, the Congress and even Bush decided that they better pretend they care about pretexting, and have supported and signed an anti-pretexting law.
Why should you care about this? Well, for starters, what’s pretexting? Wikipedia says:
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. It’s more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc).
So, it’s a social engineering trick used to obtain information you shouldn’t have. Mostly, it’s used to obtain information about a person or company, like in the HP case (), in which pretexting was used to obtain the phone records of members of the board of directors and a couple of journalists. In the majority of cases, pretexting is done by impersonating an individual or company that does have the right to the information the pretexter is looking for, which many of us would believe to be identity theft, view that the US “justice” system seems to not agree with.
Now, with this new law, it’d outlaw:
…the practice of getting confidential phone records by “making false or
fraudulent statements” to a phone company employee, by “obtaining
false or fraudulent documents to access accounts” or by “accessing
customer accounts through the Internet” without authorization.
and would punish those breaking this new law with imprisonment of up to 10 years as well as fines. There are also cases in which additional time and heavier fines would be imposed.
Unfortunately, at least in the case of HP’s crappy corporate behavior, laws aren’t retroactive, so they still walk away with a slap to the wrist.
Sad state of affairs, but getting less bad with this new legislation.
Tags: Security, Tech
If you enjoyed this post, make sure you subscribe to my RSS feed!!
