TREASURY & RISK MANAGEMENT
December 2006 / January 2007
WHO DO YOU TRUST?
How to protect your company from becoming a victim of pretexting.
By Esther Shein
The recent spying scandal at US computer maker Hewlett-Packard garnered plenty of headlines – with good reason. The episode, essentially a clandestine operation intended to plug press leaks, harkened back to the tactics of the Nixon Administration and its infamous Plumbers unit.
Despite the dubious morality and legality of HP’s spying operation, some observers suggested that the company’s covert activities might not be all that unusual. Maybe. But companies are far more likely to be victims of pretexting than they are to be perpetrators. The unsettling lesson from the HP affair is that its operatives had very little difficulty extracting sensitive information about the company’s directors and officers. Says Joel Gross, principal of US security firm Risk Strategies International: “No matter what you do, someone is going to get pretexted in an organization.”
Pretexting, the art formerly known as social engineering, involves gathering an individual’s personal information under false pretenses. A favorite method of black-hat hackers for pilfering personally identifiable data, pretexting can take several forms. In HP’s case, private investigators pretended to be the very people they wanted to get information about. In other instances, pretexters claim to be company managers in order to get valuable information about employees.
Sometimes, pretexters pose as low-level employees like maintenance workers or repairmen. Jay Foley, executive director of the not-for-profit Identity Theft Resource Center, says companies spend considerable cash on sophisticated monitoring software and security devices but ignore obvious weak spots. “They forget that cleaning people come in and carry all that hard paper out the door,” he says. “It’s the simple things that sneak up and beat you.”
Pretenders’ Greatest Hits
And companies get beaten a lot. According to the “2006 Computer Security Institute/FBI Computer Crime and Security Survey,” unauthorized access to information was the fourth most common attack that organizations experienced last year (viruses, laptop/mobile-device theft, and insider abuse of internet access topped the list). Nearly a third of the survey respondents said they had experienced a breach of information in the past 12 months.
Stopping pretexters isn’t easy. Executives who pay personal or business bills online can be fooled into going on to bogus websites. What’s more, corporate health insurers and financial-service providers often use US Social Security numbers as de facto ID numbers. Armed with somebody else’s SSN, a pretexter generally has little difficulty obtaining additional private information on that person.
But as in the HP case, phones or phone records offer the easiest access to personal data, and any effort to protect such data should begin there. For starters, managers might consider the advantages of prepaid cell phones. Since US prepaid carriers like Tracfone and Virgin Mobile don’t record calls to assess monthly charges (the bill is paid in advance), they don’t generate identifiable phone logs. Outgoing calls do get recorded in the accounts of those receiving the calls, but prepaid providers rarely include a name to go with the phone number. The downside: Tracfone and other prepaid cellular providers don’t include email or web-browsing in their services yet.
Doug Howard, COO of managed security firm BT Counterpane, advises managers to inform phone providers not to give out records without written authorization. Howard also advises clients to tell their phone carriers and credit-card and utility providers to send records via regular mail. This ups the ante for would-be thieves. “If someone goes into my mailbox,” he explains, “that’s a federal crime (in the US).”
In addition, companies need to provide periodic training for workers, particularly those who handle outside requests for information. “[Often], that’s where the weak links are,” says Risk Strategies’ Gross. Much of the training should involve role-playing. That way, a worker will direct calls to the right department, thereby reducing a pretexter’s ability to troll for information. “If you educate every person, you extend security down to the lowest common denominator,” Gross notes. “Everyone will know what pretexting is and who to call in the event it happens.”
The same rules apply at home. Surprised? Don’t be: pretexting is just as likely to happen at home as at the office. So it’s important to educate family members about the dangers of pretexting. One rule of thumb: never give out any personal data unless you place the call yourself. Phone pretexters often mask their true intent by asking ten innocuous questions before slipping in the one they’re actually interested in.
Esther Shein covers technology from the US.