5 ways to protect yourself against pretexting
That HP investigators got personal phone records of others without their consent shows how anyone pretending to be you can get access to your valuable personal information.
NEW YORK (CNNMoney.com) -- It's not just about millionaires spying on other millionaires.
"Pretexting," the tactic investigators hired by Hewlett-Packard used to snoop on HP board members and reporters, is a big concern for everyone.
The practice involves someone pretending to be you or pretending to be someone representing you to get phone records or other valuable information.
Consumers are already extremely vulnerable to pretexting by any number of entities, including identity thieves, brokers who sell personal data, stalkers and anyone who wants to get a better handle on your circumstances and affiliations.
According to Robert Ellis Smith, publisher of The Privacy Journal, several parties potentially might be interested in your phone records, including employers, exes and debt collectors.
When it comes to gaining access to your financial records, thieves might want your banking or credit records to gain access to your funds, open accounts in your name or otherwise build enough of a profile to pass themselves off more convincingly as you.
The criminality of pretexting is not as clear cut as one might hope.
"From a civil perspective, it is illegal to use pretexting to gain access to confidential consumer records," said Robert Douglas, editor of PrivacyToday.com. In other words, the pretexter, if caught, may be subject to fines.
In addition, Douglas said, many states -- including Colorado and Illinois -- have outlawed the use of pretexting to obtain phone records, with some of them making it a civil offense and others making it a criminal offense, punishable by prison.
And in many cases, pretexting may be criminally prosecuted under other laws such as identity theft and fraud.
To date, however, it has been hard to prove that anyone other than the actual party that engaged in pretexting is guilty of a crime. "It's very difficult to get someone twice or three times removed from the act," Douglas said. In HP's case, for instance, prosecutors might need to prove that someone at HP had knowledge of the methods investigators would use to obtain the phone records.
"'Should have known' isn't a standard in the law," Douglas said.
What can you do to protect yourself?
"If someone wants to pretext you, they can do it because the system is so easy to beat," said attorney and privacy consultant Mari Frank.
One way to make the system less easy to beat is to insist that the companies with which you do business strengthen the way they verify your identity when you (or a pretexter pretending to be you) request your records.
Frank recommends that you contact your phone companies, banks and any other businesses where you have accounts, and do five things:
-- Change your passwords so that they are at least 8 to 10 characters long, combining letters and numbers. Be sure, too, to change your passwords every six to eight months.
-- Insist the company never use your Social Security number for verification of your identity and instead use a randomly assigned number.
-- Ask the company to use three to four pieces of information to verify your identity, especially if it continues to use the last four digits of your Social Security number.
For example, have them ask you specific questions as part of the verification process, with answers that are not easy for others to get. Instead of asking for your mother's maiden name -- information which can be found in plenty of databases -- it would be better to be asked something along the lines of "What is the name of your favorite teacher in grade school?"
-- Insist that they only send account statements to your home address.
-- Insist that they only accept a change of address request in writing and that they verify that you want that change of address either by calling you or sending a postcard to your old and new addresses.