
The Federal Communications Commission hopes to keep consumers safe with new regulations aimed at phone companies

The Federal Communications Commission recently strengthened privacy rules to protect users by forcing phone carriers to make customer data more secure.  The new regulations follow new federal legislation to ban pretexting altogether.

The FCC will use several new methods to attempt to keep personal data safe, targeted specifically at phone companies -- land-based, wireless and voice over IP (VOIP).

The first major regulation overhaul will force phone carriers to stop releasing phone records to customers unless the customer calls and provides a password.  Without a password, records can be released only by sending them to the customer's postal address and/or by calling the customer to confirm.

"The unauthorized disclosure of consumers' private calling records is a significant privacy invasion," said Kevin Martin, FCC chairman.  "Compliance with our consumer protection regulations is not optional for any telephone service provider."

To further protect consumers, phone carriers are now required to notify the customer of any of the following changes -- password, back-up for forgotten passwords, an online customer account or address of record.

The FCC hopes that these additional measures will ensure that customer records and personal information do not go to the wrong parties.
  • Carrier Authentication Requirements. Carriers are prohibited from releasing a customer’s phone call records when a customer calls the carrier except when the customer provides a password. If a customer does not provide a password, carriers may not release the customer’s phone call records except by sending it to an address of record or by the carrier calling the customer at the telephone of record. Carriers are required to provide mandatory password protection for online account access. Carriers are permitted to provide all customer proprietary network information (CPNI), including customer phone call records, to customers based on in-store contact with a valid photo ID.
  • Notice to Customer of Account Changes. Carriers are required to notify the customer immediately when the following are created or changed: (1) a password; (2) a back-up for forgotten passwords; (3) an online account; or (4) the address of record.
  • Notice of Unauthorized Disclosure of CPNI.  A notification process is established for both law enforcement and customers in the event of a CPNI breach.
  • Joint Venture and Independent Contractor Use of CPNI. Consent rules are modified to require carriers to obtain explicit consent from a customer before disclosing a customer’s CPNI to a carrier’s joint venture partners or independent contractors for the purposes of marketing communications-related services to that customer.
  • Annual CPNI Certification. Certification rules are amended to require carriers to file with the Commission an annual certification, including an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the previous year regarding the unauthorized release of CPNI.
  • CPNI Regulations Applicable to Providers of Interconnected VoIP Service. CPNI rules are extended to cover providers of interconnected voice over Internet Protocol (VoIP) service.
  • Business Customers. In limited circumstances, carriers may bind themselves contractually to authentication regimes other than those adopted in this Order for services they provide to their business customers that have a dedicated account representative and contracts that specifically address the carrier’s protection of CPNI.

Pretexting once again garnered attention after it was discovered that Hewlett-Packard used pretexting as one of the key ways for the company to spy on employees and journalists.  HP revealed that it hired a third-party company which used investigators who pretexted to get access to phone records.  The scandal forced several prominent HP board members to resign, with charges against several executives being dropped.

While the FCC approved a handful of changes, the organization turned down a provision that would allow phone carriers to not tell customers of record breaches up to 14 days after the event occurred.

The FCC order ultimately puts the burden of phone pretexting on the shoulders of the telcos. The mandate also bolsters federal involvement in security breaches.  Section 64.2011 of the order reads, "As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility.  The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni."

Even with these strong security measures, phone companies are still not entirely required to notify customers during a breach. Because of this loophole, the mandate has drawn strong criticism, particularly from several FCC commissioners.

"Despite the Order’s conclusion that customers should have notice of unauthorized disclosure of customer information, this Order set up a process which can result in the unnecessary and even indefinite delay of consumer notification without any accountability," states FCC commissioner Jonathan Adelstein.



By crystal clear on 4/4/2007 8:31:03 AM , Rating: 1
Could This Be The 'Longest-Running Internet Breach Ever'?

That old saw, "We're from the government, and we're here to help you," could stand some updating in this digital life. How about this one: "We're from the government, and we're here to give your identity away, no questions asked."

That was pretty close to it in California over the last three years, and who knows right now on how many local, state, county, and federal Web sites nationwide?

State Assemblyman Dave Jones has accused the state of "selling an identity theft starter kit on the Internet" after he discovered the gaping security hole on the California secretary of state's Web site. The site had been posting uniform commercial code filings -- which are voluntarily provided by banks -- with "enough information to open a credit card in someone else's name." Jones said the state was selling Social Security numbers for $6 each, an Internet connection, and a credit card. As a test, Jones bought 20 public records, 14 of which he said contained enough information to enable him to open credit cards in someone else's name, had he wanted to.

The filings are only supposed to be available to financial institutions and contain information about collateral used for loans, mostly from businesses, but some personal loans as well. The state has to accept the filings, but good lord, it doesn't have to make the information so easy to access online.

http://www.informationweek.com/showArticle.jhtml;j...

Copyright 2009 DailyTech LLC.