I just read about HP’s board hiring investigators to find the source of a boardroom leak, and admitting that pre-texting was used by the investigators to obtain the cell phone records of reporters and board members. Pre-texting is the name given to a social engineering technique – you call the phone company and pretend to be the cell phone owner, and ask for the records. In this case, someone used Yahoo! email addresses to claim the online accounts of the cell phone owners, knowing as little as their names and the last 4 digits of their social security numbers.
HP’s board found their leak, and 2 people so far are not expected to be on the board anymore. The attorney general’s people of course are now involved, and I assume the investigators are in for some hot water. Small price to pay to find two board members and an information leak? If it seems so, that might just fuel a handful of million-dollar lawsuits (I hope).
Everyone should claim their own online account, even if they don’t use it. And also tell (don’t ask… tell) the cell phone company to put a password on your account that only you know. I did this with Verizon a year ago after reading about some Colorado Senator who had a company that re-sold cell phone records obtained through pre-texting (yes, it really is true). Verizon locked my account with a password, and it has been a hassle ever since because I picked a hard-to-pronounce password (what was I thinking… duh!). Anyway, at least it is safer than normal.
Is claiming your account secure enough without the extra password, which some cell companies might not be prepared to handle? No. The cell phone device is used as a token, so that if you go through a “lost password” sequence and have the device in your hand, you can reset the password. All you need is two minutes with the device, which is easily done by “making a call”. That may not make it easy for some overseas hacker to get your cell records, but it is a piece of cake for a fellow board member (ahem) who just needs to make a quick call.
Oddly, the CNet article actually published the IP address used to execute the pre-texting. It was 220.127.116.11, which appears to be a Cox cable IP address in Nebraska. The IP is assigned geocoordinates 41.2603, -96.0463. If that is correct, not too smart, guys. There goes the neighborhood, at least. Unless it was a zombie proxy, which I suppose we’ll find out in the next few weeks as the privacy concerns are addressed in the media. Oh, and isn’t it coincidental that the FBI has offices in that same neighborhood?