phone records for sale

coderman coderman at gmail.com
Fri Jan 6 14:50:18 PST 2006


http://www.suntimes.com/output/news/cst-nws-privacy05.html

---cut---
Steven M. Bellovin Fri, 06 Jan 2006 14:02:12 -0800
18 USC 2702(c) says

        A provider described in subsection (a) may divulge a record or
        other information pertaining to a subscriber to or customer of
        such service (not including the contents of communications
        covered by subsection (a)(1) or (a)(2)) ...

        (6) to any person other than a governmental entity.
...
If the phone companies are not giving it out voluntarily, perhaps
they're being tricked or perhaps they have corrupt employees.
---end-cut---

from the article:
""In some cases, telephone company insiders secretly sell customers'
phone-call lists to online brokers, despite strict telephone company
rules against such deals, according to Schumer.""

the call center employees and other data services API's (less common)
is exactly how they do it.  t-mobile, verizon, sprint, they all
contract out to call centers for various things which provide the call
center operators a restricted environment in which to use their
internal applications (usually IE, sometimes Remedy or Oracle Forms,
graphical Java apps, etc).

obviously part of the features of these applications is search by
name, MIN, account, etc.  often you can access a person's entire
account through such systems and very little if any oversight is
provided.  the carriers sole focus (as it seems) is to prevent
fraudulent equipment/phone deliveries to operators using customer
accounts.  they could care less about unauthorized access given their
lack of any attempt to halt such activity.

in addition to this, many of these internal networks are horribly
insecure, as was well demonstrated by the t-mobile hacks earlier this
year. [1]

the only reason they continue to get away with such poor practice is
that these networks are (in theory) all internal with dedicated lines
from the call center back to the carrier networks on which the
applications are run. and the fallout from their insecurity is not
directly attributable back to them (they can and do blame various
middle men, from devious operators to negligent call center policies,
etc)

[1] http://www.theregister.co.uk/2005/02/16/t_mobile_hacker_guilty/

----

more fun quotes:

"To test the service, the FBI paid Locatecell.com $160 to buy the
records for an agent's cell phone and received the list within three
hours, the police bulletin said."

"I would say the most powerful investigative tool right now is cell
records," Rizzo said. "I use it a couple times a week. A few hundred
bucks a week is well worth the money."





More information about the cypherpunks-legacy mailing list