Pretexting Is Alive and Well in Corporate America
MELISSA BLOCK, host:
From NPR News, this is ALL THINGS CONSIDERED. I'm Melissa Block.
ROBERT SIEGEL, host:
And I'm Robert Siegel.
Here's the latest twist in the tale of Hewlett Packard and its attempt to prevent news leaks by spying on its board of directors and reporters. Newspaper reports today suggest that HP's chief executive, Mark Hurd, played a more active role in the leak investigation than was previously known. Hurd has scheduled a news conference tomorrow. HP has admitted using private detectives who obtained the telephone records of board members and reporters.
As NPR's Scott Horsley reports, that's a trick that's long been used to track deadbeat borrowers and cheating spouses.
SCOTT HORSLEY: Hewlett Packard used a variety of private detectives in its search for the source of boardroom news leaks. The company hasn't said publicly who actually obtained the personal phone records, but security consultant Robert Douglas says HP and its helpers wouldn't have had to look very far.
Mr. ROBERT DOUGLAS (Security Consultant): There are 40,000 private investigators in this country. I would venture to say 95 percent of them know somebody who can get banking and phone records and far too often are willing to put clients in touch with someone who's willing to steal information.
HORSLEY: New Jersey investigator Jimmie Mesis says phone records can be extremely useful in locating debtors who disappear or parents in custody battles who run off with their children. Mesis, who also publishes PI Magazine, once tracked down a woman who'd kidnapped her child in less than 12 hours, after obtaining telephone records from the woman's father.
Mr. JIMMIE MESIS (Private investigator): Now why couldn't law enforcement have done that? They said the woman's father had nothing to do with the case and they wouldn't be able to get a subpoena or warrant for those toll records. We were able to get the phone records by using a subcontractor that is able to get toll records and got them.
HORSLEY: And do you know how the subcontractor got the records?
Mr. MESIS: No idea. We put in the request and we got them. That's all we know.
HORSLEY: That kind of response is typical in the underground information business, where personal data passes from hand to hand and no one asks too many questions about where it came from.
At the center of this industry are a relatively small number of professional con artists who actually gather the information. For two decades James Rapp was one of the best. Before he plead guilty to racketeering charges in Colorado in 1999, Rapp says his company was grossing about a million dollars a year. By pretexting, or pretending to be someone else, Rapp could get phone records, bank records, even medical records. All it took was a telephone and a willingness to end the truth.
Mr. JAMES RAPP (Private investigator): Of course, you had to impersonate, you had to lie. There's just no way around that lie. A lot of my former employees are still working throughout the country and nothing's really changed.
HORSLEY: Phone companies take precautions to protect their customers' information, but even the best trained customer service representative can be fooled by a wily con artist posing as a legitimate customer. It takes charm and improvisation, Rapp says. Not everyone can do it.
Mr. RAPP: I want to equate it in that respect to the NFL. Everybody wants to try out, very few can make it.
HORSLEY: Successful pretexters are persistent. Congressional investigators have obtained emails in which con artists write about trying four times, eight times, even 10 times to obtain a piece of information. Rapp says eventually he usually got what he wanted.
Mr. RAPP: My first contact may be let's go over the last bill, did you get a payment for it. Oh really? What date did you get that payment? And if the person's real friendly I may push and if they're not I'm going to stop. And then I'm going to go in the next call and I'm going to say wait a minute, now I've got a question about my last payment on this date.
And why would they not believe me? Because now I'm telling them exactly when the bill was mailed, when they got the payment and exactly how much. So now I've got a better foot in. They're going to want to help me. Oh, what do you want to know.
HORSLEY: Pretexting for financial information as expressly outlawed seven years ago. But until recently, pretexters who go after other kinds of information were rarely prosecuted, even though they may be breaking antifraud statutes or laws against identity theft. Rapp freely admits he sometimes broke the law to get the records he wanted. And he didn't hide that fact from the people he worked for.
Mr. RAPP: Some clients even said now I don't want you to break any laws. I said ok, well, then find somebody else. And they didn't like that, but most clients, truthfully, they understood maybe not the techniques that you were going to use, but they understood that if this was what they wanted to know, this was what you were going to do to achieve it.
HORSLEY: Others selling personal records are less candid. One data broker told Congress his company relied on public databases or Internet searches to get personal information. Even though he'd promised a client in an e-mail, quote, "no database information, just real-time info obtained directly from the telephone carrier."
Security consultant Douglas says other vendors have claimed to have legal proprietary methods for obtaining personal records. But those proprietary methods turn out to be the same old con.
Mr. DOUGLAS: What I always warn people is these are professional liars. They lie for a living. They lie to steal the information. And they lie to the client to try to convince them that what they're doing is perfectly lawful.
HORSLEY: And Douglas says Hewlett Packard is not the first big company to play along, either wittingly or unwittingly. Pretext information's been used to track debtors and suspected insurance cheats. Data brokers questioned by the House Energy and Commerce Committee this summer said their clients include Chase Bank, Wells Fargo, and Progressive Insurance.
Mr. DOUGLAS: This is the dirty little secret in the underground information business. The money that fuels these businesses is coming from major corporations.
HORSLEY: Chase Bank declined to comment. Wells Fargo says it stopped using the data broker last year. And Progressive Insurance says it expects all of its vendors to obey the law. The law may soon get tougher. A bill before the house would expressly outlaw pretexting for telephone records and also make it illegal to buy and sell such information. Still veteran pretexter Rapp doubts any new law will completely stop the practice, so long as someone, like HP, has a need for the information.
Mr. RAPP: Did they have a legitimate gripe or a concern? Absolutely. I'm sure it's done all over. They just got caught.
HORSLEY: Scott Horsley, NPR News.