Pretexting.. Heh, used to be called Social Engineering
Prosecutors have filed “pretexting” charges in the first cases brought under a federal law passed in 2006 in the wake of the Hewlett-Packard spying scandal.
Pretexting is a method in which a perpetrator poses as a phone-company customer, or someone else, in order to request records of the customer’s phone calls.
Authorities in Ohio filed an indictment last month against 28-year-old Vaden Anderson alleging that the defendant used pretexting to obtain confidential phone records from Sprint/Nextel. According to the indictment, Anderson served the phone company with a fake U.S. District Court civil subpoena to obtain the records.
If convicted, Anderson faces a maximum prison sentence of 10 years and a $250,000 fine.
In a separate Alabama case, Nicholas Shaun Bunch was charged in November with using a victim’s name and the last four digits of his Social Security number to obtain confidential phone records from T-Mobile. He was also charged with aggravated identity theft for use of the victim’s Social Security number.
Bunch agreed to plead guilty to both charges and pay restitution in an amount to be determined by the court. The pretexting charge, as in the Ohio case, carries a possible prison sentence of up to 10 years and a fine up to $250,000. The aggravated-identity-theft charge carries a possible sentence of up to two years per offense and a fine of up to $250,000. The government has agreed to recommend a decrease in his sentence for his cooperation.
Private investigators and data brokers have used pretexting for years to obtain records for their clients, but the tactic was unknown to the general public until September 2006 when private investigators working for Hewlett-Packard were found to have used the method to spy on company board members and reporters.
The Telephone Records and Privacy Act, which outlaws the pretexting of phone records, was introduced in the House in February 2006, shortly after news broke that Verizon had filed lawsuits against data brokers who used pretexting to obtain the phone records of thousands of its customers. The House passed the bill, and it moved to the Senate in April of that year where it languished until the HP story broke that September. The Senate passed the bill three months later in December, and the law went into effect in January 2007.
So I am guessing that this is focused on “phone records” and not so much a charge that could be used against someone performing a social engineering exploit? Either way, it seems that perhaps you could be charged with the above sentencing guidelines for “pretexting” anything…