How Pretexters Steal Your Private Information

Al Schweitzer, a former pretexter, described before Congress the underlying principle of how, for fun and profit, he was able to trick various agencies and institutions into giving up other people’s confidential and personal information.

Identify the piece of information you are after; identify who or what institution is the custodian of the information sought; based on real world situations or actual operational procedures of the target institution, figure out under what circumstances and to whom the desired information would be released; be that person under those circumstances.

Emphasis added. Using this method Al was able to get people’s phone records, bank statements, and tax returns for his clients, who were often insurance companies, lawyers, and law enforcement. He successfully pretexted the IRS and the Social Security Administration. Simply put, if someone with money wants it, your personal information is not secure.

[via Red Tape Chronicles]


Edit Your Comment

  1. socalrob of the 24 and a half century says:

    It almost sounds like this should be illegal. Its Social Engineering. He’s a glorified hacker.

  2. lostalaska says:

    Isn’t it illegal to impersonate someone even by phone for the purpose of getting someone’s personal information?

    …and that guys a douche

  3. lostalaska says:

    @socalrob: Excellent point he’s a Social Engineering douche… much better

  4. clevershark says:

    That word, “hacker”… it does not mean what you think it means.

  5. Anonymous says:

    This is how Kevin Mitnick got details on the Motorola StarTAC before it was released.

    This is actually old school hacking.

  6. target_veteran says:

    It is illegal; it’s called fraud. Depending on the lies told, this may fall under the criminal or tort definitions. That’s the inclusive or, btw.

    Now, it’s scary how easy it is to do this. All you really need is to tell people what they want to hear and have the confidence to not look/sound nervous. Social engineering is just the scientific study of confidence scams. If you know an agency’s protocols, lingo, and operating procedures, you can pretty much do anything you want, on the assumption that people don’t care.

  7. bricklayer says:

    Great. Sprint wouldn’t give me my own phone records even after I verified my identity. I guess I should have asked this jerk.

  8. molife says:

    Al Schweitzer is the grandfather of pretexting in the modern day. At one time he used his skills for not. But he – like many “hackers” – is probably the most valuable tool to thwart this type of offense there is. That one paragraph sums up the complete and final strategy for getting information you want that others don’t want you to have.

    Next time you call a company that has your private information – ask yourself how hard it would be for anyone to call up and say what you just said and receive your private information. This will give you some idea of how easy it is. And how lax most companies security really is.

    Great post. I’m surprised. You really did your homework. Al Schweitzer should be the first person companies turn to when they’ve had a pretext breach. He wrote the bible on pretexting back in the 80’s.

    Funny side note – he published it on red paper with black ink – as copy machines at that time could not reproduce a copy. The red original turned the copies black. Not that anyone couldn’t have retyped it. But pretty funny coming from a guy like him.

  9. Buran says:

    @lostalaska: Yes and yes. Why isn’t he in jail with all his “service fees” taken from him?

  10. varco says:

    When did fraud start being called “pre-texting”?

    It sounds cool when you’re talking about “hackers” or “social engineering” stealing Paris Hilton’s Sidekick pics, but it’s not so cool when the insurance company use it to steal personal information and deny you coverage or when the local meth head uses it to steal your identity and credit to fuel his habit.

  11. Hedgy2136 says:

    I had someone calling my cell number that I didn’t want to talk with (yeah, it was a collector, but that really is beside the point). I called T-Mobile and had my cell number changed. Within 2 days, the collector was calling my cell phone again, relentlessly. Mind you, I hadn’t given the new number to anyone! I called T-Mobile to get the number changed again and explained to the rep that either someone used pretexting to get the new number or someone on the inside was leaking this info. I actually had to explain to him what pretexting was. He was very helpful, though. They changed the number again, without charge and put a password on my account so if my number was leaked again, it would have to be an insider providing it.

  12. Buran says:

    @Hedgy2136: Also consider a drop dead letter if this happens again. They have to stop calling if you tell them to.