Verizon Gave Phone Data To Armed Stalker Who Posed As Cop Over Email (404media.co) 27
Slash_Account_Dot writes: The FBI investigated a man who allegedly posed as a police officer in emails and phone calls to trick Verizon to hand over phone data belonging to a specific person that the suspect met on the dating section of porn site xHamster, according to a newly unsealed court record. Despite the relatively unconvincing cover story concocted by the suspect, including the use of a clearly non-government ProtonMail email address, Verizon handed over the victim's data to the alleged stalker, including their address and phone logs. The stalker then went on to threaten the victim and ended up driving to where he believed the victim lived while armed with a knife, according to the record.
The news is a massive failure by Verizon who did not verify that the data request was fraudulent, and the company potentially put someone's safety at risk. The news also highlights the now common use of fraudulent emergency data requests (EDRs) or search warrants in the digital underworld, where criminals pretend to be law enforcement officers, fabricate an urgent scenario such as a kidnapping, and then convince telecoms or tech companies to hand over data that should only be accessible through legitimate law enforcement requests. As 404 Media previously reported, some hackers are using compromised government email accounts for this purpose.
The news is a massive failure by Verizon who did not verify that the data request was fraudulent, and the company potentially put someone's safety at risk. The news also highlights the now common use of fraudulent emergency data requests (EDRs) or search warrants in the digital underworld, where criminals pretend to be law enforcement officers, fabricate an urgent scenario such as a kidnapping, and then convince telecoms or tech companies to hand over data that should only be accessible through legitimate law enforcement requests. As 404 Media previously reported, some hackers are using compromised government email accounts for this purpose.
Wait! What? (Score:2)
the dating section of porn site xHamster
xHamster has a dating section? Gotta go now ...
Re: (Score:2)
xHamster has a dating section?
I'm assuming "dating" is used more of a euphemism for hooking up a la Tinder/Grindr. This [reddit.com] also comes to mind.
No verification? (Score:2)
Maybe this simply isn't a tactic criminals have thought to exploit much. But it seems like it should be standard if you get a warrant or EDR (electronically or paper) you should have a standard way to verify its authenticity with the court or law enforcement org that issued it.
Re: No verification? (Score:2)
Well, what needs to happen here first, is we need to dig deeper into if they have an SOP for this. I would be very surprised if such a large telecom *didn't* have an SOP in place.
Deeper than that, we need to see what the Verizon employee who answered the phone did. Did they use their tools and KB articles to try and find out what they should do? Did they panic and just go with it for fear of reprisal from the (alleged) police? If the employee DIDN'T do the right thing, how well had Verizon trained them,
Re: (Score:2)
SOP won't help. There's a loophole for exigent circumstances in the law. And there are small town, four deputy departments that will claim they don't have the proper log in credentials or even trained personnel to navigate the telecom's law enforcement portal.
On the other hand, if they really are a four deputy department, it's unlikely that they will be able to chase that Verizon rep all the way to Kolkatta.
Re: No verification? (Score:2)
What do you *mean* "SOP won't help"?
Having an established method by which a Verizon employee is supposed to interact with law-enforcement won't help? So you expect all Verizon employees should just wing it when someone says they're a cop?
Re: No verification? (Score:2)
Cite the law you are speaking of, please.
Not the guy's fault, the victim was just too picky (Score:2)
I mean, if they rule out every guy with a lizard tongue, or a low I.Q., or an explosive violent temper, of course they're gonna be lonely.
Disclaimer for the oblivious: It's a (slightly tweaked) Futurama quote - it's not my actual opinion.
Verify the sender (Score:2)
Everyone's talking about Verizon needing to stop and verify the sender, which is good practice. How about police issue an advisory such as "we will never ask for a 'suspect's' personal information over a personal email/phone? That's a simple rule, so it'll never happen.
As cop dramas like Law and Order demonstrate, anything can be the crime of obstructing police, so Verizon and others can't demand verfication. If the government really cared, they would enforce these very rules on 'I say so' warrants an
Cancel and Sue (Score:3)
The victim should cancel and sue Verizon for 100 million dollars and make as much noise as possible over it. Need to sway as much public opinion that Verizon is bad, evil, and the way they give up our data is not okay.
Re: (Score:2)
If they had the money to hire a lawyer and sue Verizon with any hope of success, they don't need to sue Verizon to be rich.
It was probably settled out of court.
Re: (Score:2)
This is a standard slam dunk case a lawyer would take on at own risk for a fraction of the expected verdict afterwards. No plaintiff cash needed for that. And yes, it would be pretty stupid to sign a settlement offer without prior review of that agreement by a lawyer.
How do you verify a law enforcement request? (Score:2)
Re: (Score:2)
Re: (Score:3)
Did you not read the article? He sent the requests to the VERIZON CORPORATE LEGAL TEAM that specifically deals with LE requests. Not a half-trained clerk in a rural town, but the core group in Verizon's Legal department that's supposed to be able to vet these and respond to legitimate requests. And they just rolled over and handed him the goods with no validation. And apparently not for the first time, either.
Either Verizon's training and oversight are completely substandard (and what else are they scre
Re: (Score:2)
My experience in LE is that when you call and ID yourself as LE and mention a case... that's almost always enough to have people enthusiastically provide the access you request unless they're involved in an incident or the company they work for has very strict policies they continually reinforce with employees.
I was never involved in an inappropriate request, but the lack of concern with which people handed over stuff to someone based on a phone call was a bit disturbing. I suppose it helped that they were
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
You'll end up with a minimum of 51 parallel systems, as each state will insist on running its own, and the Feds will need theirs. That doesn't mean it can't work, though. Vehicle registrations are handled the same way and out-of-state cars are not difficult to look up (generally).
Just an email? (Score:3)
Re: (Score:2)
It is as if the process was in place for a reason! (Score:2)
The "warrant" process exists for a reason (to prevent abuse). Removing the safe guards will inevitably result in abuse.
Social engineering dept, how can I help you today? (Score:2)
Great news for criminals! (Score:2)
Verizon's compliance area is full of rubes.
Directly to legal dept (Score:2)