
Verizon Gave Phone Data To Armed Stalker Who Posed As Cop Over Email (404media.co) 27

Slash_Account_Dot writes: The FBI investigated a man who allegedly posed as a police officer in emails and phone calls to trick Verizon to hand over phone data belonging to a specific person that the suspect met on the dating section of porn site xHamster, according to a newly unsealed court record. Despite the relatively unconvincing cover story concocted by the suspect, including the use of a clearly non-government ProtonMail email address, Verizon handed over the victim's data to the alleged stalker, including their address and phone logs. The stalker then went on to threaten the victim and ended up driving to where he believed the victim lived while armed with a knife, according to the record.

The news is a massive failure by Verizon who did not verify that the data request was fraudulent, and the company potentially put someone's safety at risk. The news also highlights the now common use of fraudulent emergency data requests (EDRs) or search warrants in the digital underworld, where criminals pretend to be law enforcement officers, fabricate an urgent scenario such as a kidnapping, and then convince telecoms or tech companies to hand over data that should only be accessible through legitimate law enforcement requests. As 404 Media previously reported, some hackers are using compromised government email accounts for this purpose.

  • the dating section of porn site xHamster

    xHamster has a dating section? Gotta go now ...

    • xHamster has a dating section?

      I'm assuming "dating" is used more of a euphemism for hooking up a la Tinder/Grindr. This [reddit.com] also comes to mind.

  • Maybe this simply isn't a tactic criminals have thought to exploit much. But it seems like it should be standard if you get a warrant or EDR (electronically or paper) you should have a standard way to verify its authenticity with the court or law enforcement org that issued it.

    • Well, what needs to happen here first, is we need to dig deeper into if they have an SOP for this. I would be very surprised if such a large telecom *didn't* have an SOP in place.
      Deeper than that, we need to see what the Verizon employee who answered the phone did. Did they use their tools and KB articles to try and find out what they should do? Did they panic and just go with it for fear of reprisal from the (alleged) police? If the employee DIDN'T do the right thing, how well had Verizon trained them,

      • by PPH ( 736903 )

        SOP won't help. There's a loophole for exigent circumstances in the law. And there are small town, four deputy departments that will claim they don't have the proper log in credentials or even trained personnel to navigate the telecom's law enforcement portal.

        On the other hand, if they really are a four deputy department, it's unlikely that they will be able to chase that Verizon rep all the way to Kolkata.

  • I mean, if they rule out every guy with a lizard tongue, or a low I.Q., or an explosive violent temper, of course they're gonna be lonely.

    Disclaimer for the oblivious: It's a (slightly tweaked) Futurama quote - it's not my actual opinion.

  • ... accessible through legitimate law enforcement requests.

    Everyone's talking about Verizon needing to stop and verify the sender, which is good practice. How about police issue an advisory such as "we will never ask for a 'suspect's' personal information over a personal email/phone"? That's a simple rule, so it'll never happen.

    As cop dramas like Law and Order demonstrate, anything can be the crime of obstructing police, so Verizon and others can't demand verification. If the government really cared, they would enforce these very rules on 'I say so' warrants an

  • by sizzlinkitty ( 1199479 ) on Friday December 08, 2023 @08:39PM (#64067645)

    The victim should cancel and sue Verizon for 100 million dollars and make as much noise as possible over it. Need to sway as much public opinion that Verizon is bad, evil, and the way they give up our data is not okay.

    • by Barny ( 103770 )

      If they had the money to hire a lawyer and sue Verizon with any hope of success, they don't need to sue Verizon to be rich.

      It was probably settled out of court.

      • by Slayer ( 6656 )

        This is a standard slam dunk case a lawyer would take on at own risk for a fraction of the expected verdict afterwards. No plaintiff cash needed for that. And yes, it would be pretty stupid to sign a settlement offer without prior review of that agreement by a lawyer.

  • If someone hands you a warrant or claims to be a police officer, how do you authenticate them? Has anyone ever done this? This seems like a fairly common occurrence in some parts of the world.
    • For a company like Verizon? You refer the person to the appropriate department and you're done. They have folks who handle this sort of thing day in and day out. I wonder if this was a rep at a non corporate store (franchisee or whatever they're called), and they didn't do all the training required of them. (because I'd be shocked if Verizon didn't have _something_ in their requirements to cover this sort of thing)
      • by markana ( 152984 )

        Did you not read the article? He sent the requests to the VERIZON CORPORATE LEGAL TEAM that specifically deals with LE requests. Not a half-trained clerk in a rural town, but the core group in Verizon's Legal department that's supposed to be able to vet these and respond to legitimate requests. And they just rolled over and handed him the goods with no validation. And apparently not for the first time, either.

        Either Verizon's training and oversight are completely substandard (and what else are they scre

        • My experience in LE is that when you call and ID yourself as LE and mention a case... that's almost always enough to have people enthusiastically provide the access you request unless they're involved in an incident or the company they work for has very strict policies they continually reinforce with employees.

          I was never involved in an inappropriate request, but the lack of concern with which people handed over stuff to someone based on a phone call was a bit disturbing. I suppose it helped that they were

          • Exactly. The fail-safe presumption on the request servicer's side must be that it's shady business (blue light bandit, stalker, unethical PI, fishing expedition, or abuse of access) until there is proof of a specific LEA and their LEO acting in an official capacity on a specific matter. Did these corporate bozos simply forget their prime directive was "CYA"?
        • Perhaps US LE has no consistent, authoritative method of verifying LEO credentials. This seems like a glaring omission that should be handled by a publicly well-known, nonprofit, government-sponsored entity. Every officer should be able to be verified given a badge number and county by anyone, at any time.
          • by Mal-2 ( 675116 )

            You'll end up with a minimum of 51 parallel systems, as each state will insist on running its own, and the Feds will need theirs. That doesn't mean it can't work, though. Vehicle registrations are handled the same way and out-of-state cars are not difficult to look up (generally).

  • by kmoser ( 1469707 ) on Friday December 08, 2023 @10:46PM (#64067829)
    Meanwhile, regular folks have to provide actual government ID to do something as innocuous as fly as a passenger in a plane.
  • Who would have thought that taking shortcuts in a given process would lead to unintended side effects!
    The "warrant" process exists for a reason (to prevent abuse). Removing the safeguards will inevitably result in abuse.
  • Also, don't fucking date, much less interact with, people on porn forums.
  • Verizon's compliance area is full of rubes.

  • As a sysadmin I have gotten such requests directly from cops/feds and/or impersonators. Our policy was to forward all of those to our legal department and only help once I had explicit instructions to. No exceptions.
