SECURITY BREACH BY STUPIDITY ...
Security, especially in connection with computer systems, is first and foremost on everyone’s mind these days. Stories abound about hackers breaking into systems to steal access credentials, phishers sending phony e-mails to convince you to log on to a bogus website that looks like your bank’s, and people who call you on the telephone to ask you to “verify” your account details.
Whether it is called pretexting, social engineering, phishing or good old hacking, it is costing Americans multiple millions of dollars each year. The truth is that most computer-related theft is an inside job: an executive or employee who already has the access credentials and somehow becomes motivated enough to steal.
But I reserve a special place on my threat list for companies that are so blind or stupid that they create their own problems – and in the process, create problems for the rest of us trying to maintain secure systems.
Today’s cautionary tale …
Today’s outrage comes from a provider of Internet-based telephone services, also known as VoIP – Voice over Internet Protocol – which is an inexpensive and reliable way to use the Internet to replace costly telephone services that are offered by the major common carriers.
It starts out with a good practice …
The service provider recognizes that the computer connection you are using is not the same one that was used when you signed up for their service.
Their response is to send you a cautionary e-mail advising you that:
“This message was generated in response to an attempt to access your account from a computer we did not recognize. If you did not attempt a login from a different computer, we recommend change your password immediately.”
“Thank you for your help in keeping your account secure.”
and ends with a security breach …
This appears to be a helpful message from a security-conscious company … until you realize, ironically, that the message also prominently features both your account number and your password, and that it has been sent over the Internet as plain text, readable by anyone in a position to intercept it along the way. The alert warning you that someone else may have your credentials is itself handing those credentials to anyone on the path between the vendor’s mail server and your inbox.
The security code for your account xxxxxxxxx is:
xxx
End result: your security has been breached by stupidity.
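To make the point concrete, here is an added example (my own illustration, not the vendor’s code) that reproduces the bad pattern described above – a new-device login alert that carries the account secret in its body – beside a hardened alert that carries no credential, masks the account number, and offers a short-lived, single-use reset token instead. It also shows a send-time guard that refuses to mail any message containing a stored secret, which is the check the vendor evidently lacked. The account number, security code and reset URL are made up for the example.

```python
# Added example, not the vendor's code. The account values and the reset
# URL (example.invalid) are assumptions constructed for illustration.
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    security_code: str                                   # secret the provider stores
    reset_tokens: dict = field(default_factory=dict)     # sha256(token) -> expiry time


# Constructed sample account; both values are made up.
SAMPLE = Account(number="123456789", security_code="4711")


def mask(number: str) -> str:
    """Show only the last four characters of an account number."""
    return "*" * (len(number) - 4) + number[-4:]


def leaky_alert(acct: Account) -> str:
    """The pattern in the post: the alert itself carries the secret in clear."""
    return (
        "This message was generated in response to an attempt to access "
        "your account from a computer we did not recognize.\n"
        f"The security code for your account {acct.number} is:\n"
        f"{acct.security_code}\n"
    )


def issue_reset_token(acct: Account, ttl_seconds: int = 900) -> str:
    """Mint a short-lived, single-use reset token; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_tokens[digest] = time.time() + ttl_seconds
    return token


def safe_alert(acct: Account) -> str:
    """Hardened alert: no credential, masked account number, reset token instead."""
    token = issue_reset_token(acct)
    return (
        "We saw a login to your account ending in "
        f"{mask(acct.number)} from a device we did not recognize.\n"
        "If this was not you, reset your password within 15 minutes at:\n"
        f"https://example.invalid/reset?token={token}\n"      # assumed URL
    )


def leaks_secret(body: str, acct: Account) -> bool:
    """Send-time guard: True if the body contains the stored secret or the
    unmasked account number."""
    return acct.security_code in body or acct.number in body


def send_alert(acct: Account, builder) -> tuple[bool, str]:
    """Build the message with `builder`; refuse to send it if it leaks."""
    body = builder(acct)
    if leaks_secret(body, acct):
        return False, "blocked: outbound message contains account secret"
    return True, body


def redeem_reset_token(acct: Account, token: str) -> bool:
    """Accept a token exactly once, and only before it expires."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    expiry = acct.reset_tokens.pop(digest, None)
    return expiry is not None and time.time() < expiry


if __name__ == "__main__":
    print(send_alert(SAMPLE, leaky_alert))   # blocked by the guard
    print(send_alert(SAMPLE, safe_alert))    # sent, carries no secret
```

The guard is a last line of defense, not a substitute for a template that never touches the secret in the first place; its value is that a template change by someone who “doesn’t seem to understand” the problem still cannot push a credential out the door. Mailing a reset token is acceptable where mailing the password is not, because the token is short-lived, usable once, and grants nothing beyond the ability to set a new password.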
But it gets worse …
Of course, being a responsible customer, you notify the vendor of the problem – sending a copy of the e-mail with the account and password x’ed out to preserve security.
Since the company is responsive to all such communications, you receive an e-mail verification of the receipt of your communication followed by a personal telephone call by a customer service representative. Great customer service.
Until your customer service representative doesn’t seem to understand what you are talking about when you mention a bad practice that could lead to a security breach. He then asks you to provide access to your computer so that he can capture a screenshot of the original e-mail – which brings the security issue to the forefront once again.
One, after offering to send him a copy of the original e-mail (of course, with the redacted account information), he claims that he cannot receive an e-mail at his location. Something about a server and the lack of access to individual e-mails.
Two, I did not follow up on his offer of allowing him access to my computer – and didn’t even want to know how he proposed to accomplish this task. My computer sits behind a secure firewall and contains what the government fondly calls NPI – Non-Public Personal Information: credit card account numbers, passwords, financial information and other information that is required by law to be protected. Even though it is encrypted, providing unrestricted access to your computer is a very, very bad idea.
And three, this was no ordinary customer service representative – he was simply a voice on the telephone. I could not see his company-issued identification and knew nothing about him, or even whether he was a legitimate employee of the vendor. Even worse, he was a foreign national operating out of a foreign country, not subject to United States law, and could not be easily apprehended by the appropriate U.S. law enforcement officials. A crapshoot at best.
Thanking him and explaining I would take the matter up with management, I told him he could close the trouble ticket. Again, I received an acknowledgement e-mail (this time only referencing the account number and trouble ticket) followed by a chance to participate in a customer service survey. Again, great customer service and follow-up.
The plan …
The plan is simple. To call the chief security officer and explain the situation to him on Monday. After all, this appears to be a reputable company headquartered in the United States and deserving of a second chance.
Bottom line …
This story is a cautionary tale for people who should become more aware of computer security, and of the possibility that an e-mail or a telephone call – even one that comes from a vendor you actually do business with – can place you and your data in jeopardy.
Be aware: there are people that do not wish you well circulating in the world just waiting for the opportunity to drain your bank account or assume your identity. Forewarned is forearmed.
-- steve
P.S. This is not the first time security has been breached by stupidity, nor will it be the last.
Is Time Warner Cable Compromising your PayXpress Account Security (and other financial accounts) with their stupid mistake? (The reason I used the Time Warner name was that they were unresponsive to my request to speak to their security people)