Slashdot Mirror

← Back to Stories (view on slashdot.org)

Telling Your Superiors Their Financial Data Is At Risk?

Posted by Cliff on from the just-because-they-aren't-paranoid-enough... dept.

alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"

100 comments

  1. let it go. your boss doesn't care, and they don't. by User+956 · · Score: 3, Insightful

    I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot

    translation: I'm looking for a creative way to get myself fired.

    and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    --
    The theory of relativity doesn't work right in Arkansas.
  2. In a word: yes by Icarus1919 · · Score: 3, Insightful

    Continue to make good faith efforts to change the policy. However, if you keep getting stonewalled, then let it slide; you may start making enemies if you continue past that point. It won't be your ass on the line if something goes wrong, especially if you can document that you tried to solve the problem.

    1. Re:In a word: yes by Splab · · Score: 3, Insightful

      Pay particular care to the last part, documenting! Some time back I worked as a PHP programmer part time, and during transition from one server to another for one of our major sites I noticed that forms was open for injection attacks, now this being a legacy system it wasn't just fixing it a few places, but all over the site which means a lot of hours. The reason for this being a non issue on the old server was it was running with magic quotes. The reason for the new one not being able to run it was newer sites was programmed around the assumption that magic quotes was off and would thus escape all input.

      I told my boss on several occations that it also meant you could easily gain admin priviledge, but fixing it meant spending money so it wasn't. I made sure to document my warnings, because sooner or later someone would stumble across the sites admin interface and deface the site - which they did and when the boss wen't haywire I had documentation that he was warned.

    2. Re:In a word: yes by MobiusRenoire · · Score: 1

      Quite the contrary, actually. Remember that the crap flows downstream and if there is something that happens, it won't be the suits that make several times your wage that need the shower.

      Documenting that you at least tried would be in your best interest IF something happens and it ends up in court but only if you can prove that you didn't pen the documents the night before you took the witness stand. IANAL, but those are my best guesses as to what happens. There isn't justice in most workplaces, it's definitely not a democracy and there is no 'innocent until proven guilty'.

    3. Re:In a word: yes by Pig+Hogger · · Score: 2, Informative

      and when the boss wen't haywire I had documentation that he was warned.
      Congratulations! You just found out why you got fired and can no longer work in this industry any more...
    4. Re:In a word: yes by TheSkyIsPurple · · Score: 1

      It might not even be quite that bad... but it can still come out badly if you're not careful with your approach.

      There's always the "Oh! that's what you meant, you know where your job description says you need to be able to communicate clearly and professionally to non-technical folks? Yeah... you sure messed that one up, didn't you?"

    5. Re:In a word: yes by UncleTogie · · Score: 1

      Remember that the crap flows downstream and if there is something that happens, it won't be the suits that make several times your wage that need the shower.
      Funny, that's just what Enron and Martha Stewart said...
      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    6. Re:In a word: yes by Anonymous Coward · · Score: 0

      To cover yourself for really important things, use something like the PGP timestamper at http://www.itconsult.co.uk/stamper.htm. You send it a digital signature of something and it signs the signature, giving you really good proof that you had written it on a certain date.

  3. Take some money by focitrixilous+P · · Score: 1
    Move a large sum of money into your least favorite neighbor's bank account. They'll figure it out real quick. If the record keeping is as bad as you claim they will never figure out who did it, plus your loud obnoxious neighbor gets to move into a new apartment courtesy of your local government institution.

    To actually correct it? Wait for someone else to steal a bunch of money, it's bound to happen sooner or later. Problems don't get fixed unless it's obvious more money will be saved by fixing it than letting it stay.

    --
    SAILING MISHAP
    1. Re:Take some money by qwijibo · · Score: 1

      Your theory presumes that someone has yet to steal a bunch of money. I don't share your unbridled optimism. I wouldn't be surprised if management set it up this way so they can skim money themselves without anyone being able to figure out who is doing it. Transactions don't have to be untraceable if you can ensure there is a large enough suspect pool to minimize the chances of getting caught.

    2. Re:Take some money by ronanbear · · Score: 1

      If that was the case he'd already have been fired for gross incompetence and his name would be mud. That's why you have to tread really carefully. If your boss (or the person you tell) is in on it they're gonna frame you.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    3. Re:Take some money by qwijibo · · Score: 1

      Of course they are, but why would they cut the scam short? People who steal money aren't likely to say "ok, I better stop now because I have enough money and I found a patsy." They can pin it on you at any time, even after you leave if they only use information that was available to you at the time you left.

    4. Re:Take some money by kalirion · · Score: 1

      If that was the case he'd already have been fired for gross incompetence and his name would be mud. That's why you have to tread really carefully. If your boss (or the person you tell) is in on it they're gonna frame you.

      Heh, this reminds me of Neil Gaiman's Anansi Boys where the main character's boss keeps an incredibly high turnover rate at his company just so that nobody can figure out that all the rich clients are being embezzled from. As soon as the boss thinks his employee figured him out, the employee gets framed for the embezzlement.

    5. Re:Take some money by ronanbear · · Score: 1

      If you suspect something then you are a threat. They need to get rid of you anyway they can. If they can also pin it on you then they can deflect the blame. If they're careful they can fire you without enough proof for a criminal investigation (so no one looks too closely).

      Once there's someone who got fired for it they can change the practise and keep the money. Or they could keep stealing, have you disclose to someone else and get caught. Even if they stop an audit could reveal the sortcoming. Someone would miss the money eventually.

      The police don't always need to be involved. Director can steal from another firm, blame and fire patsy. Then compensate the firm quietly when they come looking for the money. Your company pays up to protect it's reputation (worth more than the small amount they don't know you stole) and no one is ever the wiser. Patsy stays quiet because the police might get involved and they'll happily cut their losses and move into another field. Better than (risk of) jail.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    6. Re:Take some money by DreadSi · · Score: 3, Insightful

      Better yet - move a large sum of money into your apathetic boss's account. You would be doing your employer a favor and killing two birds with one stone.

  4. Consider your duties completed by arlo5724 · · Score: 2, Insightful

    If you have communicated your concerns to your superiors then your obligation is filled and you don't have to worry about it.

    That said, if you are still worried for some reason then you should either find a way to express the problem to your superiors' superiors (if they have any) or possibly anonymously report it to the clients themselves (if you won't be endangering yourself in the process).

    Good luck.

    1. Re:Consider your duties completed by Secret+Rabbit · · Score: 1

      I agree that his duties have been fulfilled by communicating this security issue to his superior. But, so that his ass is covered, I'd extend this to make sure that a paper trail of sorts exists for his recommendation (if one doesn't exist already). Perhaps a last email bcc'ing himself offsite saying something like:

      "
      I know you've already stated that you don't wish to improve the security situation regarding our clients accounting records. So, please consider this my final attempt to improve this security.

      As I've already stated, /anyone/ can access these records. Even just a file cabinet that locks would greatly improve the situation. It is a relatively cheap solution and even if the keys are not required to be handed in at the end of a shift, if something happens, it reduces the amount of people that may be responsible from everyone, to a relatively few people.

      etc etc etc

      Again, this will be my last word on this topic.

      best regards,
      blah blah blah.
      "

      As you can see, I'm not exactly good at writing such things, but you get the idea.

    2. Re:Consider your duties completed by Anonymous Coward · · Score: 0

      Na... Just tell the Washington Post - that should take care of the problem...

    3. Re:Consider your duties completed by Anonymous Coward · · Score: 0

      Wrong: if you don't write it down you didn't do it or it didn't happen!

  5. Re:let it go. your boss doesn't care, and they don by __aaclcg7560 · · Score: 3, Informative

    If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.

  6. I hope you have a good boss. by Anonymous Coward · · Score: 0

    I know the parent sounds like something out of Dilbert, but what he said is true.

    I hope like hell you brought it up with more tact than your post (asking questions around the situation rather than making statements is one good way). Trying to understand process and procedure may not be looked down upon, trying to change it... Well, I hope you have a good boss.

    Seriously, get a good job before the shit hits the fan, like all good programmers do...

    1. Re:I hope you have a good boss. by User+956 · · Score: 1

      I hope like hell you brought it up with more tact than your post (asking questions around the situation rather than making statements is one good way). Trying to understand process and procedure may not be looked down upon, trying to change it... Well, I hope you have a good boss.

      If following up on it is an absolute requirement, don't forget the CYA (cover your ass) email politely outlining the situation to your boss, with a BCC to yourself. At least if the shit hits the fan, there's proof you tried to alert people beforehand. Which, in this case, would mean your boss gets shitcanned, so he'll likely just move on to another company in the same field... taking with him a dislike for you. Not to be a pessimist, but I really don't think there's a "win-win" here.

      --
      The theory of relativity doesn't work right in Arkansas.
  7. Is this really that confidential? by mwvdlee · · Score: 1

    You state you need to keep account numbers and routing info on accessible paper, nowhere did you mention the need to keep transaction details as well.

    Account numbers and routing information aren't confidential, it's just a matter of convenience to put them on paper. It wouldn't be hard for anybody to obtain such information in legal ways.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Is this really that confidential? by ThinkingInBinary · · Score: 1

      Account numbers and routing information aren't confidential...

      Yes, they are. Many websites will let you debit purchases from a checking account with only this information plus the address on the account. Personal accounts often require a driver's license number as well, but these are businesses. Once again (like Social Security numbers) we have a "cryptosystem" where the "public key" and "private key" are the same thing.

      --
      ttuttle is a rankmaniac
  8. Start looking for work elsewhere... by unitron · · Score: 3, Informative

    Remember, they will never forgive you for being right.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

    1. Re:Start looking for work elsewhere... by mstahl · · Score: 1

      Who was it that said no good deed goes unpunished?

  9. Frankly by aitikin · · Score: 1

    If you don't like your job, want to be on welfare, or already know who you're going to work for next, go for it... Who knows, maybe they'll even listen!

    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  10. Re:let it go. your boss doesn't care, and they don by bladesjester · · Score: 1, Insightful

    Ethical issues at a brokerage firm? I'm shocked :P

    All kidding aside, I feel kind of sorry for the people who post this kind of ask slashdot. As bad as it sounds, the best course of action most of the time is just to keep your mouth shut and continue with life as usual. Most entrenched management and executives do not want anyone to rock the boat and will make your life a living hell not only in your current job, but also possibly in the industry as a whole if you do rock the boat (and I don't care how big you think your industry is, most of the people at the upper levels know, or at least know of, each other).

    Unless your job is specifically to do security audits, just let it go. Chances are they don't want to hear it and won't be happy if they *do* hear it.

    I used to be bright-eyed, idealistic, and naieve with respect to this sort of thing. It lasted all of five minutes. Now I'm more of a hopeful cynic (expect the worst and hope it doesn't happen) lol

    Offtopic: I think this makes you It again...

    --
    Everything I need to know I learned by killing smart people and eating their brains.
  11. Yes and no... by Cervantes · · Score: 2, Insightful

    You have a moral responsibility to encourage data to be safe.

    If you push it, you're quite likely to get stonewalled, destroy your future at the company, and possibly hasten the demise of your job.

    If you plan a long future at this company and can live with the moral ambiguity, shut up and leave it until you're higher up in the chain.

    If you can live with possibly losing career opportunities, make your complaints, but target the right person. Usually most companies will have someone who's actually supposed to make sure data is secure and privacy is assured. Find them and explain things to them.

    If you really don't care about the job, make a good list of all the problems, written out and carefully phrased, and push it as far up the chain as you can. You'll get shit for it, maybe tossed, but with those concerns sitting on the CEOs desk, it's quite unlikely they'll get forgotten.

    At the end of the day, it just depends on your personal moral standing.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
  12. Youve done your part by Warbringer87 · · Score: 2, Insightful

    If you warn people and they don't listen you've done your part.

  13. What should I do? by Anonymous Coward · · Score: 0

    Should I just smile, nod, and play along in this situation?
    You should shut your mouth and get back to work. They don't pay you to think.
  14. You're probably witnessing a scam. by Animats · · Score: 2, Informative

    Remember Enron? WorldCom? Both had major telcom billing fraud components. You may be looking at a fraud.

    If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities to check that internal audit controls are sufficiently tight.

    Sarbanes-Oxley has whistleblower protection: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.

    Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.

    The burden of proof is on the employer in these cases. This law has real teeth.

    Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims.

    1. Re:You're probably witnessing a scam. by passthecrackpipe · · Score: 2, Interesting

      Well, Scam may be harsh - there simply isn't enough information to determine that - burglars use crowbars - does that make everyone that uses a crowbar a burglar? However, SOX is right on the money, although it doesn't apply to all organisations. Nevertheless, outside of SOX there is pretty good whistleblower protection anyway.

      The question is, do you *want* to be a whistleblower? I just recently found myself in a similar situation where I was "asked to leave" because I insistently pointed out serious issues with the integrity of some significant financial datasets my (now previous) employer was processing. Subsequent discussions with my solicitor (who was very keen on running with a major whistleblower case) and a lot of discussions with my wife and other close friends made me decide to simply take some hush money and go away - your career will be ruined, your life will be a disaster for many years, and there is simply to much aggrevation, with no little payback for being some idealistic flag-bearer in what is -essentially- no longer your problem. I am on record as bringing these issues up, and these records are non-repudiable. My ass is covered. So is my mortage and my the education funds for my kids.

      --
      People who think they know everything are a great annoyance to those of us who do.
    2. Re:You're probably witnessing a scam. by qwijibo · · Score: 4, Insightful

      What the law says and how it works are very different. Anyone who takes a hard stand based on being legally in the right is in for a firm reality check.

      Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.

      Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.

    3. Re:You're probably witnessing a scam. by Jonny+do+good · · Score: 1

      The whislteblower act is relatively clear, as well as SOX requirements on data security. Physical security of financial data is part of SOX and this is a clear violation. As an accountant I know these laws fairly well and this case is a no brainer if proper evidence can be provided. Whistleblowers are afforded much protection, but in reality your career is over even if they can't fire you. They can make you want to quite by treating you poorly and refusing to promote you. If you are labeled a whistleblower your corporate career is over though, you will never have any position of consequence in a large organization. This doesn't really mean that your career is over. Many smaller firms would welcome a whistleblower due to the fact that many of them try to do the right thing. Another possible route for whistleblowers is to become a guest speaker. MBA programs bring them in constantly to teach in ethics courses... hah MBA and ethics... I kid because I am one and the ethics lectures I have had are hardly worth hearing except when they bring in people that have spent time in prison... they usually have good stories and give a good sense of reason as to why relatively honest people end up in bad situations and end up crossing the line at some point. Whistleblowers also make good investive journalists and writers because of their experiences. I know a guy who was a whistleblower at a finacial firm (I think it was Morgan Stanley, but I can't be sure... it's been a while since I communicated with him). He became set for life because the act povides the whistleblower with 30% of any penalties the corporation has to pay. In his case the settlement was in the 100's of millions so he got a big chuck of change. He got his PhD, teaches ethics as an adjunct on occasion, and writes independantly for the WSJ and other major financial publications as well writes books. Not a bad way to live, being semiretired since his mid-30's. On another note it seems that the situation at hand has nothing to do with fraud, fraud may be happening, but there is no evidence here of it. This just sounds like sloppy bookkeeping. I have managed a bookkeeping depatment and all of the account and routing numbers we had for our clients were under lock and key. Only the bookkeepers and the owners of the company had keys to the room and the file cabinet they were in. I didn't even have a key even though I wrote the contracts, ran the programs to make the transactions, and managed the AIS which had the data in it. We had no legal requirement for this since we weren't a public company and our contract with our customers didn't state anything about us protecting their data more than it would be held confidential. SOX requires that data security rules be followed (including physical protection of data) so this is a clear breach of SOX. It is a personal decision to become a whistleblower. It will change your life forever and force a new career path. If you have stong morals and ethical standards that make you feel that you must fix the problem then it may be right to blow the whistle. If you go that route make sure you have already spoken with a lawyer before acting and have as much documentation as possible to make your case. Just showing up in court in a me said he/she said case won't get you anywhere and ruin your life. Secure copies of performance evaluations (as evidence that you weren't fired for performance) and all communication between you and anyone you report the offense to, particulalry your superiors (I hate that term because in this case they are obviosly not superior, just higher ranking). No one here can tell you what to do, and the 1-liners saying to shut up are thoughtless. Just keeping your mouth shut is part of the problem in the corporate world these days and obviuosly everone that says to keep quiet is just keeping the status quo... they are just as guilty as the perpetratiors in my eyes. Giving one word of warning is not a valid attempt to fix a problem. If you witness a horrible crime should you just keep your mouth shut? No, you should repo

  15. the plan! by Tumbleweed · · Score: 4, Funny

    As a proof of concept, steal as much money as you possibly can. As payment for this security evaluation, keep the money and retire to a country with no extradition to the United States.

    One little implementation detail: don't get caught.

    Extra credit: put the blame onto your criminally-negligent boss.

  16. Don't Jump To Conclusions by rueger · · Score: 2, Interesting

    You're a junior employee by the looks of it, possibly part time, taking phone orders.

    There is every likelihood that your employer has safeguards in place that you don't know about, and even that they don't want you to know about.

    --
    Three Squirrels
    1. Re:Don't Jump To Conclusions by qwijibo · · Score: 1

      I think it's even more likely that there are no safeguards in place at all. Security is an expense with the goal of having nothing to show for it, except for a lack of problems. It makes for a horrible powerpoint presentation.

      My cynicism comes from working for a major bank where I have to keep resetting my idea of "bare minimum" to include things like mailing unencrypted CD's of personal identifiable information and account numbers to third parties. At first I was disappointed to see this happening, until I learned that the same people who think this is acceptable are the ones auditing the security for the third parties. The atrocities know know bounds. Every morning I wake up without a complete collapse of our banking system I am amazed.

    2. Re:Don't Jump To Conclusions by Anonymous Coward · · Score: 0

      > There is every likelihood that your employer has safeguards in place that you don't know about, and even that they don't want you to know about.

      If the vault is unlocked, it doesn't much matter that the strongboxes are. My bet is that the problems are even worse if they can't even manage something that basic.

      Just bring up SOX. Scares the shit out of 'em.

  17. That's normal for the telecommunications industry by Anonymous Coward · · Score: 1, Funny

    Obvious incompetence is normal in the telecommunications industry. Once you are found out not to be incompetent, you will certainly be let go, possibly following a promotion to recognize your ability. If you do not believe this, I strongly suggest you purchase every Dilbert book you can find, and study them thoroughly. Scott Adams once worked in the telecommunications industry, so it's the best reference available for your line of work. If only I was kidding, unfortunately I am not.

    Good luck.

  18. No big deal... It's more secure than you think. by JRHelgeson · · Score: 4, Informative

    It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.

    They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.

    I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.

    Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.

    Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.

    As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.

    The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.

    -joel

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    1. Re:No big deal... It's more secure than you think. by Anonymous Coward · · Score: 0

      That's all well and good for major corporations.

      Now explain to me how I convince my bank to block all check transfers out of my personal account unless I clear them first so that the various employees that use my routing+account # to deposit my paycheck and withdraw my bills don't take my money and run.

    2. Re:No big deal... It's more secure than you think. by JRHelgeson · · Score: 1

      They can't and they don't. That is why you need to keep control of your bank account number. Still though, you are not held liable for theft/fraud because your money is insured by the FDIC.

      The money stolen due to fraud on your consumer account is covered directly by the bank, they rarely turn to their FDIC insurance policy for coverage. Once your bank closes the account due to fraudulent access, the checks get returned to the merchants and the merchants take the loss - banks have 15 days from the date the item is presented to send it back to the merchant. So, banks don't lose from check fraud, merchants do. This is why merchants rarely accept checks any more.

      Credit/debit cards are different. Once they authorized the transaction, the merchant is guaranteed payment. If the charge is fraudulent, the card issuer (Visa, Mastercard, American Express or Discover) eats the loss due to fraud, not the issuing bank. If the charge is disputed as non-fraud, it gets pushed back to the merchant. Only in worst case scenarios is the issuing bank held liable.

      -Joel

      --
      Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    3. Re:No big deal... It's more secure than you think. by Anonymous Coward · · Score: 0

      Positive Pay

      "is an automated fraud detection tool offered by the Cash Management Department of most banks. In its simplest form, it is a service that matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. All three components of the check must match exactly or it will not pay.

      "How does Positive Pay work?

      "Positive Pay requires the company to send (transmit) a file of issued checks to the bank each day checks are written. When those issued checks are presented for payment at the bank, they are compared electronically against the list of transmitted checks. The check-issue file sent to the bank contains the check number, account number, issue date, and dollar amount. Sometimes the payee name is included, but is not part of the matching service.

      "When a check is presented that does not have a "match" in the file, it becomes an "exception item". The bank sends a fax or an image of the exception item to the client. The client reviews the image and instructs the bank to pay or return the check.

      "There is generally a fee charged by the bank for Positive Pay, although some banks now offer the service for free. The fee might well be considered an "insurance premium" to help avoid check fraud losses and liability." (http://www.positivepay.net)

  19. Smile... by Anonymous Coward · · Score: 0

    Smile, nod, and move a few $M to your private swiss bankaccount. While drinking margarita's on some tropical island, send your boss an "I told you so" email.

    Hey, it works in the movies!

  20. Not credit card numbers. by Ihlosi · · Score: 2, Informative
    for those bank routing and account numbers to be laying around unsecured,



    Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).



    At least over here (Europe), giving your account numbers to other people and have them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.



    Now, if you were talking about credit card numbers, that would be a different beast altogether.

    1. Re:Not credit card numbers. by JRHelgeson · · Score: 1, Informative

      With our system in the USA, if you have someone's account number, basically all the information on the paper check, you then have ALL the information you need to take money from anyone's account.

      Right now, check fraud is more rampant than credit card fraud in the USA, at least among serious ID theft rings:
      Example: http://www.usdoj.gov/usao/fls/PressReleases/051006 -01.html

      These folks cleared out over $4,000,000 before they were caught, using stolen checking account information. It wasn't until the reached the million-dollar mark did they get multi-agency multi-jurisdiction law enforcement cooperation to bring them in. The thieves have now learned to keep the dollar amounts smaller now.

      When you use a paper check at most stores now, they take the check, scan it at the cash register, void it and hand it back to you. They simply run the "item" through as an electronic draft.

      Make no mistake, for the criminal in the USA, having checking account information is MUCH MORE valuable than having a credit card if the desire is to obtain cash. Credit cards can be canceled. Checking accounts can be closed, but that doesn't stop criminals trying to pass the bad checks...

      They print up fake checks, and get this... They go to the post office and buy stamps. Hundreds and often thousands of dollars in stamps... because stamps have a declared face value that can be sold for face value or at most a 5% loss...

      I have a presentation and training class that I deliver on ID theft, one I developed to teach Law Enforcement and Magistrates, some info I came across i've written about on http://www.appiant.com/ I think its under the EV SSL subject.

      link: http://www.appiant.com/security_today/2007/01/ev_s sl_certific.html

      -joel

      --
      Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    2. Re:Not credit card numbers. by Joelfabulous · · Score: 1

      This might be somewhat offtopic, but it's related to credit card information. Take it as an anecdote, if you will.

      Volunteering at a local non-profit community radio station, we have an annual funding drive. Listeners can submit their info online via secure form using a credit card, mail in a cheque, come by the station and drop off cash, or call in their credit card number over the phone. You have to understand that the last option *is* a very significant risk, since we don't have a touch-tone system to record the credit card number -- the operators (volunteers, no less) write down the credit card number (CCN) and name. I don't remember if the phone number and address are taken down or not. Either way, their CCN is taken, and this can be stolen / used in unethical means rather easily. The onus is on the operators to be honest and to guard those papers zealously -- they obviously contain very valuable information. I don't think we've yet to have any problems with CCN misuse, but it does seem like it's inevitable. I guess it all boils down to the morality of the volunteers. Most of us who are there for the phone shifts and other stuff are generally dedicated and ethical people, but all it takes is one person to mess it up.

      General ethics triumphs once again? Just my two cents.

      --
      Sometimes I wonder if I think too much.
  21. Whistleblower protection by IrquiM · · Score: 1

    Investigate if you might be covered by whistleblower protection laws!

    --
    This is blinging
    1. Re:Whistleblower protection by jimmydevice · · Score: 1

      Unless you desire to change carrer paths and can talk some very good lawers into taking the case, don't even think about trying it. You will be blackballed, any money will take years to get, if you see any, ever. You can say goodbye to any friends in that industry, Their stocks, raises or profit sharing took a hit because of you. In my case, the government agency I contacted denied that I contacted them. It was a transportation safety issue and I couldn't ignore it. I'll Never do that again.

  22. embarrassment by fozzmeister · · Score: 1

    Before you embarrass your boss, make sure your not embarrassing yourself...

    BTW It's never good to embarrass your boss anyway.

  23. Its not worth loss of a job or jail time by narf501 · · Score: 1

    The first knee-jerk reaction a manager will do to someone who points out security flaws is fire the person, and possibly find some way to press criminal charges. Barring that, from the time you tell them about the flaw, for the rest of the time you work at that place (as well as subsequent places if people know each other), if *anything* happens to breach security, you will be called in front of management (and possibly police) to explain yourself why you did not do the break-in, even though its brain-dead obvious you have nothing to do with the breach.

    Its just not worth it. I have had friends fired at jobs on the spot (as in the mgr calling for security and having two guards escort the person out, then calling for a "forensics" expert to go through the person's comp to find anything to have him arrested for) because they pointed to management that the place had wide-open wireless, or wireless with brain-dead security settings.

    This is assuming its not your field of responsibility to watch that data, so when (not if) its stolen, its not you being roasted by the various corporate regulations, but the people have the data left exposed, who are failing in their basic job duties.

    I know I sound cruel and heartless, but business is business, and its better to shut up and let people take the fall than try to be "honest" and point out holes which results in you being the next guy who gets the axe (and bad character/job references) come "rightsizing" time.

    If you *have* to alert people, find a way to do it anonymously, but securely. Don't just send anonymous E-mail or a SMS message to them (as it can be read by people who could take advantage of the issue.) Remember, ethics are important in the work world, but you are not trying to make an eighth in Honesty to complete your Ultima IV Avatar-hood.

    1. Re:Its not worth loss of a job or jail time by SocratesJedi · · Score: 1

      The expectation of hardship does not absolve a person of ethical responsibility to protect others. A company that will not protect the data of its partners is a company you ought not serve. I realize that it might be significantly difficult to find a company that engages in ethical dealings, but the moment you settle for anything less you've become yourself an agent of evil and have sold out your basic principles for a modest paycheck.

      That said: I'm not in a position to evaluate whether or not there is a security threat here. The ethical demand to protect others when you are aware of their danger applies only if that is a security threat, so perhaps there is no moral liability at all.

    2. Re:Its not worth loss of a job or jail time by narf501 · · Score: 1

      In the abstract world of ethics, reporting security issues is a main thing. So was being taught to take blame for a friend's actions as a noble act. However in the real world, all that does is land a person jobless, with a bad work record, and possibly with criminal charges. (Its VERY trivial to assemble stuff that looks like evidence to put someone away for "cybercrimes"). At the very least, it means management will audit and scrutinize every single thing you do forevermore, every second at the job from when pulling onto their property until you drive off, and if you drop the ball *once*, there will be zero tolerance for mistakes. Stuff that may result in a polite "word to the wise" E-mail fired from a manager normally, will be grounds for immediate termination.

      There is a difference between ensuring security as part of the job, versus calling attention to oneself in such a way that one will forever be considered a "security risk", which will be a career ending move. If I were writing a paper for a university ethics class, maybe I would state something different, but in the real world, someone perceived to be a whistleblower will get the boot to the head fast, and it will forever be on their record somehow. Yes, there are anti-revenge laws... but most companies will sit there over a period of months or years, gather evidence slowly but surely (or just overtly make fake evidence) to get the whistleblower fired or jailed. Its trivial for someone to make up some "secret" data, and have it sent out with that person's username forged to a "plant" in return for money. Or, a mysterious bag of illegal substances may appear in the person's desk, just when there is a security search going on. Whistleblowers don't last long anywhere, no matter how stiff the anti-retaliation laws are. At best, it means a "window seat" office, and a position which leads to nowhere in a company.

      This is not a case of ethics, but of basic self-preservation. In most cases, being "honest" in this case will only land a person unemployed, with a nice gaping hole in their resume and only bad remarks like "works well when closely supervised... WELL away from anything sensitive" data forever on their work record, if the company doesn't lie and just say that the person never worked there. At worst, it can mean jail or prison time.

      To sum up: You won't lose an eighth for keeping your mouth shut, and going about your business.

    3. Re:Its not worth loss of a job or jail time by bslorence · · Score: 1

      I have had friends fired at jobs on the spot (as in the mgr calling for security and having two guards escort the person out, then calling for a "forensics" expert to go through the person's comp to find anything to have him arrested for) because they pointed to management that the place had wide-open wireless, or wireless with brain-dead security settings.
      Really? Friends? As in, this has happened to more than one person that you know well? How did these people go about "pointing to management"?

  24. CONFIDENTIAL PROPOSAL by ReidMaynard · · Score: 0

    Dear alterimage,

    Based on the recommendation made to me by a reputable official of the commercial sector of the South African Chamber of Commerce who guaranteed me of your reliability and trustworthiness in business dealings, I wish to entrust a large amount with you believing that it will be of our mutual benefit; this has to be highly confidential...

    --
    -- www.globaltics.net

    Political discussion for a new world

  25. Re:let it go. your boss doesn't care, and they don by 91degrees · · Score: 1

    If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    There are ways to handle this. It does require a lot of tact and diplomacy to make it sound like your entire concern is for the wellbeing of the company and the manager especially, and that it was your boss's idea in the first place. Unfortunately, tact and diplomacy are traits that Computer Science Majors tend not to have a lot of practice in... Computer Science is a culture where if you do something wrong, you want to be told about it as soon and as unambiguously as possible.

  26. Speak to Information Security by Anonymous Coward · · Score: 0

    "So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"

    The human aspect of security must be considered at every point of the business - logistics, management, janitorial, accounts, catering... In most environments humans are by far the weakest link - human error, social engineering and downright laziness.


    Have you identified and spoken with the Information Security Officer? It is his/her responsibility to ensure that business units are following documented and management approved procedures for the handling of sensitive information, whether it be electronically or otherwise. If you have concerns, then speak to them about it. It's not all doom and gloom - It may well be that there are compensating controls in place to deal with this, even though they may not be obvious to you.


    I've been in InfoSec consulting for many years, and nearly every client I have started at has had terrible controls in place for accounts/treasury etc. Just make sure you discuss this with the right people as matters like these are highly sensitive and could damage your reputation/make you look foolish if you don't follow proper channels.

  27. Trust is always a contentious point by Toreo+asesino · · Score: 3, Funny

    I'm the sys-admin for my company I work for (when not coding). Only the boss and myself knew the password for the entire domain, and everyone was happy. One day, during a software demo I need to pull some files off my machine for the demo. Boss says "come back once the files are on the public share, and we'll re-test". I say "Not to worry; i'll go through the admin share" (\\machinename\c$ or such) - I'll just log you into my machine as network admin.
    This worried my boss - "What? You can access any machine's drives if you're the network administrator?".

    I try and explain that yes you could; it's by design; the admin being the super-power on the network - full access to everything, etc. This leads him to the next question of "What? Even you could access even my PC? I've got sensitive information on here?!". I reply "Yes, even yours if I really wanted to".

    Unimpressed, he changes the network admin password.

    Precisely 1 hour and 20 minutes later; I get an email saying "User xyz can't access a file YYY on the abc share - what's the problem?". I explain the permissions on the file probably got corrupted/lost and resetting the file-system permissions for the root directory structure should flush out the problem.

    He gives me the new network admin password. Problem was fixed in 2 mins.

    In conclusion, us geeks rule the world. On modern IT systems, someone, must have complete power over all. That is why we are geeks because we can do what others cannot.

    And it's true what they say; being a sys-admin is a power-trip.

    *evil laugh*
    The machines! They're all miiiine! Aaaalll mine!!!!

    --
    throw new NoSignatureException();
    1. Re:Trust is always a contentious point by Anonymous Coward · · Score: 0

      don't forget to reverse the polarity while you're at it, ya dang hack

    2. Re:Trust is always a contentious point by Anonymous Coward · · Score: 0

      And this is why there should be time-restricted root user/passwords. Your boss is right, there is sensitive data on his system that you should not have access to. Sure he can trust you but what about the next guy? He should be able to send you a problem or the system should be able to send you a problem and along with it you get a coupon that has a time-limited root user/password on it. The only thing it doesn't let you do is change the super root password or change to a different user. Sure you could do some damage in the window available BUT you couldn't do it off the clock AND there would be a record of your edits under the temp user.

    3. Re:Trust is always a contentious point by Anonymous Coward · · Score: 0

      And yet the world still laughs at you behind your back. You are Nick Burns, Your Company's Computer Guy.

      The SNL skit was too true. :)

    4. Re:Trust is always a contentious point by nuzak · · Score: 1

      > In conclusion, us geeks rule the world.

      If you ruled the world, you wouldn't be babysitting the systems 24/7.

      > And it's true what they say; being a sys-admin is a power-trip.

      Speak for yourself. I code, mostly stuff I want to write, in whatever language I want, because it's stuff I thought of, designed, planned, and built (productivity tools, basically). It's like working for myself but with a W-2. And oh yeah, I don't wear a pager.

      --
      Done with slashdot, done with nerds, getting a life.
  28. Re:let it go. your boss doesn't care, and they don by jimmydevice · · Score: 1

    Parent is totally correct. When this operation melts down, it will reflect poorly on those aware of the problems and you brought visibility to a fucked up system. Your name will be dredged up from email records and you will be shown the door, rudely. You will have to find another industry to work in, don't plan on any recomendations. The other plan is to take the bank routing and account numbers, setup a quick exit to a foreign country and steal as much money as possible before you can be detected. There is no third choice. Been there, done that (the first, not the second).

  29. Tell him again.... by hairykrishna · · Score: 3, Funny

    ....from your new beach house in the Caymen islands.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  30. BOFH by Anonymous Coward · · Score: 0

    Simon,

    Is that you?

    1. Re:BOFH by Tumbleweed · · Score: 1

      That's the best compliment anyone's ever paid me. Thank you so much! :)

  31. you need to store them encrypted by DougWebb · · Score: 1

    Send me a sample set of the account numbers, and I'll show you how to do it...

    1. Re:you need to store them encrypted by Anonymous Coward · · Score: 0

      Send me a sample set of the account numbers, and I'll show you how to do it...
      Gonna also need the street address of the building with the file cabinet . . and office hours . . . gonna need those too . . .
  32. Make a Record by Shihar · · Score: 1

    Explain your concerns to your supervisor via e-mail. By doing it with e-mail, you are making a record of your worries. This way, if any information is stolen, you can wave your e-mail around saying, "I told you so!" This leaves you in a pretty strong position to spearhead improvements to the system and score yourself a raise.

    I would make a 5 slide presentation as to what your concerns are. Make it brief, but make the security concerns clear. Present this to your boss. If he still doesn't react... well, you tried. You have a record of your concerns and you clearly made a strong attempt to do something about it. The only thing you could possibly do after that is go over your bosses head. This generally is not a terribly wise idea if you want to stay with this company for the long term. You take a gamble when you go over your bosses head, and it is a gamble that a lot of people loose. Unless someone above your boss decides to champion your cause, you will just wind up with a boss that is pissed off at you who can make your life miserable. Even if a champion takes up your cause, unless they change who you report to, you still could have a boss pissed off at you.

    I probably would not risk it unless you really don't care all that much if you get fired. Just do your best, make a record, and practice your smirk for when data is stolen... oh, and if data is stolen, be sure to forward your old e-mail to your bosses boss.

    1. Re:Make a Record by Ihlosi · · Score: 1
      This way, if any information is stolen, you can wave your e-mail around saying,



      Judging from the rest of the thread, it's more likely that your superiors will wave your e-mail around saying "There's our prime suspect !".



      This leaves you in a pretty strong position ...

      ... to get yourself fired/arrested.

  33. Did you suggest a solution? by Bearhouse · · Score: 1

    I have people coming to me every day with problems. After a while, you just feel like 'shooting the messenger', even if it's wrong. Why not sit down & think about how you could fix this, and then suggest this to your boss? If he still blows you off, at least you've managed to document the problem & CYA in a positive way... Send a copy of the document by internal mail & keep a copy of everything at home, or better still at a non-obvious location.

  34. Re:let it go. your boss doesn't care, and they don by ravenfan · · Score: 1

    I was in a similar perdicament once and found that there is a "language" barrier between management and techies. Management speaks in terms of money while we speak in terms of technology. If you can convey the issue in terms of money then he's more likely to listen.

  35. Re:let it go. by PinkPanther · · Score: 1

    ...the best course of action most of the time is just to keep your mouth shut and continue with life as usual.
    Depends on your definition of "best", I believe. "Suck it up" and "lemming" do not describe what I view as "best" and certainly wouldn't describe what I want my "life as usual" to be.

    I believe that one can be non-naieve (sic) and still Do The Right Thing. Yes, it could have negative immediate consequences, but the alternative could have significantly worse long term consequences...

    --
    It's a simple matter of complex programming.
  36. Re:let it go. your boss doesn't care, and they don by markov_chain · · Score: 3, Insightful

    The sad thing is, his unlocked filing cabinet is probably more secure than having the information sit on some server where hackers from Bulgaria can steal it and blackmail the company.

    --
    Tsunami -- You can't bring a good wave down!
  37. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  38. How about an introduction by WebHostingGuy · · Score: 1

    Introduce your boss to Kevin Mitnick

    --
    Quality Hosting e3 Servers
    1. Re:How about an introduction by Anonymous Coward · · Score: 0

      Jesus Christ, why the hell do people think Mitnick is relevant? If I wanted my boss to meet an obnoxious douchebag with a ego the size of a barn, I'd introduce him to my brother.

    2. Re:How about an introduction by WebHostingGuy · · Score: 1

      He was suggested because rather than having the most elite hacking skills, he was actually a very, very good social engineer. In fact some will say that is why he was *successful* during his crime spree despite his technical skills, not because of them.

      --
      Quality Hosting e3 Servers
  39. confidential? Three Stooges by Gary+W.+Longsine · · Score: 2, Insightful

    If you're giving the routing number and account number of your checking account to 3rd parites to make payments over the web then you're not treating the data as though it were confidential. Now, in addition to any employee at your bank, any random person at the company of the 3rd party has access to this information. They could rack these things up for a year and then sell them on the internet. Or maybe their web server gets hit by a worm which steals all these numbers along with credit card numbers.

    I like your analysis that this is a cryptosystem with the "routing + account" number standing in for both the public and private key. A proper crypto system would allow you to pay someone with some information and a public key, perhaps with a one-time use bit of some sort. This would prevent funds-extraction by 3rd parties (who bought your information on the internet after you paid the first 3rd party for something) because the information couldn't be used to extract money from your account without a new one-time thingy. Meanwhile, never provide your "routing + account" number to anyone (except your employer for auto-deposit... life is all about risk-reward trade-off). Instead, use credit cards to pay third parties so you have better consumer protection against fraud.

    However, it's not completely clear that the problem in the original post would be solved by such a system without disrupting the "business process" that the customers probably think they need. An obvious approach would be something like a PKI system with a little card that generated a one-time tidbit on the fly, which the customer would provide to 3rd parties to authorize a payment, and presumably to a banker to authorize a fund transfer or wire or whatever over the phone. The bank's customers may view this as inconvenient and may switch to another bank (the key generator is yet another thing they need to carry around and keep physically secure). After all, the customers clearly want to be able to make a phone call and talk to a person to perform a transaction. In any case, the bank managers will fear this customer response.

    Under the existing system, the bank employees are trusted and the customer will need to detect the missing funds and report them to the bank. Many other bank employees (any teller, any banker, any computer operator) already have access to the same sensitive information as is written to paper and placed in the drawer, which is why the bank managers are not really concerned about the drawer. They know, but perhaps haven't completely thought through that the funds will have been transferred to another account somewhere, and that will be traceable. The funds may not be recoverable but the money trail could be followed from account to account to the perpetraitor... right up to the point where the bank manager and the FBI agents are watching a grainy video of somebody in a wig and fake nose-mustache-glasses pull up to a drive through window in a car that was purchased with cash and uh, donated to a rural fire department for, uh, practice extinguishing gasoline fires shortly thereafter, close their account, and drive off with the cash.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  40. Re:let it go. your boss doesn't care, and they don by the_B0fh · · Score: 1

    Very good. Now please show how that works with Microsoft (or indeed, most software)

  41. Re:let it go. your boss doesn't care, and they don by GuyverDH · · Score: 1

    Ask your boss if he'd like to work at McDonald's.

    He's instructing you to perform a non SOX Compliant activity.
    If it was the medical industry, it would also be non HIPAA compliant, as that is personally identifiable information.
    I don't know whether the financial industry has a HIPAA like set of rules to follow. If they don't, they need one.

    --
    Who is general failure, and why is he reading my hard drive?
  42. Thanks for posting by f1055man · · Score: 1

    Where do you work?
    I can't help you without a firm name and address. Any hopeless administrative or cleaning staff that could use some buttering up? What's the filing cabinet look like?

  43. Time to be an Anonymous Coward by JohnnyGTO · · Score: 1

    and contact a few of the clients.

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
    1. Re:Time to be an Anonymous Coward by JohnnyGTO · · Score: 1

      After reading JRHelgeson, ignore what I said :-)

      --
      Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  44. Wow. That's a bit unprofessional isn't it? by WebCowboy · · Score: 1

    just keep your head down and look for a better job

    While the "look for a better job" part is probably sound advice at some point, I wouldn't say "keep your head down" is the best thing to do...not in the ethical sense in this situation and not as a means to success in general. People who always just "keep their heads down" don't stand out in a crowd, aren't recognised for their achievements (and achieve less overall) and don't advance very fast in their career.

    If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    Guess what? That is exactly WRONG. If you DON'T make a stink and something goes wrong, the buck could stop with YOU! The key is to make the "right kind of stink". Do not be insulting to you boss, follow professional practices and protocol (don't go over anyone's head until/if you are stonewalled, make an intelligent argument, etc) and DOCUMENT THE HELL out of the whole situation. Then...WHEN something goes wrong and your boss tries to pass the buck you have documented proof of your boss' negligence.

    Keep your head down and keep your job (or maybe find a similar job elsewhere). Speak out and gain respect, and perhaps you could even end up replacing your boss. This will also keep your company in compliance with regulations like Sarbanes-Oxley. But above all, you will make sure that as much is done as possible to prevent your employer's customers from becoming fraud victims.

    It seems that IT people aren't as thoroughly regulated as other professions such as doctors, lawyers and engineers. In such professions there is mandatory participation in professional bodies (the bar, medical board, engineering council/professional association). In the light of increased scrutiny of corporate governance and major security incidents such as that with TJX (TJMaxx/TKMaxx, HomeSense, Winners stores having credit card info stolen by hackers) such regulation should be seriously examined for those in MIS or senior systems analyst positions. Part of being registered with a professional body involves ethics training, including just the kind of situation as described by this article poster. In the end everyone would benefit from increased professionalism in IT.

  45. Re:let it go. your boss doesn't care, and they don by Marxist+Hacker+42 · · Score: 1

    Since he's a college student and probably NOT going to stay in this job forever, I suggest the best course is:

    1. Say NOTHING to the boss about this matter from here on out.
    2. Collect names and account numbers and contact information.
    3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  46. Re:let it go. your boss doesn't care, and they don by kennygraham · · Score: 2, Funny

    1. Say NOTHING to the boss about this matter from here on out.
    2. Collect names and account numbers and contact information.
    3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.

    You must be new here.

    1. Say NOTHING to the boss about this matter from here on out.
    2. Collect names and account numbers and contact information.
    3. ???
    4. Profit!

    There, fixed.

  47. Re:let it go. your boss doesn't care, and they don by dhasenan · · Score: 1

    Ethical concerns are different from security concerns, somewhat. If you can suggest a cheap way to increase security, you'll be very mildly rewarded or ignored.

    Still, the requester should likely change jobs before any major security breaks occur, and not mention anything further about security.

  48. How does that make sense? by SanityInAnarchy · · Score: 1

    If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    So, you're telling me it will go something like this:

    Employee: You might be insecure!
    Boss: You're overreacting. We're fine.
    Some time later...
    Boss: Well, shit, we got 0wned. Employee!
    Employee: Yes?
    Boss: You knew we were vulnerable?
    Employee: Yeah...
    Boss: And you didn't do anything?
    Employee: I tried, but...
    Boss: You're fired! You'll never work in this industry again!

    How does this make sense, even to the boss? I mean, shouldn't it go differently? Maybe like this:

    Just after they get 0wned...
    Boss: Employee!
    Employee: Yes?
    Boss: You knew we were vulnerable?
    Employee: Yeah...
    Boss: Wow, you know your shit after all! Here, have a promotion!
    Employee: Thanks! Oh, by the way, our mailservers are acting as open relays. Want me to fix them?
    Boss: Make it so!

    To be fair, if the security is that bad to begin with, I don't imagine you'd be lucky enough to have a sane, intelligent, fair boss. However, you might at least have a chance suing said boss for firing you over his own mistake...

    --
    Don't thank God, thank a doctor!
  49. Check your local laws. by Em+Adespoton · · Score: 1

    Many countries, states, provinces, etc. have data retention policies; check and see if he is actually doing anything illegal in your locale. If he is, email him a URL to the appropriate laws with a line saying something like, "Hey! I just discovered this, and I thought you should know about it." Inoffensive, and you've covered yourself by letting someone higher up know about it. If you don't have any laws governing such data, I'd go with the emailing him that it would probably be a good idea to get audited. After that, it's no longer your problem.

  50. don't tell your boss by scum-e-bag · · Score: 1

    Fully document the problem, with a fix. Cost it.

    Wait until your bosses boss comes to visit. Present the report to your bosses boss.

    Make sure you bypass your current boss. Your current boss won't do a thing about it while he has power over you... bosses aren't about the company/organisation/entity... they are all about themselves and having power over other people.

    Seize power.

    I hate to give the example of Hitler and the nazis... but... a soldier once wrote a letter to hitler telling him that his troop commander was a fool and asked for hitlers help in removing him. Hitler simply wrote back and said something like "then you must take control". Just remember: "do no evil".

    --
    Does it go on forever?
  51. Look at your check by Quinto · · Score: 1

    Bank routing numbers and account numbers appear on any check you write or receive. This information is just one step away from being public anyway.

    1. Re:Look at your check by mysidia · · Score: 1

      Exactly. I wouldn't say routing + acct# is public; it is private, but not secret, and any time you make a payment by bank account (cheque or otherwise), it will be known by the recipient.

      It's not as if just anyone off the street can walk to your bank, show them the routing number + account number of your account, and walk out with 50 grand plus a ship showing a withdrawl.

      To cause payment from an account, you need written authorization, an actual check, or you need to be a bank.

      Most people aren't banks and won't be able to convince their own bank to randomly debit some account at another bank and credit them with the proceeds.

  52. Re:let it go. your boss doesn't care, and they don by monkeydo · · Score: 1

    There's an easy answer to this. All big public companies have an ethics or compliance hotline that you can call and anonymously report stuff like this. It usually goes directly to the audit committee of the BoD or similar. Call, and then youcan feel comfortable knowing that you've done your part, and the people who need to know are informed.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  53. Have you guys heard of "checks"? by Anonymous Coward · · Score: 0

    I smell BS. Strange that you guys do business with verbal money transfers. I work at a medium sized ISP and almost all of our transactions are done by people mailing in checks every month, even the big fortune 100 customers. Reason given: You get to keep the interest earned during the "float" (although this is less and less of an excuse nowadays.) Also you get to pay late and play games with the the "f*** you if my payment is always late - waive my late charges or I'll just take my business elsewhere" routine that the big guys like to pull on the little ones.

    We do ACH for customers with small monthly balances, or on request. Nobody calls us in and gives us verbal wire instructions.

  54. Re:let it go. your boss doesn't care, and they don by monkeydo · · Score: 1

    You do know that extortion and blackmail are illegal, right?

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  55. Re:let it go. your boss doesn't care, and they don by Marxist+Hacker+42 · · Score: 1

    In today's international corporate world, legality is for chumps who actually care about the nation they are in or the system they are working for. Simply select the overseas addresses.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  56. Re:let it go. your boss doesn't care, and they don by afidel · · Score: 1

    The correct answer is to tell the companies internal and/or external auditors. If this is a publicly traded company then SOX requires this kind of problem be fixed. If you ask them to they most likely won't even reveal where the information came from (of course your boss will probably know since you already raised the issue).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  57. Re:let it go. your boss doesn't care, and they don by Anonymous Coward · · Score: 0

    The problem with this is that when the 'fix' trickles through the chain, the manager immediately knows who called it in, and will duely fire him/her. Whistleblowers, even through internal channels, always have problems. Catch 22: You don't tell the manager and instead call the hotline to get it fixed, or tell the manager, gets brushed off, then when a lock is added to the file cabinets from 'corporate' the next day, you get fired. Fucking corporate mofo mentality. Ugghhhh. I hate the system.