Slashdot Mirror
Telling Your Superiors Their Financial Data Is At Risk?
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.
Remember, they will never forgive you for being right.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Remember Enron? WorldCom? Both had major telcom billing fraud components. You may be looking at a fraud.
If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities to check that internal audit controls are sufficiently tight.
Sarbanes-Oxley has whistleblower protection: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.
Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.
The burden of proof is on the employer in these cases. This law has real teeth.
Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims.
It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.
They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.
I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.
Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.
Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.
As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.
The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.
-joel
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).
At least over here (Europe), giving your account numbers to other people and have them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.
Now, if you were talking about credit card numbers, that would be a different beast altogether.