Slashdot Mirror

← Back to Stories (view on slashdot.org)

Telling Your Superiors Their Financial Data Is At Risk?

Posted by Cliff on from the just-because-they-aren't-paranoid-enough... dept.

alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"

6 of 100 comments (clear)

  1. let it go. your boss doesn't care, and they don't. by User+956 · · Score: 3, Insightful

    I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot

    translation: I'm looking for a creative way to get myself fired.

    and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    --
    The theory of relativity doesn't work right in Arkansas.
  2. In a word: yes by Icarus1919 · · Score: 3, Insightful

    Continue to make good faith efforts to change the policy. However, if you keep getting stonewalled, then let it slide; you may start making enemies if you continue past that point. It won't be your ass on the line if something goes wrong, especially if you can document that you tried to solve the problem.

    1. Re:In a word: yes by Splab · · Score: 3, Insightful

      Pay particular care to the last part, documenting! Some time back I worked as a PHP programmer part time, and during transition from one server to another for one of our major sites I noticed that forms was open for injection attacks, now this being a legacy system it wasn't just fixing it a few places, but all over the site which means a lot of hours. The reason for this being a non issue on the old server was it was running with magic quotes. The reason for the new one not being able to run it was newer sites was programmed around the assumption that magic quotes was off and would thus escape all input.

      I told my boss on several occations that it also meant you could easily gain admin priviledge, but fixing it meant spending money so it wasn't. I made sure to document my warnings, because sooner or later someone would stumble across the sites admin interface and deface the site - which they did and when the boss wen't haywire I had documentation that he was warned.

  3. Re:You're probably witnessing a scam. by qwijibo · · Score: 4, Insightful

    What the law says and how it works are very different. Anyone who takes a hard stand based on being legally in the right is in for a firm reality check.

    Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.

    Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.

  4. Re:let it go. your boss doesn't care, and they don by markov_chain · · Score: 3, Insightful

    The sad thing is, his unlocked filing cabinet is probably more secure than having the information sit on some server where hackers from Bulgaria can steal it and blackmail the company.

    --
    Tsunami -- You can't bring a good wave down!
  5. Re:Take some money by DreadSi · · Score: 3, Insightful

    Better yet - move a large sum of money into your apathetic boss's account. You would be doing your employer a favor and killing two birds with one stone.