Slashdot Mirror
Telling Your Superiors Their Financial Data Is At Risk?
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot
translation: I'm looking for a creative way to get myself fired.
and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
The theory of relativity doesn't work right in Arkansas.
Continue to make good faith efforts to change the policy. However, if you keep getting stonewalled, then let it slide; you may start making enemies if you continue past that point. It won't be your ass on the line if something goes wrong, especially if you can document that you tried to solve the problem.
If you have communicated your concerns to your superiors then your obligation is filled and you don't have to worry about it.
That said, if you are still worried for some reason then you should either find a way to express the problem to your superiors' superiors (if they have any) or possibly anonymously report it to the clients themselves (if you won't be endangering yourself in the process).
Good luck.
If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.
Remember, they will never forgive you for being right.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
You have a moral responsibility to encourage data to be safe.
If you push it, you're quite likely to get stonewalled, destroy your future at the company, and possibly hasten the demise of your job.
If you plan a long future at this company and can live with the moral ambiguity, shut up and leave it until you're higher up in the chain.
If you can live with possibly losing career opportunities, make your complaints, but target the right person. Usually most companies will have someone who's actually supposed to make sure data is secure and privacy is assured. Find them and explain things to them.
If you really don't care about the job, make a good list of all the problems, written out and carefully phrased, and push it as far up the chain as you can. You'll get shit for it, maybe tossed, but with those concerns sitting on the CEOs desk, it's quite unlikely they'll get forgotten.
At the end of the day, it just depends on your personal moral standing.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
If you warn people and they don't listen you've done your part.
Remember Enron? WorldCom? Both had major telcom billing fraud components. You may be looking at a fraud.
If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities to check that internal audit controls are sufficiently tight.
Sarbanes-Oxley has whistleblower protection: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.
Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.
The burden of proof is on the employer in these cases. This law has real teeth.
Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims.
As a proof of concept, steal as much money as you possibly can. As payment for this security evaluation, keep the money and retire to a country with no extradition to the United States.
One little implementation detail: don't get caught.
Extra credit: put the blame onto your criminally-negligent boss.
You're a junior employee by the looks of it, possibly part time, taking phone orders.
There is every likelihood that your employer has safeguards in place that you don't know about, and even that they don't want you to know about.
Three Squirrels
It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.
They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.
I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.
Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.
Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.
As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.
The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.
-joel
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).
At least over here (Europe), giving your account numbers to other people and have them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.
Now, if you were talking about credit card numbers, that would be a different beast altogether.
I'm the sys-admin for my company I work for (when not coding). Only the boss and myself knew the password for the entire domain, and everyone was happy. One day, during a software demo I need to pull some files off my machine for the demo. Boss says "come back once the files are on the public share, and we'll re-test". I say "Not to worry; i'll go through the admin share" (\\machinename\c$ or such) - I'll just log you into my machine as network admin.
This worried my boss - "What? You can access any machine's drives if you're the network administrator?".
I try and explain that yes you could; it's by design; the admin being the super-power on the network - full access to everything, etc. This leads him to the next question of "What? Even you could access even my PC? I've got sensitive information on here?!". I reply "Yes, even yours if I really wanted to".
Unimpressed, he changes the network admin password.
Precisely 1 hour and 20 minutes later; I get an email saying "User xyz can't access a file YYY on the abc share - what's the problem?". I explain the permissions on the file probably got corrupted/lost and resetting the file-system permissions for the root directory structure should flush out the problem.
He gives me the new network admin password. Problem was fixed in 2 mins.
In conclusion, us geeks rule the world. On modern IT systems, someone, must have complete power over all. That is why we are geeks because we can do what others cannot.
And it's true what they say; being a sys-admin is a power-trip.
*evil laugh*
The machines! They're all miiiine! Aaaalll mine!!!!
throw new NoSignatureException();
....from your new beach house in the Caymen islands.
"Physics is to math as sex is to masturbation." -R. Feynman
The sad thing is, his unlocked filing cabinet is probably more secure than having the information sit on some server where hackers from Bulgaria can steal it and blackmail the company.
Tsunami -- You can't bring a good wave down!
Comment removed based on user account deletion
If you're giving the routing number and account number of your checking account to 3rd parites to make payments over the web then you're not treating the data as though it were confidential. Now, in addition to any employee at your bank, any random person at the company of the 3rd party has access to this information. They could rack these things up for a year and then sell them on the internet. Or maybe their web server gets hit by a worm which steals all these numbers along with credit card numbers.
I like your analysis that this is a cryptosystem with the "routing + account" number standing in for both the public and private key. A proper crypto system would allow you to pay someone with some information and a public key, perhaps with a one-time use bit of some sort. This would prevent funds-extraction by 3rd parties (who bought your information on the internet after you paid the first 3rd party for something) because the information couldn't be used to extract money from your account without a new one-time thingy. Meanwhile, never provide your "routing + account" number to anyone (except your employer for auto-deposit... life is all about risk-reward trade-off). Instead, use credit cards to pay third parties so you have better consumer protection against fraud.
However, it's not completely clear that the problem in the original post would be solved by such a system without disrupting the "business process" that the customers probably think they need. An obvious approach would be something like a PKI system with a little card that generated a one-time tidbit on the fly, which the customer would provide to 3rd parties to authorize a payment, and presumably to a banker to authorize a fund transfer or wire or whatever over the phone. The bank's customers may view this as inconvenient and may switch to another bank (the key generator is yet another thing they need to carry around and keep physically secure). After all, the customers clearly want to be able to make a phone call and talk to a person to perform a transaction. In any case, the bank managers will fear this customer response.
Under the existing system, the bank employees are trusted and the customer will need to detect the missing funds and report them to the bank. Many other bank employees (any teller, any banker, any computer operator) already have access to the same sensitive information as is written to paper and placed in the drawer, which is why the bank managers are not really concerned about the drawer. They know, but perhaps haven't completely thought through that the funds will have been transferred to another account somewhere, and that will be traceable. The funds may not be recoverable but the money trail could be followed from account to account to the perpetraitor... right up to the point where the bank manager and the FBI agents are watching a grainy video of somebody in a wig and fake nose-mustache-glasses pull up to a drive through window in a car that was purchased with cash and uh, donated to a rural fire department for, uh, practice extinguishing gasoline fires shortly thereafter, close their account, and drive off with the cash.
If you mod me down, I shall become more powerful than you could possibly imagine.
Better yet - move a large sum of money into your apathetic boss's account. You would be doing your employer a favor and killing two birds with one stone.
2. Collect names and account numbers and contact information.
3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.
You must be new here.
There, fixed.