Slashdot Mirror
Telling Your Superiors Their Financial Data Is At Risk?
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot
translation: I'm looking for a creative way to get myself fired.
and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
The theory of relativity doesn't work right in Arkansas.
Continue to make good faith efforts to change the policy. However, if you keep getting stonewalled, then let it slide; you may start making enemies if you continue past that point. It won't be your ass on the line if something goes wrong, especially if you can document that you tried to solve the problem.
If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.
Remember, they will never forgive you for being right.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
As a proof of concept, steal as much money as you possibly can. As payment for this security evaluation, keep the money and retire to a country with no extradition to the United States.
One little implementation detail: don't get caught.
Extra credit: put the blame onto your criminally-negligent boss.
It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.
They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.
I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.
Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.
Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.
As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.
The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.
-joel
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I'm the sys-admin for my company I work for (when not coding). Only the boss and myself knew the password for the entire domain, and everyone was happy. One day, during a software demo I need to pull some files off my machine for the demo. Boss says "come back once the files are on the public share, and we'll re-test". I say "Not to worry; i'll go through the admin share" (\\machinename\c$ or such) - I'll just log you into my machine as network admin.
This worried my boss - "What? You can access any machine's drives if you're the network administrator?".
I try and explain that yes you could; it's by design; the admin being the super-power on the network - full access to everything, etc. This leads him to the next question of "What? Even you could access even my PC? I've got sensitive information on here?!". I reply "Yes, even yours if I really wanted to".
Unimpressed, he changes the network admin password.
Precisely 1 hour and 20 minutes later; I get an email saying "User xyz can't access a file YYY on the abc share - what's the problem?". I explain the permissions on the file probably got corrupted/lost and resetting the file-system permissions for the root directory structure should flush out the problem.
He gives me the new network admin password. Problem was fixed in 2 mins.
In conclusion, us geeks rule the world. On modern IT systems, someone, must have complete power over all. That is why we are geeks because we can do what others cannot.
And it's true what they say; being a sys-admin is a power-trip.
*evil laugh*
The machines! They're all miiiine! Aaaalll mine!!!!
throw new NoSignatureException();
....from your new beach house in the Caymen islands.
"Physics is to math as sex is to masturbation." -R. Feynman
What the law says and how it works are very different. Anyone who takes a hard stand based on being legally in the right is in for a firm reality check.
Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.
Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.
The sad thing is, his unlocked filing cabinet is probably more secure than having the information sit on some server where hackers from Bulgaria can steal it and blackmail the company.
Tsunami -- You can't bring a good wave down!
Better yet - move a large sum of money into your apathetic boss's account. You would be doing your employer a favor and killing two birds with one stone.