Su Tech Ennui: Stupid Company Tricks

Wednesday, October 10, 2007

Stupid Company Tricks

Back in the Usenet days, I was a subscriber and occasional poster to a group called "RISKS Digest" where we would highlight the stupid stuff that organisations and businesses would do which actually made things worse for their customers. Twenty years later I'm sad to see that corporate common sense has not improved in any way and people are still doing Really Dumb Things:
  • Take our cell phone company for example. ("Please!", as Rodney Dangerfield might add)... I forgot the account name associated with my phone so I went to their online page where you can ask for a reminder to be mailed to you. So far, so good. So I enter the phone number, and what do I see... "Your account information has been mailed to gtoal@gtoal.com". Yup, they don't just mail it out, they tell you to whom it has been mailed. So anyone wanting to find out who owns a phone number with this company can just submit an account reminder request and immediately see what email account is associated with the phone number, from which it is usually trivial to work out the person associated with it.
  • Here's a big computer company that heavily touts the security of their products... they have a web system for users which is where you download their software as well as being a chat forum. If you go to their 'lost password' page and request a reminder, they don't just email you with your password - nope, that would be a security risk because they'd need to keep your password unencrypted, so they helpfully change your password and send you the new one. No, you read that correctly - they don't send you a link where you can change your password, they go ahead and change it immediately. Never heard of 'denial of service' attacks, guys? You can lock anyone out of their service by requesting a forgotten password (no ID required, just the email address) until they receive that email and log back in to change it back.
  • Here's the worst forgotten password story of all. I forgot the password to my online bank account. Because I'd never entered any initial 'security questions' on the web site, I couldn't get an email reminder and had to call in. Again, so far so good. Unfortunately they asked me the same 'security questions' that the web site would have asked - which I had never entered, so I couldn't give them answers. God knows what answers they expected to hear. So they used their fallback procedure - asking me questions about things they knew the answers to, like where did I stay when I lived in Ohio, or which of these three Ohio businesses did I ever work for. Just one problem: I've never been to Ohio. I'm reasonably sure that an illegal immigrant migrant farm worker got my SSN here in the valley and used it while working in the fields up there. Unfortunately this info has got into my credit file with the big three companies (Experian etc). Here's the rub - my bank trusts the data from the credit companies implicitly and would not believe me that all the info they were using to ID me was wrong. I finally convinced them I was me by telling them at which bank branch I opened my account. Well duh - there's only one for this bank in the town where I live, and anyone can find out where I live pretty damned easily (especially if they've already got a copy of my erroneous credit report, which apparently is all that is needed to spoof someone's ID at this idiotic bank).

It amazes me that these are huge companies with large staffs and presumably they hire information security professionals. Just what sorts of idiots are running the security in these companies? I despair at times.
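As an added example (not code from the post or from either company named in it), here is how the two web-site anecdotes should have been handled: the account-reminder response never echoes the address it was mailed to, and a reset request never touches the existing password until the mailed token is redeemed, so a stranger submitting the form cannot lock the owner out. The account store, outbox and addresses are constructed for the demonstration.

```python
import hashlib
import secrets
import time

USERS = {}            # constructed store: email -> {"phone", "salt", "hash"}
PENDING_RESETS = {}   # token -> (email, expiry_timestamp)
OUTBOX = []           # (to_address, body) pairs standing in for an SMTP relay
TOKEN_TTL = 15 * 60   # a reset link is worthless after 15 minutes
NEUTRAL = "If we have an account matching that, a message has been sent."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(email, phone, password):
    salt = secrets.token_bytes(16)
    USERS[email] = {"phone": phone, "salt": salt, "hash": _hash(password, salt)}

def check_login(email, password):
    rec = USERS.get(email)
    return rec is not None and secrets.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def request_reminder(phone):
    # Phone-company case: the reminder goes to the address on file, but the
    # reply never names that address, so this is not a phone -> owner lookup.
    for email, rec in USERS.items():
        if rec["phone"] == phone:
            OUTBOX.append((email, "Your account reminder is enclosed."))
    return NEUTRAL

def request_reset(email, now=None):
    # Software-vendor case: nothing about the account changes here. The
    # current password stays valid until the owner redeems the mailed token.
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[token] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return NEUTRAL

def redeem_reset(token, new_password, now=None):
    # Only a valid, unexpired, unused token changes the password.
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(token, None)  # pop: each token works once
    if entry is None or now > entry[1]:
        return False
    email, salt = entry[0], secrets.token_bytes(16)
    USERS[email].update(salt=salt, hash=_hash(new_password, salt))
    return True
```

The same uniform reply for known and unknown inputs also keeps the forms from confirming whether a number or address is on file at all.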

1 comment:

Denny said...

Here is one: a fairly well known bank wants to save money and convinces customers to start using a "provided" system and scanner to process checks for the bank.

Bank sends hardware with XP SP2 (not fully patched) and TWO full-blown Administrator accounts and one User account. Both the User and one of the Administrators have passwords provided in straight plain text, and it is SUGGESTED that the passwords be changed. Bank wants this system dropped into the client's existing network and I say NO. I set it up outside the internal domain but behind a firewall.

This is now where it gets even better. I hook everything up, and AFTER changing the passwords for both the XP logins I check the security policy settings and yes, of course, NOTHING was set. I call the provided Help-Desk number, explain what I see and ask if this one was not set up fully, and am informed no, this is the way they go out the door to the customers. I then tell them that I am setting the security policies that I always set for any W2K/XP+ system I work on and she tells me that is fine. I then connect the patch cable, log into the bank software and proceed to set the strongest password it will allow me to. This is of course after finding out that the SSL certificate for their site is out of date by ten months. I ask the Help-Desk about this and was told:

"You know, I see that all of the time and I just click on through."

I end the call there and proceed to create a non-admin account for processing the checks for the client, and then see another company's users under the administration page. Startled, I refresh the page and yup, the information is still there. Time to call the Help-Desk again and explain what I have found. I am told I should not be able to see this, and I mentally scream to the heavens.

I tell the Help-Desk that this needs to be corrected.

I then explain to the client what I have found and make them promise that the system will ONLY be turned on when needed and NEVER left running when not in use.

Two days later I receive a call from the client and am told that they cannot log in and a bank representative is there. I head over and explain that they had the passwords reversed. It is now time to hammer the bank rep about what I have found and ask for answers, of which none were really forthcoming.

In fact, the rep tells me that I am the first who placed ANY security, and even when companies' inside or outside IT sets them up, they leave everything with the DEFAULT settings.

I then told him that if anything ever happens and this ever winds up in court, I would place the blame squarely with the bank, as they send these systems out this way. He tells me that "we ASK them to change passwords" and that is where I cut him off. I explain to him that you do NOT ask, you TELL them they will change passwords, and that the crappy McAfee security software is a joke and further the bank's fault, especially since they, the bank, gave everyone a default plain-text password for the ADMINISTRATOR account, and all it will take is one pissed-off employee of a company or the bank itself and they are screwed.

He was rattled but felt secure, but said he would discuss this with his superiors. I then pointed out to him that the check we had just processed was almost the full 100K insured by the FDIC. That is when he went white.

Yes, feeling safer already.