Admin
So what's the WTF?
The social engineering aspect of things??
That people are using FAX Machines???
I'm at a loss here
Admin
Is that a serious question!?
Hoping not, but just in case, the answer is that the website forces you to phone "for security purposes", but tech support adds zero security. They allow anyone at all to ring up, quote a fax number and choose which email address to send to, without any attempt at verifying that the person calling actually owns the fax number in question. So you could ring up and get your competitor's faxes sent to you.
Admin
The WTF = Exactly how was calling them more secure considering they didn't verify a damn thing?
Admin
The lack of any actual security in the method used 'for security purposes'?
Admin
Wasn't the phone number he used visible for the guy?
Admin
Clearly, you can't provide any personal information over the phone. What if someone else hears it and gets into your account illicitly?!
Admin
Clearly, the NSA was listening to that phone call.
Admin
I thought this article was a user story when I started reading it:
"As the IT Director at a Real Estate company, I want to securely change my fax-to-email email address, so that the ha><0rs can't steal all our monies".
Admin
Well, I suppose the tech center could've "verified" him by using caller id?
Admin
Caller ID can be spoofed.
Admin
My former employer was implementing a B2B eCommerce system and we had a lot of hot discussions about security and how to handle logins, lost passwords etc. When we asked customer service how they verify the customers are who they say they are, they kind of said they just know.
Needless to say security became a lot less important and we moved onto other things to fight about.
Admin
It may be that the phone number was generated from a large pool of phone numbers, and was only valid for 15 minutes after the page in the customer web site was displayed. So maybe it was no WTF.
Admin
This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.
Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?
Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.
Them: I called as soon as I got the signal, sir.
Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.
Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.
Me: You think maybe you ought to ask me for my password first?
Them: Okay, sir, what's your password?
Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.
Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.
Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)
Admin
For some reason this reminds me of my bank. Online I've got to know the speed of an unladen swallow, but on the phone, all I need is my address.
Admin
LOL @ "I seriously doubt you're a burglar."
What you guys fail to realize is that the person on the other end of the line is always a trained "personality profiler." They are able to detect whether or not you're up to something malicious purely by the tone of your voice and your choice of words. Formerly government agents, they have been forced to find new jobs since the dissolution of the MKULTRA project in the 1980s.
Well, it's either that or these guys just couldn't build a web interface to allow for this functionality so they force you to call up and claim it's for security reasons.
Admin
The real WTF is that this guy didn't see the WTF. WTF!
I think the irony here is that, assuming the web site had a logon for the customer, it would have been a far more secure way to change the e-mail address.
Admin
Admin
<obligatory>african or european?</obligatory>
Admin
What's the capital of Assyria?
Admin
I'm sure it added more safety to do the business this way.
Also, I guess the email address remained in the company domain. No reason to annoy the client with additional checklists.
Admin
A
Admin
At HP, when your password gets reset, support isn't allowed to tell you the password over the phone. Even though you already gave your employee number and PIN.
Why? Because it's not "secure".
What are the "secure" alternatives?
E-mail it to you -- this is a Paula Bean brillant solution.
E-mail your manager -- even my manager was unnerved to receive my password in his e-mail.
Leave it on your voice mail. Why is this secure? Because it's my voicemail, apparently.
I can sympathize with this story 100%. Annoying policies that aren't based in reason but were arbitrarily codified by some guy who didn't go to college, works less than I do, and makes more money.
Admin
This one, indeed, is a real WTF.
Admin
Assdamascus.
Admin
You know, for security purposes.
Admin
Call display. Cross-reference with fax number. Done.
Admin
Admin
Or maybe it was. I guess we'll never know...
Life sucks, doesn't it?
Admin
Let's see here: the #1 security problem is a disgruntled employee.
So, as an employee, I would be calling from my employer's place of business. However, even though I'm not authorized to do so, I could easily change the email address to pretty much anything I want, thereby causing disruption for my employer.
Provided the email address was set up on a site like yahoo or hotmail, and that I set it up from one of the many internet cafe spots, it's damn well untraceable.
I wait a week or so after the problem is discovered before quitting. For those paying attention, this describes a social-engineered DoS attack.
Basically, the phone number or any cross reference you do is worthless. The only thing that matters is if the person calling in has both the correct credentials AND the authorization to make a change. Which, btw, was better to vet from the website with SSL enabled. For numerous other reasons.
Admin
Could it be that they have the office number as a known number, like those high tech systems that pizza\Chinese food chains use when you call?
i.e.
I call Pizza place. Ring.
h: "Hello, pizza place, can I help you?"
m: "Can I order a delivery?"
h: "Yes, is that 100 Another street?"
m: "Yep, can I have a meat feast?"
h: "OK, that will be 30-45 minutes."
m: "Thanks."
Admin
See, what he was really worried about was the possibility that you might be trying to sell encyclopedias.
Admin
Hmmm... "x" means "9" on a phone... so the support number is 1-800-999-9999! Excellent! All your fax are belong to us...
Admin
It's so obvious! The WTF is that he is in Calgary. Flames suck! Booo!
Admin
That's assuming a lot, especially for this site.
Admin
Bruce Schneier would have a field day with this. Interesting dialog.
Admin
It is entirely possible that the tech support company used ANI (Automatic Number Identification), which is kind of like Caller ID, except that it cannot be spoofed nor blocked. Every toll free number has this. (Incidentally, so does every pay-per type number, like 900 numbers, etc).
If the caller's phone number was registered as an admin phone number with the tech support company, perhaps the support person simply saw the ANI matched an acceptable caller list, and so did whatever he asked.
Admin
Just a couple of months ago, one of the websites I maintain had to be restarted and I couldn't get on it from RDP. I called Tech Support, gave them the IP of the machine and asked them to restart it. I was expecting the person to ask me a security question, or at least who I was, but nope! Restart commencing.
What is really funky about the whole situation is that we had just inherited the site 2 days prior and the client hadn't even had the opportunity of letting the provider know that we were authorized to speak on behalf of the servers!
Admin
It could be as simple as they have a contact number or e-mail address for the account and if a change is made they will either call that number or send an e-mail to confirm that a change has been made. That way you'd know right away if somebody else changed your account without your knowledge. I've seen several institutions that do that. Of course, in reality, that should be an extra layer of security, not the only layer of security.
Admin
A few months ago, I had the same discussion with my coworkers. We were all in one guy's office discussing our software security for almost 1 hour, when I realized that the other guys (and I) had left our office doors (opening on a public corridor) unlocked!
Needless to say, we left software security a little bit to concentrate on "hardware" security ;)
Addendum (2008-01-31 12:51): Oops, I was quoting:
Admin
Of course it was. I bet your mom thought it was hilarious.
Reminds me of the kid who went on a game company's forums to cry that his entry to a poster making contest was better than the winners', then cried some more when he was informed that his entry sucked something fierce. (It really did. It was a screenshot with a photoshop filter over it and some out-of-place text that was inexplicably in 3-D.)
Admin
I've set our alarm off a few times (both by accident by opening the door, and by sanding down drywall mud... it set off the smoke detector). Each time they called, they asked my security questions. Though I did have them make a note to ignore all fire alarm notices for the next 12 hours when I was doing the sanding, as I kept setting the darn thing off ;)
Admin
Actually, the verification could be done by the call.
When you call a 1-800 number, the owner of that number gets your real phone number. It's called ANI (automatic number identification). It can't be spoofed like Caller ID - the phone number is sent out of band to the destination. So whenever you call a 1-800 number, your phone number is revealed to the callee, regardless of any blocks you may have. (Since they pay for the call, they're entitled to know who's calling them).
The tech support computer can do a simple check to make sure the person calling and the phone number on the account are the same. Companies use this all the time - they can use it to say "Hey XXXX, how can we help you today" by doing a lookup before the support guy gets the call routed.
(TRWTF is why Caller ID and ANI are two separate systems running in two different methods and not integrated with each other).
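The check the two ANI comments describe, put together with two points made earlier in the thread (the caller needs both credentials and the authorization to make the change; the old contact address should be told when a change is made), as an added Python example. This is not code from the thread or from any commenter, and the account table, phone numbers, PIN and addresses in it are constructed for the example. It shows the procedure as the thread describes it next to a version that applies those checks, with ANI treated as a filter on which line the call came from rather than as proof of who is calling.

```python
"""Added example (not from the thread): a fax-to-email address change as the
thread describes it, beside a version that checks the calling line (ANI), the
caller's credentials, and whether that caller is authorized, then notifies the
previous address.  All accounts, numbers and addresses are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked account table does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    fax_number: str
    delivery_email: str
    admin_lines: set        # phone numbers the customer registered for support calls (matched against ANI)
    authorized_ids: set     # employee ids allowed to change the delivery address
    pin_salt: bytes
    pin_hash: bytes
    audit: list = field(default_factory=list)


def make_account(fax, email, admin_lines, authorized_ids, pin):
    salt = secrets.token_bytes(16)
    return Account(fax, email, set(admin_lines), set(authorized_ids), salt, hash_pin(pin, salt))


# The procedure the thread describes: quote a fax number, name an address, done.
def change_email_as_described(accounts, fax_number, new_email):
    acct = accounts.get(fax_number)
    if acct is None:
        return "rejected:unknown-fax"
    acct.delivery_email = new_email      # nothing ties the caller to this account
    return "ok"


# A version that checks what the thread says actually matters.
def change_email_checked(accounts, fax_number, new_email, ani, employee_id, pin, notify):
    acct = accounts.get(fax_number)
    if acct is None:
        return "rejected:unknown-fax"
    # ANI says which line the call came from.  A line is not a person (anyone in the
    # building can dial from it), so this is a filter, never the whole check.
    if ani not in acct.admin_lines:
        acct.audit.append(("ani-mismatch", ani))
        return "rejected:unregistered-line"
    # Credentials: something only the account holder should know.
    if not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.audit.append(("bad-pin", employee_id))
        return "rejected:bad-credentials"
    # Authorization: a valid PIN from someone not allowed to change the delivery
    # address is still a refusal (the disgruntled-employee case from the thread).
    if employee_id not in acct.authorized_ids:
        acct.audit.append(("not-authorized", employee_id))
        return "rejected:not-authorized"
    old = acct.delivery_email
    acct.delivery_email = new_email
    acct.audit.append(("changed", employee_id, old, new_email))
    # Tell the previous address, so a change nobody asked for is noticed at once.
    notify(old, f"Fax delivery for {fax_number} was redirected to {new_email}.")
    return "ok"


def demo():
    """Run both procedures against a constructed account; returns the outcomes."""
    sent = []
    notify = lambda to, msg: sent.append((to, msg))

    def fresh():
        return {"403-555-0100": make_account("403-555-0100", "fax-inbox@example.com",
                                             ["403-555-0101"], ["E100"], "4821")}

    accts = fresh()
    results = {
        "wrong_line": change_email_checked(accts, "403-555-0100", "x@example.net",
                                           "587-555-0199", "E100", "4821", notify),
        "wrong_pin": change_email_checked(accts, "403-555-0100", "x@example.net",
                                          "403-555-0101", "E100", "0000", notify),
        "unauthorized": change_email_checked(accts, "403-555-0100", "x@example.net",
                                             "403-555-0101", "E207", "4821", notify),
        "ok": change_email_checked(accts, "403-555-0100", "new-inbox@example.com",
                                   "403-555-0101", "E100", "4821", notify),
    }
    results["notifications"] = len(sent)
    results["notified_old_address"] = sent[0][0] if sent else None
    results["as_described"] = change_email_as_described(fresh(), "403-555-0100", "x@example.net")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two functions side by side is the one the thread keeps circling: the first accepts a change from anyone who knows a fax number, while the second refuses on three separate grounds before touching the account, and still sends the old address a notice so an unexpected change is visible immediately.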
Admin
I had the same experience with a credit monitoring service. They're supposed to call anytime someone tries to do something like apply for a credit card, to verify it's actually me. My phone number changed and I realized months later I'd never moved it, so I called them. I couldn't even remember the old phone number it was on, and with nothing but my name they changed it to point to my new phone number. I'm glad I've got ironclad protection from identity thieves, they'll need to figure out my name before they can crack this.
Admin
Unfortunately, this is kinda common. Security companies suck. But usually the biggest suckage is if your phone gets cut, no alarm. Or the thief has a cell phone jammer, same thing again. Of course 98% of the thieves don't do either, so that is why the companies are still in business. Plus just saying you have an alarm scares a number of burglars away.
Admin
Admin
I can see it now:
http://initechfax.com/cgi-bin/set_fax_email.cgi?phone=403-xxx-xxxx&[email protected]
Admin
You can't possibly stop that, and there's no point to doing so. The disgruntled employee could have the password, the user id, whatever. Besides, it's not the fax company's problem that the wrong employee had access to the information to change the fax. If caller id couldn't be faked (and how many people can do that???) then it would be a decent method because anyone who has physical access to the place probably is known. And if they have a burglar or the like, they have a bigger problem than just their fax number changing...
Admin
Admin
You're supposed to put a cover on it when you're doing something like that. Now you have a gummed up fire alarm that isn't going to work as quickly when there is a real fire... Drywall dust just covers everything and it's so messy.
Admin
Exactly why I don't bother with a home security system. I have no faith in the companies that provide them, and frankly, any determined thief is bound to find a way around it.