Admin
Maybe the tech support person looked at caller ID to verify who it was? Still not secure though.
Admin
FYI, a cheap motel-style plastic shower cap fits nicely over most smoke detectors, and will prevent them from getting set off from stuff like dust in the air while working. You might also consider getting a dust mask next time you do that... gypsum dust is horrible on your lungs.
Admin
My most recent CO/Smoke detectors came with dust covers. Handy for the basement since I'm developing it.
Admin
Phone numbers are static and assigned by the phone company. I've never heard of any phone company that would let you treat phone numbers like DHCP-assigned IP addresses that you can just acquire and release within 15 minutes. Also, the company's phone system must know what those phone numbers are, so it's likely that calling an "expired" number would still be routed into the call queue.
Maybe this is a super-secret phone system from 50 years in the future where everyone is using Skype, or it was created by the CIA and I'm committing a serious security breach by even mentioning it.
So actually,...
Hold on. I'll finish my comments in a second. It sounds like someone is trying to get in my front door with a battering ram.
Admin
Maybe one too many S's, but that's funny!
Admin
I could perfectly imagine that the support person checked that the faxes already went to someotheraddress @xxxxxxx.ca, and concluded that this change was probably safe. Now, this check is not perfect, but far better than nothing. This might not be a WTF but a lack of understanding of the processes on the part of the submitter. Might, of course.
I also am not sure why you couldn't do that kind of check automatically, and if it fails, have support call the client by phone and ask for confirmation.
Admin
Very amusing story, I wholly enjoyed it. What I don't like about it is that everyone replies by quoting the whole story and taking up a lot more space than necessary. Thank you for writing and have a great day!
Admin
Their alarm system probably sends the alarm through the cheapest non-prioritized SMS provider they could find. The monitor company rep was probably telling the truth.
The main issue here is that the transport they use for alarm messages is probably slow and unreliable. Kinda like the Clippy of alarm systems: "I noticed that you are getting burglarized. Would you like to be hog-tied with non-allergenic duct tape?"
Admin
The Real WTF is that this isn't a featured comment.
Admin
Work telephone conversation I had with a caller once about my son, Mark:
She: (very bubbly, friendly voice) Hi, this is Tammy! I'm trying to get in touch with Mark and I'm hoping you can tell me his telephone number.
Me: This is who?
She: Oh, it's Tammy.
Me: Am I supposed to know you?
She: Oh, I don't think so... I'm just trying to get in touch with Mark.
Me: May I ask why?
She: Oh, I just want to talk to him, you know.
Me: I tell you what, Tammy: you give me your contact information, and I'll give it to Mark, and he can get in touch with you.
She: Oh, okay... (gives me a phone number)
Later, when I spoke to Mark, he told me, "Dad, I was so proud of you. Tammy was the speaker at a class they sent us to at work. She was demonstrating how easy it is to get private information from people. She was on speakerphone during that call so we all could hear what you said. For each person in the class, she called someone they knew and asked for their phone number, and she got the numbers of all but two of them. People were just going, 'Oh, sure, her number is blah blah blah,' but when she called you, you totally stonewalled her."
Admin
That's probably more secure. The call back makes it more difficult to spoof, as the individual would have to be ready to intercept the call.
Admin
Not to be boring or anything, but I believe the actual answer is "Nineveh". Very important city, back in its day.
Admin
I suppose it's just possible that tech support used caller ID - nah, I'm being too generous.
Admin
I would have just hung up on their sorry asses at "Don't you want my password?", but you, sir, took it to the next level, and for that I applaud you!
Admin
When I was in college, I had a checking account with $1000 worth of overdraft protection. The overdraft protection wasn't working properly and I bounced a check. When I called my bank, the lady asked several security questions, the last of which was "How much overdraft protection do you have on your account?" I answered "$1,000". Then I asked my question about the overdraft protection, and the lady says, "I don't see any overdraft protection on your account."
Admin
So all I have to know is what someone's registered phone number is and I can redirect all their faxes? Cool.
Admin
You typically have a number of lines for your company; dialing out, you can use any of them. Alternately, you can just send false CallerID info.
Admin
Featured comments are a WTF in and of themselves. I've yet to see one that didn't seem to have been selected purely at random.
Admin
Joke's on you. Alarms aren't the real commodity here. The sign in your window that says you have an alarm system is. My father-in-law installed an alarm system, then called his insurance company for a discount. They sent out an "inspector" who only checked for "this house protected by..." signs. That's all he looked for.
So I got a great idea....I called my rep and asked what kind of discount I would get for displaying signs. The answer: nearly as much of a discount as actually having the service. Wouldn't you know that's exactly what I did.
Admin
It's not the best method. We can all agree on that. But sometimes, when true security measures aren't in place, dealing with a person IS more secure than dealing with a computer. Any script kiddie worth his salt could reroute every possible fax number to his ex-girlfriend's email address if the fax-to-email company used an unsecured web interface. That's not as easy to pull off when dealing with a real person.
“I need to change the delivery address on my fax-to-email account.”
“Sure. What’s your fax number?”
“It is 403-555-0001.”
"Sorry, that number is not in our database."
"Try 405-555-0002..."
Admin
I had similar from my credit card provider the first time I called them about something. They asked the limit on the card... I said, "I don't know... Maybe $1000 or $2000". They said, "yes, $2000".
Admin
WTF = you, for one...
Admin
You can't cross-reference if you don't have at least two inputs. (aka : ask for fax, have caller id, done)
Admin
Well, more typically, the out-calling phone system will pick an outgoing line at random. Though you can, if you know what you're doing, specify a line, and with some more effort you can change its caller ID.
But as far as where you are calling to, you have no control over how the call is received. So if you're calling one of the supposedly umpteen numbers that you get from the website, it's VERY unlikely it has "expired". That would require some pretty hefty programming in the PBX and a VERY flexible agreement with the phone company/companies.
Imagine what it would take to have a PBX dynamically assign and remove an incoming line from a call group. A PBX could reroute the call based on the number they dialed, but can you imagine what would be involved for a software package to do that? It would receive the number from the website, correctly route that number for the next 15 minutes to customer support, and after 15 minutes hang up on that call.
If you know of a software package that does that correctly and consistently, I want to buy their stock. But I think based on what we've seen on this site, I'll just keep buying Goggle, Aaple, and Mykrosaft.
Admin
Hey do I get a prize for being the 100th person to say "maybe they just checked the caller ID" despite several posts explaining how that's not good enough?
It was clear to me that he meant when you try to use the online system, you enter your phone number and it tells you to call them. That phone number stays in their database for 15 minutes, and when you call, they look it up.
Admin
Our Asterisk system (currently in acceptance testing) does this in a MUCH sexier manner. Instant update from a web interface directly living on the damned thing.
Presumably, if you were hell bent on providing a "temporary phone number" service, you could buy a wad of external lines, a wad of incoming numbers, plug them into a PBX, and just use the external forwarding features instead of connecting to an internal extension. Or connect to an internal extension that in turn has external forwarding applied, depending on your particular featureset.
Admin
Well, I don't give a f#($ if no one is still reading this thread, but that user is d@mn right. You should be responding immediately to a possible emergency, and you should make a person prove who they claim to be.
I'll never forget when my security professor (Prof Dykson @ MSU: very smart & nice guy) recalled when he had his MSU password reset. He was in a hurry, frustrated as hell that he locked himself out, but still sensible enough to stop himself and thank the security staff when they said that they had no way to know that he really was who he claimed to be.
Remember, rigorous validation of those you hope to secure is the only way you can fulfill your duty to protect them. Make the system as easy as possible but ensure that the system is secure or you have betrayed their trust.
Admin
FYI: I forgot to include the home security conversation. The post I was responding to was the one where the security company waited 8 min.
Admin
I once had to reset a security card which allowed them to transfer up to half a million dollars to pretty much any bank account they liked. The card used an internal clock to generate a password that would be valid for 45 seconds.
I was the IT guy, and seeing that it ran on electricity, the card not generating valid passwords was deemed to be my problem. I had no authorization on the bank account, but I called the help desk anyway. They were very helpful. Within a few minutes I had the card resynchronized with the server clock and a new password issued.
I was not asked any questions to verify my identity or my right to use the card. All I can figure is that I must have sounded very honest.
No I didn't give myself a bonus :^)
Admin
I think the whole point of calling is that it is traceable. They record the call, and later, when the company calls to say that something is wrong, they replay the tape. Your boss will recognize your voice and identify you as the culprit.
Unless you use a speech alteration device or so, but I doubt they will let you change the email address then. Or you'll need an accomplice. (Of course, just making the change easier to trace is not enough to prevent this from being the WTF it is.)
Admin
Wouldn't it be more secure to simply do what most online things do... make a change request and the current email gets sent a "confirm new email address" message with some link/passcode?
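The confirm-at-the-current-address flow suggested above, as an added example (not code from the original thread or from any real fax-to-email provider). The service class, its method names, the 15-minute token lifetime and the sample addresses are all assumptions made for the example. The point it shows: the secret needed to apply the change is delivered only to the address already on file, so knowing the fax number alone (the attack the thread keeps coming back to) is not enough to redirect anyone's faxes.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a confirmation token expires after 15 minutes


class FaxToEmailService:
    """Hypothetical fax-to-email backend (illustrative only, not a real product).

    Changing the delivery address takes two steps:
      1. request_change() records the requested address and e-mails a random
         token to the *current* delivery address, never to the requester;
      2. confirm_change() applies the change only if the presented token
         matches, has not expired and has not already been used.
    """

    def __init__(self, send_mail, clock=time.time):
        self._accounts = {}           # fax_number -> current delivery e-mail
        self._pending = {}            # fax_number -> (token, new_email, expires_at)
        self._send_mail = send_mail   # callable(to_address, body); real code would send SMTP
        self._clock = clock           # injectable so expiry can be tested deterministically

    def register(self, fax_number, delivery_email):
        self._accounts[fax_number] = delivery_email

    def delivery_address(self, fax_number):
        return self._accounts[fax_number]

    def request_change(self, fax_number, new_email):
        """Start a change request. Always answers the same way, so the endpoint
        cannot be used to enumerate which fax numbers are subscribers."""
        current = self._accounts.get(fax_number)
        if current is None:
            return True  # silently do nothing for unknown numbers
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A newer request supersedes any older pending one for this number.
        self._pending[fax_number] = (token, new_email, self._clock() + TOKEN_TTL_SECONDS)
        # The token goes to the address on file only; the requester never sees it.
        self._send_mail(
            current,
            f"Confirm redirecting faxes for {fax_number} to {new_email}: token={token}",
        )
        return True

    def confirm_change(self, fax_number, presented_token):
        """Apply the pending change if the token is valid; returns True on success."""
        entry = self._pending.get(fax_number)
        if entry is None:
            return False
        token, new_email, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[fax_number]  # stale request is discarded, not kept around
            return False
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if not hmac.compare_digest(token, presented_token):
            return False
        del self._pending[fax_number]      # single use: the same link cannot be replayed
        self._accounts[fax_number] = new_email
        return True


if __name__ == "__main__":
    # Constructed walk-through with an in-memory "mailbox" standing in for SMTP.
    mailbox = []
    svc = FaxToEmailService(lambda to, body: mailbox.append((to, body)))
    svc.register("403-555-0001", "[email protected]")
    svc.request_change("403-555-0001", "[email protected]")
    to, body = mailbox[-1]
    print("confirmation sent to", to)               # the current owner, not the caller
    token = body.rsplit("token=", 1)[1]
    print("applied:", svc.confirm_change("403-555-0001", token))
    print("faxes now go to", svc.delivery_address("403-555-0001"))
```

Someone who only knows the fax number can trigger the request, but the token lands in the legitimate owner's inbox, which doubles as an alert that somebody is trying to redirect their faxes. The remaining weak spot is the current mailbox itself, which is why the request should also be logged and the old address notified after a successful change.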
Admin
Software security tries to be "complete" and impossible to beat. Physical security tries to be "cheap" and enforces the security by hunting down the breaker and putting them in jail.
It is "easy" to break physical security. It is not designed to be perfect, but to punish the infringer.
Admin
Damascus.
Oh, I'm sorry, I thought you said "A Syria".
Admin
Hm, kind of like when I recently changed the address on my ID card:
This is Belgium here, and we have beautiful, but rather lo-tech cardboard IDs.. well, I went to the city council, said I would like to change the address.. the clerk didn't even check if I was actually registered there - he just put that ID card into his typewriter and happily typed away the new address (on the back side).
Well, that was it. Thank you.. - and handed it back to me.
Only when I mentioned that if that is so easy, I could do it myself next time I move to another address, he drew the card back, and put a stamp on top of the new address (making it illegible). With a grumpy face :-)
Well, that's Belgium.
Admin
This reminds me of the time I locked myself out of the house. I called a service that would help me open the door without damaging it, giving my name and address. The guy they sent told me they would require a letter from a bank or such with the name and address I provided on it for security purposes. So, after he jiggled the door open, I walked inside, grabbed a letter and showed it to him. He was happy, I paid and he left. Despite me asking when he arrived and again when I handed him the letter if he needed to see my ID, apparently just knowing who lives at a certain address and if they recently got a bank statement can get you inside for a reasonable price.
Admin
Would be entertaining if you can dig out the link :)
[/me asks for moon on stick]
Admin
When this happened to me, the locksmith didn't ask for anything, not even a bank statement. I tried to show them some ID (driving licence) but they weren't interested. They said we looked honest. Quite worrying.
Admin
The WTF is you, who can't see that obviously their efforts at being more secure (you can't do it via the web interface, but have to call in) are useless, since anyone could call in and redirect faxes to any email address. You know, like "Bryan's fax number is 1-213-555-1212; I want the new email address to be [email protected]".
Admin
Bzzt! You lose.
How would they go to the "fax machine" (which doesn't exist, since they're receiving their faxes via email) to call to change the address?
Admin
Still no good. That would only verify that the calling number was in the right building.
Presuming that the line used was the typical office line (one of several lines that roll as calls are made or received), all this would indicate that the caller is in the building.
So, I want to steal your faxes to get your corporate secrets. I visit the building as a repairman/delivery person/whatever, and ask to use a phone as I'm leaving. Boom! Your faxes are belong to us.
Admin
Heck, it would be "safer" had they asked to snail-mail your request in. At least you could always easily prosecute the fraudsters under mail fraud laws (in the US).
Cheers!
Admin