• Bryan (unregistered)

    So what's the WTF?

    The socail engineering aspect of things??

    That people are using FAX Machines???

    I'm at a loss here

  • (cs)
    So what's the WTF?

    Is that a serious question!?

    Hoping not, but just in case, the answer is that the website forces you to phone "for security purposes", but tech support adds zero security. They allow anyone at all to ring up, quote a fax number and choose which email address to send to, without any attempt at verifying that the person calling actually owns the fax number in question. So you could ring up and get your competitor's faxes sent to you.

  • Rene (unregistered) in reply to Bryan

    The WTF = Exactly how was calling them more secure considering they didn't verify a damn thing?

  • Ceiswyn (unregistered)

    The lack of any actual security in the method used 'for security purposes'?

  • Vollhorst (unregistered)

    Wasn't the phone number he used visible for the guy?

  • Benjamin Normoyle (unregistered)

    Clearly, you can't provide any personal information over the phone. What if someone else hears it and gets into your account illicitly?!

  • Theo (unregistered) in reply to Benjamin Normoyle

    Clearly, the NSA was listening to that phone call.

  • Mutant (unregistered)

    I thought this article was a user story when I started reading it:

    "As the IT Director at a Real Estate company, I want to securly change my fax-to-email email address, so that the ha><0rs can't steal all our monies".

  • TroelsL (unregistered)

    Well, I suppose the tech center could've "verified" him by using caller id?

  • IC (unregistered) in reply to TroelsL
    TroelsL:
    Well, I suppose the tech center could've "verified" him by using caller id?

    Caller ID can be spoofed.

  • Bill (unregistered)

    My former employer was implementing an B2B eCommerce system and we had a lot of hot discussions about security and how to handle logins, lost passwords etc. When we asked customer service how they verify the customers are who they say they are, they kind of said they just know.

    Needless to say security became a lot less important and we moved onto other things to fight about.

  • A. Friend (unregistered) in reply to Bryan

    It may be that the phone number was generated from a large pool of phone numbers, and was only valid for 15 minutes after the page in the customer web site was displayed. So maybe it was no WTF.

  • (cs)

    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

  • morry (unregistered)

    for some reason this reminds me of my bank. Online I've got to know the speed of an unladen swallow, but on the phone, all I need is my address.

  • (cs) in reply to FredSaw

    LOL @ "I seriously doubt you're a burglar."

    What you guys fail to realize is that the person on the other end of the line is always a trained "personality profiler." They are able to detect whether or not you're up to something malicious purely by the tone of your voice and your choice of words. Formerly government agents, they have been forced to find new jobs since the dissolution of the MKULTRA project in the 1980's.

    Well, it's either that or these guys just couldn't build a web interface to allow for this functionality so they force you to call up and claim it's for security reasons.

  • JohnFx (unregistered) in reply to Bryan
    Bryan:
    So what's the WTF?

    The socail engineering aspect of things??

    That people are using FAX Machines???

    I'm at a loss here

    The real WTF is that this guy didn't see the WTF. WTF!

    I think the irony here is that, assuming the web site had a logon for the customer, it would have been a far more secure way to change the e-mail address.

  • (cs)
    Brett:
    I sent my WTF story a month ago. It was better than this story and the most of the other stories this week.
    But since someone called and changed the e-mail address the faxes are send to, it ended up at a competitor instead. That's why you haven't seen it.
  • A Nonny Mouse (unregistered) in reply to morry
    morry:
    Online I've got to know the speed of an unladen swallow

    <obligatory>african or european?</obligatory>

  • Memomachine (unregistered) in reply to A Nonny Mouse
    A Nonny Mouse:
    morry:
    Online I've got to know the speed of an unladen swallow

    <obligatory>african or european?</obligatory>

    What's the capital of Assyria?

  • (cs)

    I'm sure it added more safety to do the bussiness this way.

    • Phone lines are easier to track, harder to fake than an IP address.
    • The recorded call has the biometric information of the caller, so he/she can be identified if needed in a prosecution.

    Also, I guess the email address remained in the company domain. No reason to annoy the client with additional checklists.

  • A (unregistered) in reply to Memomachine
    Memomachine:
    A Nonny Mouse:
    morry:
    Online I've got to know the speed of an unladen swallow

    <obligatory>african or european?</obligatory>

    What's the capital of Assyria?

    A

  • (cs) in reply to Ceiswyn
    Ceiswyn:
    The lack of any actual security in the method used 'for security purposes'?

    At HP, when your password gets reset, support isn't allowed to tell you the password over the phone. Even though you already gave your employee number and pin.

    Why? Because it's not "secure".

    What are the "secure" alternatives?

    1. E-mail it to you -- this is a Paula Bean brillant solution.

    2. E-mail your manager -- even my manager was unnerved to receive my password in his e-mail.

    3. Leave it on your voice mail. Why is this secure? Because it's my voicemail, apparently.

    I can sympathize with this story 100%. Annoying policies that aren't based in reason but were arbitrarily codified by some guy who didn't go to college, works less than I do, and makes more money.

  • Cloak (unregistered) in reply to FredSaw
    FredSaw:
    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    This one, indeed, is a real WTF.

  • G Money (unregistered) in reply to Memomachine
    Memomachine:
    A Nonny Mouse:
    morry:
    Online I've got to know the speed of an unladen swallow

    <obligatory>african or european?</obligatory>

    What's the capital of Assyria?

    Assdamascus.

  • Dave (unregistered) in reply to FredSaw
    FredSaw:
    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    Sooooo... What's your address?

    You know, for security purposes.

  • G Money (unregistered) in reply to ThePants999
    ThePants999:
    So what's the WTF?

    Is that a serious question!?

    Hoping not, but just in case, the answer is that the website forces you to phone "for security purposes", but tech support adds zero security. They allow anyone at all to ring up, quote a fax number and choose which email address to send to, without any attempt at verifying that the person calling actually owns the fax number in question. So you could ring up and get your competitor's faxes sent to you.

    Call display. Cross-reference with fax number. Done.

  • (cs) in reply to G Money
    G Money:
    ThePants999:
    So what's the WTF?

    Is that a serious question!?

    Hoping not, but just in case, the answer is that the website forces you to phone "for security purposes", but tech support adds zero security. They allow anyone at all to ring up, quote a fax number and choose which email address to send to, without any attempt at verifying that the person calling actually owns the fax number in question. So you could ring up and get your competitor's faxes sent to you.

    Call display. Cross-reference with fax number. Done.

    If that were how they did it, they wouldn't have needed to ask for the fax number.

  • Vincent (unregistered) in reply to A. Friend
    A. Friend:
    It may be that the phone number was generated from a large pool of phone numbers, and was only valid for 15 minutes after the page in the customer web site was displayed. So maybe it was no WTF.

    Or maybe it was. I guess we'll never know...

    Life sucks, doesn't it?

  • (cs) in reply to G Money

    Let's see here: the #1 security problem is a disgruntled employee.

    So, as an employee, I would be calling from my employer's place of business. However, even though I'm not authorized to do so, I could easily change the email address to pretty much anything I want. Thereby causing disruption for my employer.

    Provided the email address was set up on a site like yahoo or hotmail, and that I set it up from one of the many internet cafe spots, it's damn well untraceable.

    I wait a week or so after the problem is discovered before quitting. For those paying attention, this describes a social engineered DoS attack.

    Basically, the phone number or any cross reference you do is worthless. The only thing that matters is if the person calling in has both the correct credentials AND the authorization to make a change. Which, btw, was better to vette from the website with SSL enabled. For numerous other reasons.


  • Mark B (unregistered) in reply to FredSaw

    Could it be that they have the office number as a known number, like those high tech systems that pizza\Chinese food chains us when you call.

    ie

    I call Pizza place. Ring. h:"Hello, pizza place can I help you." m:"Can I order a delivery" h:"Yes is that 100 Another street" m:"Yep can I have a meat feast" h:"OK that will be 30-45 minutes" m:"Thanks"

  • BadReferenceGuy (unregistered) in reply to FredSaw
    FredSaw:
    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    See, what he was really worried about was the possibility that you might be trying to sell encyclopedias.

  • Brandon (unregistered) in reply to Vincent
    John Sadowski:
    ...please call 1-800-xxx-xxxx to speak to a representative.

    Hmmm... "x" means "9" on a phone... so the support number is 1-800-999-9999! Excellent! All your fax are belong to us...

  • (cs) in reply to Bryan
    Bryan:
    So what's the WTF?

    The socail engineering aspect of things??

    That people are using FAX Machines???

    I'm at a loss here

    It's so obvious! The WTF is that he is in Calgary. Flames suck! Booo!

  • No Comment (unregistered) in reply to JohnFx
    JohnFx:
    Bryan:
    So what's the WTF?

    The socail engineering aspect of things??

    That people are using FAX Machines???

    I'm at a loss here

    The real WTF is that this guy didn't see the WTF. WTF!

    I think the irony here is that, assuming the web site had a logon for the customer, it would have been a far more secure way to change the e-mail address.

    That's assuming a lot, especially for this site.

  • Spike (unregistered)

    Bruce Schneier would have a field day with this. Interesting dialog.

  • MeRp (unregistered)

    It is entirely possible that the tech support company used ANI (Automatic Number Identification), which is kind of like Caller ID, except that it cannot be spoofed nor blocked. Every toll free number has this. (Incidentally, so does every pay-per type number, like 900 numbers, etc).

    If the caller's phone number was registered as an admin phone number with the tech support company, perhaps the support person simply saw the ANI matched an acceptable caller list, and so did whatever he asked.

  • Ahoapap (unregistered) in reply to ThePants999

    Just a couple of months ago, one of the websites I maintain had to be restarted and I couldn't get on it from RDP. I called Tech Support, gave them the IP of the machine and asked them to restart it. I was expecting the person to ask me a security question, or at least who I was, but nope! Restarted commencing.

    What is really funky about the whole situation is that we had just inherited the site 2 days prior and the client hadn't even had the opportunity of letting the provider know that we were authorized to speak on behalf of the servers!

  • Anon (unregistered)

    It could be as simple as they have a contact number or e-mail address for the account and if a change is made they will either call that number or send an e-mail to confirm that a change has been made. That way you'd know right away if somebody else changed your account without your knowledge. I've seen several institutions that do that. Of course, in reality, that should be an extra layer of security, not the only layer of security.

  • (cs) in reply to Bill

    Few months ago, i had the same discussion with my coworkers. We were all in one guy's office discussing about our software security for almost 1 hour, when I realized that the other guys (and me) have left their offices doors (opening on a public corridor) unlocked !

    Needless to say that we left a little bit software security to concentrate on "hardware" security ;)

    Addendum (2008-01-31 12:51): Oups, i was quoting:

    Bill:
    My former employer was implementing an B2B eCommerce system and we had a lot of hot discussions about security and how to handle logins, lost passwords etc. When we asked customer service how they verify the customers are who they say they are, they kind of said they just know.

    Needless to say security became a lot less important and we moved onto other things to fight about.

  • Pat (unregistered) in reply to SQB
    Brett:
    I sent my WTF story a month ago. It was better than this story and the most of the other stories this week.

    Of course it was. I bet your mom thought it was hilarious.

    Reminds me of the kid who went on a game company's forums to cry that his entry to a poster making contest was better than the winners', then cried some more when he was informed that his entry sucked something fierce. (It really did. It was a screenshot with a photoshop filter over it and some out-of-place text that was inexplicably in 3-D.)

  • mjmcinto (unregistered) in reply to FredSaw
    FredSaw:
    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    I've set our alarm off a few times (both on accident by opening the door, and by sanding down drywall mud...it set off the smoke detector). Each time they called, they asked my security questions. Though I did have them make a note to ignore all fire alarm notices for the next 12 hours when I was doing the sanding as I kept setting the darn thing off ;)

  • Worf (unregistered)

    Actually, the verification could be done by the call.

    When you call a 1-800 number, the owner of that number gets your real phone number. It's called ANI (automatic number identification) It can't be spoofed like Caller ID - the phone number is sent out of band to the destination. So whenever you call a 1-800 number, your phone number is revealed to the callee, regardless of any blocks you may have. (Since they pay for the call, they're entitled to know who's calling them).

    The tech support computer can do a simple check to make sure the person calling and the phone number on the account are the same. Companies use this all the time - they can use it to say "Hey XXXX, how can we help you today" by doing a lookup before the support guy gets the call routed.

    (TRWTF is why Caller ID and ANI are two separate systems running in two different methods and not integrated with each other).

  • Mike (unregistered)

    I had the same experience with a credit monitoring service. They're supposed to call anytime someone tries to do something like apply for a credit card, to verify it's actually me. My phone number changed and I realized months later I'd never moved it, so I called them. I couldn't even remember the old phone number it was on, and with nothing but my name they changed it to point to my new phone number. I'm glad I've got ironclad protection from identity thieves, they'll need to figure out my name before they can crack this.

  • Belcat (unregistered) in reply to FredSaw
    FredSaw:
    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    Unfortunately, this is kinda common.. Security companies suck. But usually the biggest suckage is if your phone gets cut, no alarm. Or the thief has a cell phone jammer, same thing again. Of course 98% of the thieves don't do either so that is why the companies are still in business.. Plus just saying you have an alarm scares a number of bulgars aware.

  • (cs) in reply to Worf
    Worf:
    (TRWTF is why Caller ID and ANI are two separate systems running in two different methods and not integrated with each other).
    <off-topic>Caller ID is a Class 5 service. ANI is just part of routing.</off-topic>
  • Therac-25 (unregistered) in reply to JohnFx
    JohnFx:
    Bryan:
    So what's the WTF?

    The socail engineering aspect of things??

    That people are using FAX Machines???

    I'm at a loss here

    The real WTF is that this guy didn't see the WTF. WTF!

    I think the irony here is that, assuming the web site had a logon for the customer, it would have been a far more secure way to change the e-mail address.

    I can see it now:

    http://initechfax.com/cgi-bin/set_fax_email.cgi?phone=403-xxx-xxxx&[email protected]

  • Belcat (unregistered) in reply to clively
    clively:
    Let's see here: the #1 security problem is a disgruntled employee.

    So, as an employee, I would be calling from my employer's place of business. However, even though I'm not authorized to do so, I could easily change the email address to pretty much anything I want. Thereby causing disruption for my employer.

    Provided the email address was set up on a site like yahoo or hotmail, and that I set it up from one of the many internet cafe spots, it's damn well untraceable.

    I wait a week or so after the problem is discovered before quitting. For those paying attention, this describes a social engineered DoS attack.

    Basically, the phone number or any cross reference you do is worthless. The only thing that matters is if the person calling in has both the correct credentials AND the authorization to make a change. Which, btw, was better to vette from the website with SSL enabled. For numerous other reasons.


    You can't possibly stop that, and there's no point to doing so. The disgrunted employee could have the password, the user id, whatever. Besides, it's not the fax companies' problem that the wrong employee had access to the information to change the fax. If caller id couldn't be faked (and how many people can do that???) then it would be a decent method because anyone who has physical access to the place probably is known. And if they have a burglar or like, they have a bigger problem than just their fax number changing...

  • John Doe (unregistered) in reply to Belcat
    Belcat:
    Plus just saying you have an alarm scares a number of bulgars aware.
    I would strongly suggest you to avoid visiting Bulgaria for the next couple of months. That might be better for your health.
  • Belcat (unregistered) in reply to mjmcinto
    mjmcinto:
    FredSaw:
    This is like when I accidentally set off the alarm system in my home as I was leaving. I had to go in and wait for the monitor to call, to tell them it's a false alarm, or else they would send the cops out to investigate, and false alarms tend to piss the cops off, and you don't want to piss off your friendly neighborhood cops, because it's like the boy who cried wolf, and the next time might be real, so... I went back in, and waited... and waited... and about eight minutes later (how much damage could a burglar do in eight minutes, do you suppose?), they called.

    Them: Hi, this is WTF Security calling; we've got an alarm signal for your residence. Is everything okay there?

    Me: Yes, I just accidentally set the alarm off. It sure took you a long time to call.

    Them: I called as soon as I got the signal, sir.

    Me: When I set the alarm off I came back in to wait for your call. That was about eight minutes ago.

    Them: I called as soon as I got the signal, sir. I'll just mark this as accidental. You have a nice day.

    Me: You think maybe you ought to ask me for my password first?

    Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    I've set our alarm off a few times (both on accident by opening the door, and by sanding down drywall mud...it set off the smoke detector). Each time they called, they asked my security questions. Though I did have them make a note to ignore all fire alarm notices for the next 12 hours when I was doing the sanding as I kept setting the darn thing off ;)

    You're supposed to put a cover on it when you're doing something like that. Now you have a gummed up fire alarm that isn't going to work as quickly when there is a real fire... Drywall dust just covers everything and it's soo messy.

  • Bob N Freely (unregistered) in reply to FredSaw
    FredSaw:
    ... Them: Okay, sir, what's your password?

    Me (getting really pissed now): I don't know what the damn password is, man, I'm a burglar.

    Them (getting about as pissed): Sir, I seriously doubt that you're a burglar.

    Me: Fine, whatever. Tell your boss I'll be replacing you guys with someone a little more dependable. (hang up)

    Exactly why I don't bother with a home security system. I have no faith in the companies that provide them, and frankly, any determined thief is bound to find a way around it.

Leave a comment on “For Security Purposes...”

Log In or post as a guest

Replying to comment #174476:

« Return to Article