Telling Your Superiors Their Financial Data Is At Risk?

alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most of the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down and document all the specific banking information, and to keep it on hard copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be lying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
  • by __aaclcg7560 ( 824291 ) on Wednesday March 07, 2007 @03:03AM (#18259434)
    If you make a stink, the first time something goes wrong, you'll be the first guy they blame.

    I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.
  • by unitron ( 5733 ) on Wednesday March 07, 2007 @03:14AM (#18259488) Homepage Journal
    Remember, they will never forgive you for being right.
  • by Animats ( 122034 ) on Wednesday March 07, 2007 @03:47AM (#18259590) Homepage

    Remember Enron? WorldCom? Both had major telcom billing fraud components. You may be looking at a fraud.

    If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities [aicpa.org] to check that internal audit controls are sufficiently tight.

    Sarbanes-Oxley has whistleblower protection [mofo.com]: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.

    Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.

    The burden of proof is on the employer in these cases. This law has real teeth.

    Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims. [zuckermanlaw.com]

  • by JRHelgeson ( 576325 ) on Wednesday March 07, 2007 @04:04AM (#18259650) Homepage Journal
    It sounds like you're getting account information to create an Electronic Funds Transfer (EFT) or electronic draft whereby the company authorizes a transaction for $50,000 or whatever and you "take" the money from their account. It is the same thing as having a company 1) write a check, 2) submit it to you, 3) you deposit it, only to 4) have the funds transferred to your account. Your company is simply performing step 1, skipping step 2, 3 happens electronically and 4 happens essentially overnight.

    They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.

    I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.

    Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft (which, along with any paper check, EFT or ACH, is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.

    Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.

    As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.

    The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.

    -joel
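    The matching control JRHelgeson describes, as an added Python example that is not code from this thread or from any bank's system: the payer's A/P system uploads a delimited file of issued items, and the bank pays a presented item only when its number and amount both match an uploaded entry. The file format, item numbers and dollar amounts are constructed, and the example goes one step beyond the comment by also returning an item that is presented a second time.

```python
"""Positive-pay style item matching, as described in the comment above.

Constructed example: the payer's A/P system uploads a delimited file of
issued items (item number and amount).  When an item is later presented
for payment, the bank pays it only if the number AND the amount match an
issued entry that has not already been paid; anything else is returned
unpaid to the presenter.  File format, numbers and amounts are made up.
"""
from decimal import Decimal, InvalidOperation


def parse_issued_file(text):
    """Parse the uploaded issue file into {item_number: amount}.

    Constructed format: one item per line, pipe-delimited,
    'item_number|amount'.  Blank lines and '#' comments are ignored.
    Amounts are Decimal, not float, so cents compare exactly.
    """
    issued = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        number, amount_text = fields
        try:
            amount = Decimal(amount_text)
        except InvalidOperation:
            raise ValueError(f"line {lineno}: bad amount {amount_text!r}") from None
        if number in issued:
            # Two issue records with one number would make matching ambiguous.
            raise ValueError(f"line {lineno}: duplicate item number {number}")
        issued[number] = amount
    return issued


class PositivePayLedger:
    """Bank-side decision: pay or return each presented item."""

    def __init__(self, issued):
        self.issued = dict(issued)
        self.paid = set()  # item numbers already honoured

    def present(self, number, amount):
        """Return (status, reason) for one presented item.

        status is 'PAID' or 'RETURNED'.  A returned item is never
        recorded as paid, so a corrected re-presentment can still clear.
        """
        amount = Decimal(amount)
        if number not in self.issued:
            return "RETURNED", "no issue record for this item number"
        if number in self.paid:
            return "RETURNED", "item already paid (duplicate presentment)"
        expected = self.issued[number]
        if expected != amount:
            return "RETURNED", f"amount mismatch: issued {expected}, presented {amount}"
        self.paid.add(number)
        return "PAID", "number and amount match the issue file"


# Constructed sample upload from the payer's A/P system.
ISSUED_FILE = """\
# item_number|amount
100231|5000000.00
100232|48250.75
100233|1200.00
"""

# Constructed items later presented to the bank (number, amount).
PRESENTED = [
    ("100231", "5000000.00"),  # genuine $5M payment
    ("100232", "48250.75"),    # genuine payment
    ("100232", "48250.75"),    # same item presented twice
    ("100233", "12000.00"),    # amount altered (1,200 -> 12,000)
    ("100999", "1200.00"),     # number not in the issue file
]


def run_demo():
    """Process PRESENTED against ISSUED_FILE; return list of (number, status, reason)."""
    ledger = PositivePayLedger(parse_issued_file(ISSUED_FILE))
    return [(n, *ledger.present(n, a)) for n, a in PRESENTED]


if __name__ == "__main__":
    for number, status, reason in run_demo():
        print(f"{number}: {status:8} {reason}")
```

    Two design points worth noting: amounts are parsed as Decimal so that a one-cent difference is a mismatch rather than a floating-point rounding accident, and a returned item is never marked as paid, so the genuine item can still clear after a bad presentment is rejected.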
  • by Ihlosi ( 895663 ) on Wednesday March 07, 2007 @04:56AM (#18259826)
    for those bank routing and account numbers to be laying around unsecured,

    Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).

    At least over here (Europe), giving your account number to other people and having them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.

    Now, if you were talking about credit card numbers, that would be a different beast altogether.

  • by JRHelgeson ( 576325 ) on Wednesday March 07, 2007 @06:28AM (#18260120) Homepage Journal
    With our system in the USA, if you have someone's account number, basically all the information on the paper check, you then have ALL the information you need to take money from anyone's account.

    Right now, check fraud is more rampant than credit card fraud in the USA, at least among serious ID theft rings:
    Example: http://www.usdoj.gov/usao/fls/PressReleases/051006-01.html [usdoj.gov]

    These folks cleared out over $4,000,000 before they were caught, using stolen checking account information. It wasn't until they reached the million-dollar mark that they got multi-agency, multi-jurisdiction law enforcement cooperation to bring them in. The thieves have now learned to keep the dollar amounts smaller.

    When you use a paper check at most stores now, they take the check, scan it at the cash register, void it and hand it back to you. They simply run the "item" through as an electronic draft.

    Make no mistake, for the criminal in the USA, having checking account information is MUCH MORE valuable than having a credit card if the desire is to obtain cash. Credit cards can be canceled. Checking accounts can be closed, but that doesn't stop criminals trying to pass the bad checks...

    They print up fake checks, and get this... They go to the post office and buy stamps. Hundreds and often thousands of dollars in stamps... because stamps have a declared face value that can be sold for face value or at most a 5% loss...

    I have a presentation and training class that I deliver on ID theft, one I developed to teach Law Enforcement and Magistrates. Some info I came across I've written about on http://www.appiant.com/ [appiant.com]; I think it's under the EV SSL subject.

    link: http://www.appiant.com/security_today/2007/01/ev_ssl_certific.html [appiant.com]

    -joel
  • Re:In a word: yes (Score:3, Informative)

    by Pig Hogger ( 10379 ) on Wednesday March 07, 2007 @11:02AM (#18261906) Journal

    and when the boss went haywire I had documentation that he was warned.
    Congratulations! You just found out why you got fired and can no longer work in this industry any more...
