Telling Your Superiors Their Financial Data Is At Risk? 100
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down, document all the specific banking information, and to keep them on hard-copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be laying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
let it go. your boss doesn't care, and they don't. (Score:4, Insightful)
translation: I'm looking for a creative way to get myself fired.
and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
In a word: yes (Score:4, Insightful)
Consider your duties completed (Score:2, Insightful)
That said, if you are still worried for some reason then you should either find a way to express the problem to your superiors' superiors (if they have any) or possibly anonymously report it to the clients themselves (if you won't be endangering yourself in the process).
Good luck.
Re:let it go. your boss doesn't care, and they don (Score:2, Insightful)
All kidding aside, I feel kind of sorry for the people who post this kind of ask slashdot. As bad as it sounds, the best course of action most of the time is just to keep your mouth shut and continue with life as usual. Most entrenched management and executives do not want anyone to rock the boat and will make your life a living hell not only in your current job, but also possibly in the industry as a whole if you do rock the boat (and I don't care how big you think your industry is, most of the people at the upper levels know, or at least know of, each other).
Unless your job is specifically to do security audits, just let it go. Chances are they don't want to hear it and won't be happy if they *do* hear it.
I used to be bright-eyed, idealistic, and naieve with respect to this sort of thing. It lasted all of five minutes. Now I'm more of a hopeful cynic (expect the worst and hope it doesn't happen) lol
Offtopic: I think this makes you It again...
Yes and no... (Score:3, Insightful)
If you push it, you're quite likely to get stonewalled, destroy your future at the company, and possibly hasten the demise of your job.
If you plan a long future at this company and can live with the moral ambiguity, shut up and leave it until you're higher up in the chain.
If you can live with possibly losing career opportunities, make your complaints, but target the right person. Usually most companies will have someone who's actually supposed to make sure data is secure and privacy is assured. Find them and explain things to them.
If you really don't care about the job, make a good list of all the problems, written out and carefully phrased, and push it as far up the chain as you can. You'll get shit for it, maybe tossed, but with those concerns sitting on the CEOs desk, it's quite unlikely they'll get forgotten.
At the end of the day, it just depends on your personal moral standing.
Youve done your part (Score:2, Insightful)
Re:In a word: yes (Score:4, Insightful)
I told my boss on several occations that it also meant you could easily gain admin priviledge, but fixing it meant spending money so it wasn't. I made sure to document my warnings, because sooner or later someone would stumble across the sites admin interface and deface the site - which they did and when the boss wen't haywire I had documentation that he was warned.
Re:You're probably witnessing a scam. (Score:5, Insightful)
Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausable deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there's absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.
Everyone has a potential security breech waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.
Re:let it go. your boss doesn't care, and they don (Score:4, Insightful)
Comment removed (Score:3, Insightful)
confidential? Three Stooges (Score:3, Insightful)
I like your analysis that this is a cryptosystem with the "routing + account" number standing in for both the public and private key. A proper crypto system would allow you to pay someone with some information and a public key, perhaps with a one-time use bit of some sort. This would prevent funds-extraction by 3rd parties (who bought your information on the internet after you paid the first 3rd party for something) because the information couldn't be used to extract money from your account without a new one-time thingy. Meanwhile, never provide your "routing + account" number to anyone (except your employer for auto-deposit... life is all about risk-reward trade-off). Instead, use credit cards to pay third parties so you have better consumer protection against fraud.
However, it's not completely clear that the problem in the original post would be solved by such a system without disrupting the "business process" that the customers probably think they need. An obvious approach would be something like a PKI system with a little card that generated a one-time tidbit on the fly, which the customer would provide to 3rd parties to authorize a payment, and presumably to a banker to authorize a fund transfer or wire or whatever over the phone. The bank's customers may view this as inconvenient and may switch to another bank (the key generator is yet another thing they need to carry around and keep physically secure). After all, the customers clearly want to be able to make a phone call and talk to a person to perform a transaction. In any case, the bank managers will fear this customer response.
Under the existing system, the bank employees are trusted and the customer will need to detect the missing funds and report them to the bank. Many other bank employees (any teller, any banker, any computer operator) already have access to the same sensitive information as is written to paper and placed in the drawer, which is why the bank managers are not really concerned about the drawer. They know, but perhaps haven't completely thought through that the funds will have been transferred to another account somewhere, and that will be traceable. The funds may not be recoverable but the money trail could be followed from account to account to the perpetraitor... right up to the point where the bank manager and the FBI agents are watching a grainy video of somebody in a wig and fake nose-mustache-glasses pull up to a drive through window in a car that was purchased with cash and uh, donated to a rural fire department for, uh, practice extinguishing gasoline fires shortly thereafter, close their account, and drive off with the cash.
Re:Take some money (Score:3, Insightful)