Telling Your Superiors Their Financial Data Is At Risk?
alterimage asks: "I'm a Computer Science major at night, working by day in Accounting for a major telecom provider, with clients consisting of most of the entities on Fortune's Top 20 Most Admired Companies of 2006 list. Daily, I see customer payments in excess of $50,000 come and go. Strangely enough, rather than have these payments conducted by an IVR system or over the Internet, the majority of these payments are conducted over the phone with individuals such as myself, who are instructed to write down and document all the specific banking information, and to keep it on hard copy in an unlocked file cabinet that is accessible to anyone. Having experience with social engineering and fraud, I've already advised my boss that it's probably not a good idea for those bank routing and account numbers to be lying around unsecured, and was told that I'm over-reacting. So I ask Slashdot: At what point should the human aspect of security be considered in the business environment? Should I just smile, nod, and play along in this situation?"
let it go. your boss doesn't care, and they don't. (Score:4, Insightful)
translation: I'm looking for a creative way to get myself fired.
and if it bugs you, just keep your head down and look for a better job. If you make a stink, the first time something goes wrong, you'll be the first guy they blame.
Re:let it go. your boss doesn't care, and they don (Score:3, Informative)
I had a college roommate who had a similar problem when he pointed out an ethical issue at a brokerage firm. He got busted to the mailroom. A friend who was a senior broker at a different firm told him to get out before he gets fired for something he didn't do if he wanted to work in the industry. He decided to become a tech writer instead.
Re: (Score:2, Insightful)
All kidding aside, I feel kind of sorry for the people who post this kind of ask slashdot. As bad as it sounds, the best course of action most of the time is just to keep your mouth shut and continue with life as usual. Most entrenched management and executives do not want anyone to rock the boat and will make your life a living hell not only in your current job, but also possibly in the industry as a whole if you do rock the boat (and I don't care how bi
Re:let it go. (Score:1)
Depends on your definition of "best", I believe. "Suck it up" and "lemming" do not describe what I view as "best" and certainly wouldn't describe what I want my "life as usual" to be.
I believe that one can be non-naieve (sic) and still Do The Right Thing. Yes, it could have negative immediate consequences, but the alternative could have significantly worse long term consequences...
Re: (Score:3, Insightful)
Re: (Score:2)
Still, the requester should likely change jobs before any major security breaks occur, and not mention anything further about security.
Re: (Score:2)
If following up on it is an absolute requirement, don't forget the CYA (cover your ass) email politely outlining the situation to your boss, with a BCC to yourself. At least if the shit hits the fan, there's proof you tried to a
Re:let it go. your boss doesn't care, and they don (Score:1)
There are ways to handle this. It does require a lot of tact and diplomacy to make it sound like your entire concern is for the wellbeing of the company and the manager especially, and that it was your boss's idea in the first place. Unfortunately, tact and diplomacy are traits that Computer Science Majors tend not to have a lot of practice in... Computer Science is a culture where if you do something wrong, y
Re: (Score:1)
Re:let it go. your boss doesn't care, and they don (Score:1)
Re:let it go. your boss doesn't care, and they don (Score:1)
Re:let it go. your boss doesn't care, and they don (Score:4, Insightful)
Re: (Score:2)
He's instructing you to perform a non-SOX-compliant activity.
If it were the medical industry, it would also be non-HIPAA-compliant, as that is personally identifiable information.
I don't know whether the financial industry has a HIPAA-like set of rules to follow. If they don't, they need one.
Wow. That's a bit unprofessional isn't it? (Score:2)
While the "look for a better job" part is probably sound advice at some point, I wouldn't say "keep your head down" is the best thing to do...not in the ethical sense in this situation and not as a means to success in general. People who always just "keep their heads down" don't stand out in a crowd, aren't recognised for their achievements (and achieve less overall) and don't advance very fast in their career.
If you make a stink, the first time something g
Re:let it go. your boss doesn't care, and they don (Score:2)
1. Say NOTHING to the boss about this matter from here on out.
2. Collect names and account numbers and contact information.
3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.
Re: (Score:2, Funny)
1. Say NOTHING to the boss about this matter from here on out.
2. Collect names and account numbers and contact information.
3. When you leave this job one day, and you will, and when you need money, and you will, contact the account holders *directly* and offer to tell them where you got your information for a fee.
You must be new here.
There, fixed.
Re: (Score:2)
Re: (Score:2)
How does that make sense? (Score:2)
So, you're telling me it will go something like this:
Employee: You might be insecure!
Boss: You're overreacting. We're fine.
Some time later...
Boss: Well, shit, we got 0wned. Employee!
Employee: Yes?
Boss: You knew we were vulnerable?
Employee: Yeah...
Boss: And you didn't do anything?
Employee: I tried, but...
Boss: You're fired! You'll never work in this industry again!
How does this make sense, even to the b
Re: (Score:2)
Re:let it go. your boss doesn't care, and they don (Score:2)
In a word: yes (Score:4, Insightful)
Re:In a word: yes (Score:4, Insightful)
I told my boss on several occasions that it also meant you could easily gain admin privilege, but fixing it meant spending money, so it wasn't. I made sure to document my warnings, because sooner or later someone would stumble across the site's admin interface and deface the site - which they did, and when the boss went haywire I had documentation that he was warned.
Re: (Score:3, Informative)
Re: (Score:2)
There's always the "Oh! that's what you meant, you know where your job description says you need to be able to communicate clearly and professionally to non-technical folks? Yeah... you sure messed that one up, didn't you?"
Re: (Score:1)
Documenting that you at least tried would be in your best interest IF something happens and it ends up in court but only if you can prove that you didn't pen the documents the night before you took the witness stand. IANAL, but those are my best guesses as to what happens. There isn't justice in most workplaces, it's def
Re: (Score:1)
Funny, that's just what Enron and Martha Stewart said...
Take some money (Score:2)
To actually correct it? Wait for someone else to steal a bunch of money, it's bound to happen sooner or later. Problems don't get fixed unless it's obvious more money will be saved by fixing it than let
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Once there's someone who got fired for it they can change the practice and keep the money. Or they could keep stealing, have you disclose to someone else and get caught. Even if they stop, an audit could reveal the shortcoming. Someone woul
Re: (Score:2)
Heh, this reminds me of Neil Gaiman's Anansi Boys [wikipedia.org] where the main character's boss keeps an incredibly high turnover rate at his company just so that nobody can figure out that all the rich clients are being embezzled from. As soon as the boss thinks his employee figured him out, the employ
Re: (Score:3, Insightful)
Consider your duties completed (Score:2, Insightful)
That said, if you are still worried for some reason then you should either find a way to express the problem to your superiors' superiors (if they have any) or possibly anonymously report it to the clients themselves (if you won't be endangering yourself in the process).
Good luck.
Re: (Score:2)
"I know you've already stated that you don't wish to improve the security situation regarding our clients' accounting records. So, please consider this my final attempt to improve this security
Is this really that confidential? (Score:2)
Account numbers and routing information aren't confidential, it's just a matter of convenience to put them on paper. It wouldn't be hard for anybody to obtain such information in legal ways.
Re: (Score:2)
Yes, they are. Many websites will let you debit purchases from a checking account with only this information plus the address on the account. Personal accounts often require a driver's license number as well, but these are businesses. Once again (like Social Security numbers) we have a "cryptosystem" where the "public key" and "private key" are the same thing.
confidential? Three Stooges (Score:3, Insightful)
Start looking for work elsewhere... (Score:4, Informative)
Re: (Score:1)
Frankly (Score:2)
Yes and no... (Score:3, Insightful)
If you push it, you're quite likely to get stonewalled, destroy your future at the company, and possibly hasten the demise of your job.
If you plan a long future at this company and can live with the moral ambiguity, shut up and leave it until you're higher up in the chain.
If you can live with possibly losing career opportunities, make your complaints, but target the right person. Usually most companies will have someone who's actually supposed to make sure data is secure and privacy is assured. Find them and explain things to them.
If you really don't care about the job, make a good list of all the problems, written out and carefully phrased, and push it as far up the chain as you can. You'll get shit for it, maybe tossed, but with those concerns sitting on the CEOs desk, it's quite unlikely they'll get forgotten.
At the end of the day, it just depends on your personal moral standing.
Youve done your part (Score:2, Insightful)
You're probably witnessing a scam. (Score:3, Informative)
Remember Enron? WorldCom? Both had major telecom billing fraud components. You may be looking at a fraud.
If there's an internal audit department, they should know about this. They have Sarbanes-Oxley responsibilities [aicpa.org] to check that internal audit controls are sufficiently tight.
Sarbanes-Oxley has whistleblower protection [mofo.com]: "Sarbanes-Oxley creates severe criminal penalties (including substantial fines, and up to 10 years in prison) for retaliation against whistleblowers who raise concerns about violation of any federal criminal statute, not simply laws limited to financial fraud." So if your boss threatens you, you can threaten back.
Also, "Congress required corporate Audit Committees to create mechanisms for receiving anonymous employee concerns about financial improprieties." Find out how that channel works and make a report.
The burden of proof is on the employer in these cases. This law has real teeth.
Here's a lawyer who specializes in Sarbanes-Oxley whistleblower claims. [zuckermanlaw.com]
Re: (Score:3, Interesting)
The question is, do you *want* to be a whistleblower? I just recently found myself in a similar situation where I was "asked to leave" because I insistently pointed out serious issu
Re:You're probably witnessing a scam. (Score:5, Insightful)
Depending on the size of the company, there is a very real possibility that the people in management got there by knowing the law well enough that they can violate it with plausible deniability. I work in a large bank where I see that happen all the time. I have pointed out numerous security problems and blatant violations of company policy, but management is willing to take those risks. We have people telling us what we need to do because sarbox has teeth, but there are absolutely no consequences for when we blatantly ignore them. The reality is that the worst that can happen is the offender gets transferred to another department, or in extreme cases, they could get fired.
Everyone has a potential security breach waiting to happen. The laws exist to point fingers after the fact. The law isn't going to help someone who is just pointing out a potential flaw. What's worse is that if someone exploits the hole this person identified, the law has good reason to consider him a suspect since he's obviously thought about it.
Re: (Score:1)
the plan! (Score:5, Funny)
One little implementation detail: don't get caught.
Extra credit: put the blame onto your criminally-negligent boss.
Re: (Score:2)
Don't Jump To Conclusions (Score:3, Interesting)
There is every likelihood that your employer has safeguards in place that you don't know about, and even that they don't want you to know about.
Re: (Score:2)
My cynicism comes from working for a major bank where I have to keep resetting my idea of "bare minimum" to include things like mailing unencrypted CD's of personal identifiable information and account numbers to third parties. At first I was disappointed to see this happening, unti
That's normal for the telecommunications industry (Score:1, Funny)
Good luck.
No big deal... It's more secure than you think. (Score:5, Informative)
They are giving you the SAME information that you could obtain from a written paper check, no more, no less. Now, obviously these companies have millions of dollars at any given time in their accounts and this alone makes them targets for check fraud; people creating their own checks and trying to pass them. The solution to this problem came about many, many years ago and is what makes the EFT system more secure than any other form of payment.
I am the accounts payable rep for Massive Corp. I'm going to authorize a payment for $5mil to your company: Dark Fiber Telco. I give you the check number (or transaction number or transaction code) and my bank account number and routing code. I enter the details into my Accounts Payable system which every afternoon uploads a delimited text file to our bank providing them with a list of checks written and their dollar amount. This is very similar to how credit card terminals upload their batch at the end of business day.
Meanwhile, DFTelco enters the data into their Accounts Receivable system which initiates the electronic draft, (which along with any paper check, EFT or ACH is all generically referred to as an "item"). When the item clears the Federal Reserve and is presented to Massive Corp's bank, if the dollar amount of the item doesn't exactly match the check number and dollar amount that Massive Corp uploaded, it is rejected and returned non-paid to the sender.
Very simple, very secure, and presenting your biggest customers with an IVR HELL system will only piss them off. They expect, and deserve, to speak to a human being and that is what your company provides. I wouldn't sweat it.
As an aside, I had an insurance agent come out to my property for a claim. The agent wrote a check from his checkbook and handed it to me, and then he had to enter the dollar amount and check number into his computer, over a VPN connection to his corporate office, so that the check would clear the bank.
The US Postal Service also does the same thing for Money Orders. Law Enforcement can actually log in to a LE only site provided by the USPS and check the validity of any US Postal Money Order based upon the $ amt and item number so they can see if someone is trying to "wash" a money order to alter the dollar amount, or creating a downright fraudulent Money Order.
-joel
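As an added example (not code from joel's post, nor from any bank or clearing system), here is a small Python model of the matching rule the post describes: the payer's afternoon upload of issued items is parsed, and each item presented for payment is paid only when its check number and exact dollar amount appear on that list. Unknown items, altered amounts and a second presentment of an already-paid item are returned unpaid. The delimited file layout, field names and all values are constructed for illustration and are not taken from any real bank's specification.

```python
"""Positive-pay style matching of presented items against the payer's issued list.

Added illustration of the mechanism described in the post above; the file
format and every value here are constructed, not from any real institution.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample of the delimited text file the payer's Accounts Payable
# system uploads to its bank each afternoon: one line per check written,
# with the check number and the dollar amount (layout is assumed).
ISSUED_FILE = """\
check_no|amount
100231|5000000.00
100232|12500.50
100233|48000.00
"""


@dataclass(frozen=True)
class PresentedItem:
    """An item (check, draft, ACH debit) arriving at the payer's bank for payment."""
    check_no: str
    amount: Decimal
    presenter: str  # who is asking to be paid; informational only, not matched


def parse_issued(text):
    """Parse the uploaded issued-items file into {check_no: amount}.

    Amounts are kept as Decimal so that 5000000.00 compares exactly and no
    floating-point rounding can turn a genuine match into a false mismatch.
    """
    issued = {}
    lines = text.strip().splitlines()
    for line in lines[1:]:  # first line is the header
        check_no, amount = (field.strip() for field in line.split("|"))
        issued[check_no] = Decimal(amount)
    return issued


def reconcile(issued_text, presented):
    """Decide each presented item in order.

    Returns a list of (check_no, decision) where decision is 'PAY' or a
    RETURN reason. Matching is on check number plus exact amount, as in the
    post; a check number is honoured at most once so an item cannot be paid
    twice by being presented again.
    """
    issued = parse_issued(issued_text)
    already_paid = set()
    decisions = []
    for item in presented:
        expected = issued.get(item.check_no)
        if expected is None:
            decision = "RETURN:UNKNOWN_ITEM"      # never written by the payer
        elif expected != item.amount:
            decision = "RETURN:AMOUNT_MISMATCH"   # altered or forged amount
        elif item.check_no in already_paid:
            decision = "RETURN:DUPLICATE"         # same item presented twice
        else:
            decision = "PAY"
            already_paid.add(item.check_no)
        decisions.append((item.check_no, decision))
    return decisions


# Constructed presentments: two genuine, one with the amount altered, one
# never issued, and a repeat of the first genuine item.
SAMPLE_PRESENTED = [
    PresentedItem("100231", Decimal("5000000.00"), "Dark Fiber Telco"),
    PresentedItem("100232", Decimal("12500.50"), "Office Supply Co"),
    PresentedItem("100233", Decimal("84000.00"), "Unknown Payee"),
    PresentedItem("100999", Decimal("2500.00"), "Unknown Payee"),
    PresentedItem("100231", Decimal("5000000.00"), "Dark Fiber Telco"),
]

if __name__ == "__main__":
    for check_no, decision in reconcile(ISSUED_FILE, SAMPLE_PRESENTED):
        print(f"{check_no}: {decision}")
```

The point the model makes is the one in the post: knowing a routing and account number lets a presenter create an item, but without a matching (check number, amount) pair already uploaded by the account holder the item is returned unpaid, so the stolen numbers alone do not move money.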
Re: (Score:2)
The money stolen due to fraud on your consumer account is covered directly by the bank, they rarely turn to their FDIC insurance policy for coverage. Once your bank closes the account due to fraudulent access, the checks get returned to the merchants and the merchants take the loss - banks have 15 days from the date the
Not credit card numbers. (Score:3, Informative)
Bank routing and account numbers are different from credit card numbers. There's very little you actually can do with a routing and account number because these two don't give you any authorization to do any withdrawals from that account (at least if the US system has some basic degree of sanity).
At least over here (Europe), giving your account numbers to other people and having them deposit money to your account is a very common way of receiving payments. They can deposit to your account, but they cannot withdraw from it.
Now, if you were talking about credit card numbers, that would be a different beast altogether.
Re: (Score:2, Informative)
Right now, check fraud is more rampant than credit card fraud in the USA, at least among serious ID theft rings:
Example: http://www.usdoj.gov/usao/fls/PressReleases/051006-01.html [usdoj.gov]
These folks cleared out over $4,000,000 before they were caught, using stolen checking account information. It wasn't until they reached t
Re: (Score:1)
Volunteering at a local non-profit community radio station, we have an annual funding drive. Listeners can submit their info online via secure form using a credit card, mail in a cheque, come by the station and drop off cash, or call in their credit card number over the phone. You have to understand that the last option *is* a very significant risk, since we don't have a touch-tone system to
Whistleblower protection (Score:1)
Re: (Score:1)
embarrassment (Score:2)
BTW It's never good to embarrass your boss anyway.
It's not worth loss of a job or jail time (Score:1)
Re: (Score:1)
That said: I'm not in a position to evaluate whether or not there is
Re: (Score:1)
Re: (Score:1)
Really? Friends? As in, this has happened to more than one person that you know well? How did these people go about "pointing to management"?
Trust is always a contentious point (Score:4, Funny)
This worried my boss - "What? You can access any machine's drives if you're the network administrator?".
I try and explain that yes you could; it's by design; the admin being the super-power on the network - full access to everything, etc. This leads him to the next question of "What? Even you could access even my PC? I've got sensitive information on here?!". I reply "Yes, even yours if I really wanted to".
Unimpressed, he changes the network admin password.
Precisely 1 hour and 20 minutes later; I get an email saying "User xyz can't access a file YYY on the abc share - what's the problem?". I explain the permissions on the file probably got corrupted/lost and resetting the file-system permissions for the root directory structure should flush out the problem.
He gives me the new network admin password. Problem was fixed in 2 mins.
In conclusion, us geeks rule the world. On modern IT systems, someone must have complete power over all. That is why we are geeks, because we can do what others cannot.
And it's true what they say; being a sys-admin is a power-trip.
*evil laugh*
The machines! They're all miiiine! Aaaalll mine!!!!
Re: (Score:2)
If you ruled the world, you wouldn't be babysitting the systems 24/7.
> And it's true what they say; being a sys-admin is a power-trip.
Speak for yourself. I code, mostly stuff I want to write, in whatever language I want, because it's stuff I thought of, designed, planned, and built (productivity tools, basically). It's like working for myself but with a W-2. And oh yeah, I don't wear a pager.
Tell him again.... (Score:4, Funny)
you need to store them encrypted (Score:2)
Make a Record (Score:2)
I would make a 5 slide presentation as to what your concerns are. Make it brief, but make the security concerns clear. Present this to your boss. If he still doesn't react... well
Re: (Score:2)
Judging from the rest of the thread, it's more likely that your superiors will wave your e-mail around saying "There's our prime suspect!".
This leaves you in a pretty strong position
Did you suggest a solution? (Score:1)
How about an introduction (Score:2)
Re: (Score:2)
Thanks for posting (Score:2)
I can't help you without a firm name and address. Any hopeless administrative or cleaning staff that could use some buttering up? What's the filing cabinet look like?
Time to be an Anonymous Coward (Score:1)
Re: (Score:1)
Check your local laws. (Score:2)
don't tell your boss (Score:2)
Wait until your boss's boss comes to visit. Present the report to your boss's boss.
Make sure you bypass your current boss. Your current boss won't do a thing about it while he has power over you... bosses aren't about the company/organisation/entity... they are all about themselves and having power over other people.
Seize power.
I hate to give the example of Hitler and the Nazis... but... a soldier once wrote a letter to Hitler telling him that his troop
Look at your check (Score:1)
Re: (Score:1)
Exactly. I wouldn't say routing + acct# is public; it is private, but not secret, and any time you make a payment by bank account (cheque or otherwise), it will be known by the recipient.
It's not as if just anyone off the street can walk into your bank, show them the routing number + account number of your account, and walk out with 50 grand plus a slip showing a withdrawal.
To cause payment from an account, you need written authorization, an actual check, or you need to be a bank.
Most people aren't