Tuesday, August 28, 2007

Home to roost

Our Bank bought another Bank and the integration is beginning. I received a call from a Tech who wanted a password reset for a user. He did not have the user on the line so I could not verify the user's identity (mother's maiden name and such like that). When I asked him to put the user on the line so that I could verify that information, he launched into a story that "he always does this." What he's always been doing is calling a conference line specifically set up for this sort of thing but, due to a scheduling mistake, the conference line was occupied by an unrelated meeting and he just wanted it taken care of and so called the Help Desk.

I refused to violate identity verification procedures and, after some dancing around with Team Leads and the Function Desk, I transferred him to the Function Desk, who said that they would do it, which made me look like a complete moron.

I immediately went to the Tactical Manager to complain about these "exceptions" that we never hear about and are somehow expected to just do.

I learned that these calls should be going to the Function Desk, where they "just take care of it", but if they're busy, the calls roll out to the general queue. I commented that I always seem to get these calls.

Not two minutes later, the same tech calling for the same nonsense got through to me again. I immediately transferred him back to the Function Desk.

And just after that, we received a message that "If anyone gets a call from Tech_A or Tech_B to reset a password, you may perform the reset without security verification. This applies to today only!"

Geis: "Would it not be appropriate to verify the identities of Tech_A or Tech_B?"

Team Lead: "In most cases I would say yes - but this is a pre-authorized process that falls under the Conversion."

Geis: "So let me get this straight... the only way we will know that the person claiming to be Tech_A calling for a password reset is really Tech_A is that he will say that he's Tech_A. And Data Security's OK with that? And if it turns out that the person calling isn't who he claims to be, what then? Really, if we abandon the security procedures just because the techs are too busy to follow them, why do we have them at all?"

Team Lead: "What can I say? I see your point. I also see that Management made a decision on how to proceed."

Geis: "There will come a day, hopefully not today, when these 'exceptions of convenience' will burn us very badly. And on that day, as the people who made that decision are clearing out their desks, my only comfort will be in saying that I tried to warn you."

1 comment:

Anonymous said...

I'm with ya. "Transition" periods are when you should be MORE diligent with security, not less. A smart hacker knows that people tend to let their guard down when they are distracted or if they fall out of their regular routine.

Statistics show that a large percentage of compromised systems are the direct result of someone happily giving their password out to someone else whom they believe it's OK to give it to.

We did a security breach test a couple of years ago where they simply had someone call random people throughout the department, claim they were the help desk, and say they needed to reset their password due to a new "password policy" and needed their current password first. Over 80% of people gave it up without even batting an eye.