Insecure About The Security Process, Part 2

, , , , , , | Right | October 20, 2020

I work for a building society. They are notorious for having a high turnover when it comes to employees, but nevertheless, I stay as long as possible because I have just finished university and am trying to crawl my way out of my student overdraft.

We have something called “partial authentication.” If you enter a code, it means you only have to go through a bit of security instead of the full lot. It also means you can politely address the account holder by name, which I do because I’m that sort of British. It’s also my final day.

Me: “Good afternoon, [Caller]. You’re through to [Bank]; how can I help today?”

Customer: “I would like to go through a few transactions on my account and check the balance.”

Me: “Okay, then. Can you please just confirm for me [random security information]?”

Customer: “Why should I give you that?”

Me: “It’s just a bit of security so I can take a look at your account.”

Customer: “But you addressed me by name, so I’ve done security!”

Me: “Ah, sir, you have partial security enabled, so when you enter your code when the phone asks for it, it means I only need to do reduced security instead of full.”

Customer: “I shouldn’t have to do that. I want to look at my account.”

Me: “I cannot give you your balance without first confirming security with you. To do so would be a breach of security policy.”

Customer: “I’m not doing that.”

Me: “Okay, sir, is there anything else I can help you with?”

We can give out product advice and such or transfer to sales without much security, so we ask this just in case.

Customer: “Yes, you haven’t helped me. I want my balance and to check my direct debits have gone out.”

Me: “Yes; however, you have chosen to not complete security, and therefore, I cannot complete that request.”

Customer: “But you addressed me by name.”

This carries on ad nauseam. I explain partial security. He states that I addressed him by name so he should not have to do security. I explain that I cannot do anything with the account until he does. This goes on for thirty minutes.

Me: “Sir, if you will not proceed with security, then I cannot take this call any further.”

Customer: “That’s it. I want to talk to a supervisor.”

Me: “Sir, they will only reiterate what I have stated many times.”

Customer: “Supervisor. NOW!”

I grab my supervisor and explain the situation.

Supervisor: “I’m only going to tell him the same thing you said.”

Me: “Would you believe I’ve told him that?”

Supervisor: *To the customer* “Hello, I’m [Supervisor]. I hear you’ve asked to speak to a supervisor.”

She listens.

Supervisor: “Sir, if you are unwilling to do security, then I will have to end this call. We cannot proceed any further if you refuse to do so.”

She ended the call.

Insecure About The Security Process

1 Thumbs

Toy Crime Story

, , , , , , , | Right | September 9, 2020

I’m shopping for toys for our child in a famous London toy store. My husband is a few shops away doing something else. He is finished and I am nearly, as well. Instead of shopping baskets, the store supplies big, red, very visible, and branded bags to carry your purchases around. My husband calls me to try and find me.

Because the store is full of people, he goes into “husband panic mode,” saying he’ll never find me. In order to help him, I go to the entrance. Trying to locate him, I step out of the store with my big bag of stuff I have not paid for. I am literally standing still, not even an arm’s length from security, scanning people to find my husband.

Suddenly, I am grasped by a man who I realize is security. He thinks I tried to steal and is very upset about it. I find that pretty funny, considering my choice of standing right next to him with a big bag proclaiming the store name. Very quickly, a young man who is some sort of a manager arrives at the scene and also gives me a stern talking to.

I understand their initial interest in me but am really amused that they never stopped to consider the exact circumstances after they initially stopped me, so I ask them, “Do you really think this is what stealing looks like? Me standing stock still next to a security guy with a big, bulging bag provided and branded by your store?”

I had a pretty hard time convincing them that YES, I WOULD ACTUALLY buy all that stuff now, as if the register wasn’t three feet away, and as if they couldn’t quite easily check that I was going to buy it all. I honestly think people in security should have enough experience to know an honest mistake when they see it.

1 Thumbs

Gosh, We’ve Never Felt Safer

, , , , | Working | August 13, 2020

Our local bank announced a new security policy of “two-factor authentication”: you would enter your phone number, and it would send a text message to that number with a one-time code to log into your account. After several weeks of constantly entering my phone number and wondering why it didn’t just use the one associated with my account, a realization came to me.

During lunch, I entered the number for my work cell on a work computer, both of which the bank had no knowledge of previously. Sure enough, the bank sent a one-time code to the completely new phone and authenticated a completely new computer. It made absolutely no check that the phone number was valid.

Anyone could answer any phone number there and instantly have full access to anyone’s account.

I called the bank and told them how their supposedly two-factor authentication is actually zero-factor authentication, but they insisted it was working as designed. I finally moved my money to a different bank.

I recently learned that someone had hacked a whole bunch of accounts at the old bank, which they found odd, because they had recently moved to two-factor authentication in the month before, which was “more secure than a password.”

1 Thumbs

Don’t They Know What Security Is For?

, , , | Right | August 6, 2020

I work airport security, and as a rule, everyone must be screened to go from the public area to the secure area. While I am out maintaining the exit to make sure no one walks in, an older woman with her adult family approaches me.

Passenger: “Excuse me? How do we get to the other side without going through security?”

Me: “Um. You can’t.”

Passenger: “What do you mean, we can’t? We don’t want to go through security; we just want to get to the other side.”

Me: “Right. You can’t. Everyone has to go through security to get on the other end of it.”

Passenger: *Huffing away* “Well, that’s just ridiculous!”

1 Thumbs

An Alarming Lack Of Security

, , , , , , | Legal | July 22, 2020

I’ve shared this story in the comments of a few different NAR stories, so it may be familiar to some long-time readers.

About ten years ago, my hometown had a bit of a burglary problem. Several homes in the area are summer homes for rich people; they are not occupied year-round. Naturally, this made it easy for the burglar to avoid getting caught; they just broke into homes that they knew were empty. They also only stole routine items such as TVs, video game consoles, and power tools — stuff that was easy to sell in secondhand markets without drawing any significant attention.

Several of the rich homeowners had installed alarm systems through a local security/alarm company, but the company had not taken action in any of the burglaries, and law enforcement had never been sent to investigate an alarm. Naturally, the homeowners simply assumed that the alarm systems were faulty, but the company finally admitted that while each burglary had triggered the alarm, the automatic verification calls to the home had always come back as a false alarm report.

Law enforcement officers finally listened to the recordings of a few such calls to figure out what was going on. In each call, the company agent naturally went through an identity verification script to make sure they were talking to the actual homeowner. The only problem was that, instead of having the homeowner state the answers to the security questions, the company only required the homeowner to verify the information on file.

For example, instead of asking, “Who am I speaking with?”, the company would ask, “Is this [Homeowner]?” Instead of asking, “What is the address of this property?”, the company asked, “Is this the property at [address]?”

All the burglar had to do was answer yes to every question and the company recorded it as a false alarm.

Law enforcement seized the recordings of every such call and were able to use voice matching to prove that every burglary had been committed by the same man. When that man was finally caught trying to sell one of the stolen items online, he was arrested, tried, and convicted for every burglary. He spent a few years in state prison.

In the end, very few of the homeowners ever received compensation after being burgled. The alarm company declared bankruptcy and dissolved immediately after their negligent behavior was exposed, which somehow allowed them to avoid lawsuits from the homeowners. A few of the many stolen items were recovered from pawn shops and online markets, but most of the items were generic enough that they were never found again. And because the burglar didn’t have much going for him in terms of financial assets, any civil lawsuits filed against him would have earned such a small settlement that very few of the homeowners went ahead with such lawsuits.

1 Thumbs