home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
cud
/
cud437a.txt
< prev
next >
Wrap
Text File
|
1995-01-03
|
4KB
|
76 lines
Date: Sun, 16 Aug 92 19:13:54 -0700
From: nelson@BOLYARD.WPD.SGI.COM(Nelson Bolyard)
Subject: File 1--Re: Cu Digest, #4.36
In article <1992Aug16.202305.16708@chinacat.unicom.com>
john@ZYGOT.ATI.COM(John Higdon) writes:
>After having eight of my residence phone numbers changed, I suddenly
>realized that my Pac*Bell Calling Card was invalid. I called the
>business office and explained that I wanted a new card. No problem. In
>fact, I could select my own PIN. And if I did so, the card would
>become usable almost immediately.
>Do you see where I am going with this? No effort was made to verify
>that I was who I claimed to be, even though my accounts are all
>flagged with a password. (When I reminded the rep that she forgot to
>ask for my password, she was highly embarrassed.) If I had been Joe
>Crook, I would have a nice new Calling Card, complete with PIN, of
>which the bill-paying sucker (me) would not have had any knowledge. By
>the time the smoke cleared, how many calls to the Dominican Republic
>could have been made?
To which jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) replies:
>All I can say is that we're trying. As I pointed out earlier in this
>conversation, it all comes down to people. A mistake was made, no
>doubt about it. Can be do a better job than we are doing? We're
>trying to. Is being Ok enough? As the current advertising slogan says
>"Good enough isn't". This slogan has to translate into real action.
What Rubbish! It doesn't "come down to people". At least, it need not.
The _computer_ should enforce the right password to modify the account,
not the customer rep, and the rep should never SEE the customer's password.
The way PACBELL's existing account "password" program apparently works,
(information gleaned entirely from public sources of information, including
postings to TELECOM-digest and the CU digest) the account holder's
password is displayed on a screen, and it is a human's job to verify that
the customer speaks the right value. This system was obviously designed
by someone who didn't have a CLUE about security.
The system should have been designed so that when an account has a
password, ANY attempt by a customer service representative to access or
modify the account will be blocked until the password is entered by the
rep (who presumably has just gotten it from the person on the phone, the
alleged customer). I suppose some "supervisor override" password might
exist so accounts could be managed when the real customer was dead, but
any transactions done using the override password would render the user of
that password (e.g. supervisor) _personally_ liable if the actions proved
fraudulent (not properly authorized).
One final note to all this whining about "we're trying". I'm reminded of
parents who teach their children that it's OK to fail "as long as you
tried your best". Not one of us who holds a job is ever held up to that
ridiculously low standard of performance. No business ever survives by
holding itself to that standard. It's galling that PacBell should expect
us to apply that standard to them, especially given their regulated
monopoly.
If PacBell had any competition as a LEC, and that competitor used
real (not pretend) password account security, they'd stop this whining
and do something about it pronto, while customers went to the competitor
in droves.
--
Nelson Bolyard MTS Advanced OS Lab Silicon Graphics, Inc.
nelson@sgi.COM {decwrl,sun}!sgi!whizzer!nelson 415-390-1919
Disclaimer: I do not speak for my employer.
--
------------------------------
Downloaded From P-80 International Information Systems 304-744-2253
