- Date: Sun, 16 Aug 92 19:13:54 -0700
- From: nelson@BOLYARD.WPD.SGI.COM(Nelson Bolyard)
- Subject: File 1--Re: Cu Digest, #4.36
-
- In article <1992Aug16.202305.16708@chinacat.unicom.com>
- john@ZYGOT.ATI.COM(John Higdon) writes:
-
- >After having eight of my residence phone numbers changed, I suddenly
- >realized that my Pac*Bell Calling Card was invalid. I called the
- >business office and explained that I wanted a new card. No problem. In
- >fact, I could select my own PIN. And if I did so, the card would
- >become usable almost immediately.
-
- >Do you see where I am going with this? No effort was made to verify
- >that I was who I claimed to be, even though my accounts are all
- >flagged with a password. (When I reminded the rep that she forgot to
- >ask for my password, she was highly embarrassed.) If I had been Joe
- >Crook, I would have a nice new Calling Card, complete with PIN, of
- >which the bill-paying sucker (me) would not have had any knowledge. By
- >the time the smoke cleared, how many calls to the Dominican Republic
- >could have been made?
-
- To which jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) replies:
-
- >All I can say is that we're trying. As I pointed out earlier in this
- >conversation, it all comes down to people. A mistake was made, no
- >doubt about it. Can we do a better job than we are doing? We're
- >trying to. Is being Ok enough? As the current advertising slogan says
- >"Good enough isn't". This slogan has to translate into real action.
-
- What Rubbish! It doesn't "come down to people". At least, it need not.
- The _computer_ should enforce the right password to modify the account,
- not the customer rep, and the rep should never SEE the customer's password.
-
- The way PACBELL's existing account "password" program apparently works
- (information gleaned entirely from public sources of information, including
- postings to TELECOM-digest and the CU digest), the account holder's
- password is displayed on a screen, and it is a human's job to verify that
- the customer speaks the right value. This system was obviously designed
- by someone who didn't have a CLUE about security.
-
- The system should have been designed so that when an account has a
- password, ANY attempt by a customer service representative to access or
- modify the account will be blocked until the password is entered by the
- rep (who presumably has just gotten it from the person on the phone, the
- alleged customer). I suppose some "supervisor override" password might
- exist so accounts could be managed when the real customer was dead, but
- any transactions done using the override password would render the user of
- that password (e.g. supervisor) _personally_ liable if the actions proved
- fraudulent (not properly authorized).
-
- One final note to all this whining about "we're trying". I'm reminded of
- parents who teach their children that it's OK to fail "as long as you
- tried your best". Not one of us who holds a job is ever held up to that
- ridiculously low standard of performance. No business ever survives by
- holding itself to that standard. It's galling that PacBell should expect
- us to apply that standard to them, especially given their regulated
- monopoly.
-
- If PacBell had any competition as a LEC, and that competitor used
- real (not pretend) password account security, they'd stop this whining
- and do something about it pronto, while customers went to the competitor
- in droves.
- --
- Nelson Bolyard MTS Advanced OS Lab Silicon Graphics, Inc.
- nelson@sgi.COM {decwrl,sun}!sgi!whizzer!nelson 415-390-1919
- Disclaimer: I do not speak for my employer.
- --
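An added illustration of the design argued for above (not code from the post, from PacBell, or from the digest): the system stores only a salted hash so no screen can show the rep the password, the card-issuing transaction is blocked until the customer-supplied password verifies, and a supervisor override is recorded in an audit log against the supervisor who used it. Account numbers, rep and supervisor ids, and the PIN format are made-up placeholders.

```python
"""Hypothetical account-password enforcement: the computer, not the rep,
checks the customer's password; the rep never sees the stored value; any
supervisor override is attributed personally to the supervisor."""
import hashlib
import hmac
import os
import secrets

AUDIT_LOG = []  # entries: (rep_id, account_number, action, authorized_by)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be read back as text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, number: str, password: str):
        self.number = number            # placeholder account number
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)  # plaintext is never kept
        self.calling_card_pin = None

    def check_password(self, supplied: str) -> bool:
        # Constant-time comparison; the rep only types what the caller says.
        return hmac.compare_digest(self.pw_hash, _hash(supplied, self.salt))


def issue_calling_card(account, rep_id, supplied_password=None, supervisor_id=None):
    """Issue a new card PIN only with the customer's password or a logged override.

    Returns the new PIN, or None when the request is denied."""
    if supplied_password is not None and account.check_password(supplied_password):
        authorized_by = "customer-password"
    elif supervisor_id is not None:
        # Override path: the transaction is tied to the supervisor by name,
        # so a fraudulent change is traceable to whoever authorized it.
        authorized_by = f"override:{supervisor_id}"
    else:
        AUDIT_LOG.append((rep_id, account.number, "issue_card", "DENIED"))
        return None
    account.calling_card_pin = f"{secrets.randbelow(10000):04d}"  # placeholder format
    AUDIT_LOG.append((rep_id, account.number, "issue_card", authorized_by))
    return account.calling_card_pin
```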
- ------------------------------
-
-
- Downloaded From P-80 International Information Systems 304-744-2253