July 28, 2012

Asleep at the Front

So for all our work at scanning and patching and all the other things that we - as a collective field - do to make things safe for our companies and customers, we still have something that is counteracting all our work. It's people at the front who are asleep at the wheel.

It's probably a given that any bank or credit card would have a crackerjack team of security professionals who would be scanning the network. And they probably hire crackerjack network and server people who are keeping patches up-to-date ... or you would hope this to be true. So wouldn't it be nice if they could get timely information about any anomalies in the system?

This morning I got an "international transaction alert" from one of my cards. The alert was on a recurring transaction that I have been using for years. I click the secure chat button and talk to an agent. He checks and sees that it is a charge in US currency. "Oh, just must be some sort of mistake. Anything else I can help you with?"

He meant well and was good at what he normally does - helping people with their accounts. This was a little outside his realm. He made a note on my account for me. Great - but that doesn't alert the correct people and doesn't mean that this won't happen again. He said he will let his supervisor know. His supervisor probably doesn't know any more about attacks than he does. Really.

Now, at this point, I'm thinking Salami attack. Sure, the "major" portion of the charge - $X.99 - was in US currency and the "minor" part of the charge - perhaps $X.993947203 was in (or converted to) some type of foreign currency. This would trigger an international transaction alert, wouldn't it? Can anyone check that? No.

So after talking to the chat specialist, I am given a number to call. I dial it and it's the "main" number for the card. I listen to the options and press the button for the fraud department. The person I spoke to there _also_ didn't know what I was talking about and had to send me to her supervisor. The supervisor _again_ didn't know what I was talking about. WTF? And this is not some fly-by-night dinky credit card. This is a major player in that space. All the supervisor could tell me is that there is no country of origin on the transaction. Again, this is a transaction that has been charged to my account on a monthly basis for years that never before triggered an international transaction alert. Something is obviously wrong here. What changed?

In the end, my only option to report this correctly was to WRITE with pen and paper to a PO Box. Oh, I had another option to FAX my letter if I wanted, but I opted out of that one. Really? Is this the process that we want to use to get our information? I know they have a Security Operations Center. It's probably staffed 24x7. But they only know their systems are up and running - not what's happening within the running system. And when I write this letter to "the company" how is it ever going to get to the correct department? It won't. They gave me the address for General Correspondence. A receptionist is going to read and route my letter. Save the stamp. She won't know any more about this than the chat specialist.

Isn't this what a salami attack relies upon? Who is going to notice? And out of that small number, how many will report? And out of that smaller number, how many will be able to report it to someone who can understand it or do anything about it? Meanwhile, unknown amounts are siphoned off and the consumer is left to foot the bill as the company folds it into the cost of doing business. Shrinkage.
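As an added example (not code from the original post), here is the kind of check an issuer's operations team could run over its own ledger to surface exactly this pattern: a recurring merchant whose charge suddenly carries a sub-cent residue, a changed currency, or a blank country-of-origin field. The ledger rows and merchant names are constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger (not real data): (date, merchant, amount, currency, country)
LEDGER = [
    ("2012-03-01", "StreamingCo", "9.99", "USD", "US"),
    ("2012-04-01", "StreamingCo", "9.99", "USD", "US"),
    ("2012-05-01", "StreamingCo", "9.99", "USD", "US"),
    ("2012-06-01", "StreamingCo", "9.99", "USD", "US"),
    ("2012-07-03", "Grocer", "52.10", "USD", "US"),
    # July: same merchant and headline amount, but a sub-cent residue and no country of origin
    ("2012-07-28", "StreamingCo", "9.993947203", "USD", ""),
]

CENT = Decimal("0.01")


def find_salami_anomalies(ledger, min_history=3):
    """Flag charges from a recurring merchant that deviate from its established profile.

    A merchant counts as recurring once it has min_history identical prior charges
    (same cent-rounded amount, currency and country). A charge is flagged for a
    sub-cent residue, amount drift, or a currency / country change (a blank
    country counts as a change). Flagged charges are kept out of the baseline.
    Returns a list of (date, merchant, [reasons]).
    """
    history = defaultdict(list)
    findings = []
    for date, merchant, amount, currency, country in sorted(ledger):
        amount = Decimal(amount)
        rounded = amount.quantize(CENT)
        prior = history[merchant]
        reasons = []
        if len(prior) >= min_history and len(set(prior)) == 1:
            base_amt, base_cur, base_country = prior[0]
            residue = amount - rounded
            if residue != 0:
                reasons.append(f"sub-cent residue {residue}")
            if rounded != base_amt:
                reasons.append(f"amount {rounded} differs from usual {base_amt}")
            if currency != base_cur:
                reasons.append(f"currency {currency} vs usual {base_cur}")
            if country != base_country:
                reasons.append(f"country {country!r} vs usual {base_country!r}")
        if reasons:
            findings.append((date, merchant, reasons))
        else:
            prior.append((rounded, currency, country))
    return findings


if __name__ == "__main__":
    for date, merchant, reasons in find_salami_anomalies(LEDGER):
        print(date, merchant, "; ".join(reasons))
```

The point of keeping the baseline per merchant is that a one-off check on a single charge ("it's in US currency, must be a mistake") cannot see the drift; only the history does.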

But I am not done yet. I will pursue this. And who knows where it will lead? I remember a time when I called my ISP to complain about a disjointed news feed. I ended up with a job there - and that was the start of my IT career. Maybe this is the start of something I can't even imagine or understand at this point. Or perhaps it's just another ignored warning from Cassandra.

Posted by BlueWolf on July 28, 2012 08:13 AM