Teri Radichel


Do you recognize a potential security problem when you see one?

How long it takes to report a problem and why people give up


One of my stories on cybersecurity testing.

This story is related to my story on mortgage industry security, but not exactly, so I’m putting it into a separate post and will reference it later.

How long does it take your staff to determine if a customer account is compromised or if some other problem exists?

Here’s an example of how long it took me to try to report a potential security issue or at least a bug to a bank. I’m not sure if it made any difference. An online banking system randomly shut off auto-pay on my credit card. I got hit with some fees, interest, and on top of that, when I logged in there was no way for me to set back up the auto-pay. I immediately made a payment and tried to call in to find out why the auto-pay got shut off and how I could turn it back on.

When I called, I did not want to only get my fee back but to get autopay set up. I also wanted to report the problem to the appropriate person because how does that happen? Is there a security issue or a bug that caused it to get shut off? I never shut off autopay. I used to work on back-office systems at a bank and this seemed like it had the potential to be a bigger issue.

I had to go through four people to figure out what was going on and the system hung up on me repeatedly — which also may be concerning. The first person gave me my fee back but I wanted to know how auto-pay got turned off and report the issues to someone who could fix a potential underlying problem. I also wanted it back on and the system wouldn’t allow me to set it up.

That person sent me to the online department, who could not figure out why I could not set up autopay. He also told me I had no online banking payment history!? Then he told me my bank accounts were not authorized to make payments. What? I’ve been making payments from those accounts for at least 8 years and the history should be there. Four people that day validated that the payment I had just made from one of those bank accounts went through. So how can it be “unauthorized”? Then he said the bank in that transaction was listed as “unknown” — whatever that means.

None of this made me feel any more confident that my auto-payments would not get shut off again, not to mention I still couldn’t turn them back on.

Does your staff recognize a potential security bug or at least a system error?

When this person tried to brush it off, same as the last person, I asked, “Does this not set off any alarm bells as something odd going on when eight years of banking history is missing?” He escalated the question to a technical person who just said, “You have no history of online payments.”

The person in online banking apologized and couldn’t help me so he sent me to an “executive support” person after I said I would really like to know what happened to my data in the system. The executive support person said because my account was in “delinquent status”, I couldn’t set up an auto-payment. She apologized that none of the other four people I talked to could explain that. I was guessing that might be the issue, but why didn’t anyone in any other department know this?

Tangent: Does this make any sense at all? If a person is trying to pay a bill, has paid it, and wants to make sure it doesn’t happen again, why would you block that? They are trying to pay you and make sure they are not late!

The executive support person said she could see my payment, all the payment history, and bank accounts no one else could see. Again, because my account was in a weird status they couldn’t see the payment history, and my bank accounts looked invalid to them. Seems odd to me again that support people couldn’t see my payment history, but perhaps this is somehow to prevent fraud which I am trying to figure out — but not trying too hard since I’m not getting paid for it.

And, the executive person could not explain how my auto-pay got turned off just like everyone else. She was looking into it — when the system hung up on me again. I gave up.

Does your staff shrug off system anomalies?

Later, I logged back into my account as directed to set up the auto-pay and my bank accounts that I used to pay my bill were gone, the same as when I called in before. I couldn’t make any payment let alone set up auto-pay because I couldn’t select a bank from the list to make the payment. It was empty and asked if I wanted to set up a bank from which to make a payment.

I called back and once again customer support tried to send me to online banking but I knew online banking wouldn’t be able to help me, like last time. I didn’t want to go in circles on the phone again. So I asked the person to get me back to that executive line. While I was on the phone clicking around in the portal — suddenly my bank accounts reappeared. Did that person do something to fix it? I don’t know. Why was the auto-pay turned off in the first place? No one can explain it.

It’s on now and I took a screenshot of the confirmation.

But as you can see, trying to report a weird system issue — which based on years of experience working in cybersecurity and with banking systems leads to some concern — was incredibly time-consuming. And no one on the front line could solve the problem or saw any of it as a potential cybersecurity risk or a system problem that they might want to look into and fix. At every step of the way I had to ask repeatedly to get to someone who could resolve the problem and answer the questions.

Could it be a larger problem?

Consider my explanation of how general bugs can be an indication of a security problem. Consider the story of The Cuckoo’s Egg, where a few cents off in a system led to an international spy ring. Maybe you’ve heard of the salami attack, where someone slices off a few partial cents in a system and siphons them to their own bank account. I often wondered about this in systems I worked on for a bank that involved rounding and strange database code review processes. I also mention reconciliation errors in my cybersecurity book that led to millions of dollars stolen from financial institutions.
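The rounding and reconciliation problems described above are exactly what a nightly reconciliation job should catch. The following is an added example, not code from the original post or from any bank the author worked with: it runs three checks over a constructed batch of interest postings, comparing what a rate engine computed (full precision) against what was actually credited to each account. The `Posting` type, the `reconcile` function, the sample figures and the idea of a "rounding suspense account" are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Posting:
    """One interest posting: what the rate engine computed vs. what hit the ledger."""
    account: str
    exact: Decimal      # full-precision interest computed by the rate engine
    credited: Decimal   # amount actually posted to the customer's account


def expected_credit(exact: Decimal) -> Decimal:
    """What the ledger should carry if rounding is honest: half-up to the cent."""
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def reconcile(postings, suspense_balance="0.00", tolerance="0.01"):
    """Three checks a reconciliation job should run over an interest run.

    Returns a plain dict so the result is easy to log or assert on:
      mismatches - accounts whose credited amount is not the honest rounding
      residue    - sum of (exact - credited); honest rounding keeps this near 0,
                   a consistent shave makes it grow with every posting
      balanced   - ledger identity: rounded total of exact interest must equal
                   customer credits plus whatever sits in the rounding suspense
                   account, within tolerance
    """
    suspense = Decimal(str(suspense_balance))
    tol = Decimal(str(tolerance))
    mismatches = [p.account for p in postings if p.credited != expected_credit(p.exact)]
    residue = sum((p.exact - p.credited for p in postings), Decimal(0))
    total_exact = sum((p.exact for p in postings), Decimal(0)).quantize(
        CENT, rounding=ROUND_HALF_UP
    )
    total_credited = sum((p.credited for p in postings), Decimal(0))
    balanced = abs(total_exact - (total_credited + suspense)) <= tol
    return {
        "mismatches": mismatches,
        "residue": str(residue.quantize(Decimal("0.0001"))),
        "balanced": balanced,
    }


def _postings(rows):
    return [Posting(a, Decimal(e), Decimal(c)) for a, e, c in rows]


# Constructed sample data (not real account figures). Same computed interest
# in both runs; only the posted amounts differ.
HONEST = _postings([
    ("A", "1.2349", "1.23"),
    ("B", "0.8751", "0.88"),
    ("C", "2.4950", "2.50"),
    ("D", "3.1040", "3.10"),
])
# Every posting truncated instead of rounded, and the shaved fractions never
# reach the suspense account: the classic salami pattern.
SHAVED = _postings([
    ("A", "1.2349", "1.23"),
    ("B", "0.8751", "0.87"),
    ("C", "2.4950", "2.49"),
    ("D", "3.1040", "3.10"),
])

if __name__ == "__main__":
    for name, run in (("honest", HONEST), ("shaved", SHAVED)):
        print(name, reconcile(run))
```

Two of the checks matter in different ways. Per-posting mismatches catch a wrong rounding rule on any single account, while the ledger identity catches money that left the computed total without landing anywhere it should; note that if the shaved fractions had been parked in the suspense account the totals would balance and only the per-posting check would fire, which is why both are needed. Using `Decimal` rather than floats is deliberate: binary floating point cannot represent most cent values exactly, and a reconciliation job built on it will produce its own tiny residues that mask the ones you are looking for.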

Take system issues and bugs seriously, especially in any system hosting sensitive and financial information. When system problems occur, report them to the vendor or team that built the system and get them fixed. Don’t just shrug off anomalies. Train your staff to notice them. Provide an easy way to report them. Look into them. Be able to explain them. Fix them.

Consider getting a penetration test. Whenever I perform a penetration test or product security assessment I often find numerous bugs that are not security-related but that degrade the customer experience. These bugs can also block me from finding other, more serious security problems during the test. Bugs of any kind are bad. They indicate a logic error, a system problem, a lack of adequate testing and remediation, or an inadequate allocation of time, money, and resources to do it properly.

An organization may have many small anomalies, spread across many customers and shrugged off by support teams, that together indicate a much larger issue or security incident. You should also be able to explain to customers what happened when there is a system glitch, so they know their funds are safe.
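The two preceding paragraphs make one point from the defender's side: a single customer whose auto-pay silently turned off is a support ticket, but several on the same day is a system incident, and you only see the second if someone aggregates. The following is an added example, not code from the original post or from any bank's systems: it parses a constructed audit log in a hypothetical `key=value` format, keeps only the disables that no customer initiated, counts distinct affected accounts per day, and raises an alert when that count reaches a threshold. The log format, field names, account numbers and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed audit-log lines in a hypothetical key=value format; not output
# from any real banking system. The last line is deliberately malformed.
AUDIT_LOG = """\
2021-03-01T02:14:07Z account=1001 event=autopay_disabled actor=system channel=batch
2021-03-01T02:14:08Z account=1002 event=autopay_disabled actor=system channel=batch
2021-03-01T02:14:09Z account=1003 event=autopay_disabled actor=system channel=batch
2021-03-01T09:30:11Z account=1004 event=autopay_disabled actor=customer channel=web
2021-03-02T11:02:45Z account=1005 event=autopay_disabled actor=system channel=batch
2021-03-02T11:05:00Z account=1005 event=autopay_enabled actor=customer channel=web
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]{8}Z) account=(?P<account>\d+) "
    r"event=(?P<event>\w+) actor=(?P<actor>\w+) channel=(?P<channel>\w+)$"
)


def parse(log):
    """Parse lines into dicts; malformed lines are counted, not silently dropped."""
    events, bad = [], 0
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            bad += 1
    return events, bad


def unexplained_disables(events):
    """A disable the customer did not initiate is the anomaly worth tracking."""
    return [
        e for e in events
        if e["event"] == "autopay_disabled" and e["actor"] != "customer"
    ]


def accounts_per_day(events):
    """Distinct affected accounts per calendar day (first 10 chars of the timestamp)."""
    days = defaultdict(set)
    for e in unexplained_disables(events):
        days[e["ts"][:10]].add(e["account"])
    return {day: sorted(accts) for day, accts in sorted(days.items())}


def alert_days(events, threshold=3):
    """Days on which the number of distinct affected accounts reaches the threshold."""
    return [
        day for day, accts in accounts_per_day(events).items()
        if len(accts) >= threshold
    ]


def triage(log, threshold=3):
    """One-call summary suitable for a daily report or a monitoring check."""
    events, bad = parse(log)
    return {
        "parsed": len(events),
        "malformed": bad,
        "per_day": accounts_per_day(events),
        "alerts": alert_days(events, threshold),
    }


if __name__ == "__main__":
    print(triage(AUDIT_LOG))
```

Counting distinct accounts rather than raw events stops one noisy account from tripping the alert, and the `actor` field is what separates a customer choice from something the system did on its own; if your audit log cannot tell those apart, that gap is itself the first finding. The malformed-line counter exists because a parser that quietly skips lines it does not understand is the same failure mode as a support desk that quietly skips reports it does not understand.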


Teri Radichel | © 2nd Sight Lab 2021
