11/22/2006

The future's ID fraud, the future's Orange

Channel 4 news tonight exposed Orange for allowing shared log-ins on their computer systems which would allow people to easily take customer account information without any ability to trace who had actually logged in and accessed the information.

The information they would have had access to could easily be used by someone wanting to steal your identity or access your personal banking details.

As ever, the person who revealed this information to Orange managers was subsequently fired, yet Orange say they are investigating the matter.

If they were really investigating this matter properly, would they have fired the employee?

Read all about it in more detail HERE.

This on the day it was also revealed that laptops holding banking details for the Metropolitan Police had been stolen from a company subcontracted to run the Met Police's wages systems.

It's a bit of a worry, especially if you are an Orange customer. Luckily, I am not.

4 comments:

dizzy said...

Someone in Orange's call centre could steal your identity and access all your personal bank details anyway. All they need is a pen and piece of paper and to wait a couple of weeks and it would be totally untraceable.

Sure, there is an issue here that staff in an Orange call centre are playing loose and fast with information security policy, but let's not make out the potential of what they "could" do is any less than what they "could" do anyway, because it isn't.

As to the guy getting fired, I don't recall we were told why he was fired; for all we know he could be an ex-employee with a grudge. Admittedly, he has highlighted a failing in the call centre, but given the staff in the call centre could steal identities when logged on in their own user account I hardly see what the story is in that respect.

All that has actually been "exposed" is that human beings failed to follow a security policy. That sort of thing happens every day in every company because most people at keyboards are idiots who think having their child's name followed by the year they were born is a good password.

I am an Orange customer, and I'm no more worried than I am about calling any call centre where my personal information is recorded.

Nich Starling said...

Channel 4 implied quite strongly that Orange's procedures were not standard within the industry and were not suitably robust so as to be able to trace who was doing what. I appreciate this is a problem across the UK, which would then lead me on to my concerns about Indian call centres where the FSA is not applicable, but don't get me started on Indian call centres!!!

dizzy said...

I don't care what Channel 4 implied, I happen to work in the industry and Orange's procedural policy is bog standard. As to the non-traceability aspect, there was absolutely ZERO detail in the piece regarding that, so I would strongly advise, speaking as an IT/Security professional in the Telecom and Internet industry, that you err on the side of caution when making assumptions about what actually was accessed using shared logons and the level of traceability. It would certainly be traceable to a specific machine and desk. A basic process of time and elimination could factor who was responsible.

However, the issue that's actually arisen here is one relating to the weak link in all security models, human beings. Orange clearly have a policy that says users should not share passwords or usernames. That policy is predicated _entirely_ on human beings adhering to it. It got broken. That happens. By the sound of things it was reported too (and I saw no evidence the guy who reported it was actually fired for doing so).

At the end of the day though, Channel 4 were making an inference that somehow this breach of policy put customer data more at risk than at other times. That is simply not the case. As I said, anyone with a pencil and piece of paper could lift information and walk out at any time irrespective of the login he or she was using. If that person waited for a while, or even sold the information on, there really wouldn't be any way of Orange tracing it; in fact Orange would probably never know they were the source of the info leak.

I'm not quite sure what the FSA has to do with anything, mind you. They have no regulatory power over that sort of minutiae of policy. The only place where such regulations do exist is under Sarbanes-Oxley, which is a classic example of where politicians get involved in technology they do not understand and thus create bad legislation.

You're welcome to take the line that Channel 4 fed to you on this of course Nich. However, I'm merely pointing out that it was light on technical detail, and lacked any real gravity on matters of information security any greater than that which exists in a normal functioning call centre.

Nich Starling said...

Your comments are always enlightening and well informed. Thanks.
