"The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over."
That's why nothing will change if these estimates are even in the right universe. Nobody wants to inconvenience the vast majority of customers to prevent a minuscule number of issues.
Came here to say just that. I did general customer support for a telco for a few months a while back, and most of the general public can't really deal with high security for personal information. If you were as strict with security as you should be, you'd be locking half of your subscribers out of their accounts eventually. This would create a phenomenal amount of follow-up paperwork for your company, meaning higher costs on your end and greater resentment on the customer's end - costs go up for you and customers head elsewhere.
It's why banks still use laughably short and simple PIN codes.
While that's true, and perhaps even needs to be "the default", there really needs to be a way to say "Hey, I'm concerned, and am prepared to take responsibility for my own access credentials. I demand you categorically _do not_ disclose any of my personal information to anyone without a warrant or court order." And for that sort of demand to have appropriate legal teeth to ensure people collecting that data are sufficiently motivated to act properly on it.
Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)
I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell company's "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...
> Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)
You'd need to take care to avoid getting people locked out of their accounts, but otherwise that sounds like a useful service for the small fraction of people who have a high enough profile that others may actively target them. I don't know if that represents a large enough target market for a sustainable business, but it might.
> I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell company's "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...
Depends on how easily you can register a shell company that doesn't itself have easily traceable public records of ownership. Little point in the indirection if you can then look up the shell company and its official owners and legal contacts.
Whitehat Social Engineering won't be "a unicorn", so don't expect Sandhill Rd to invest, but it's not like whitehat pentesting is a unicorn type idea either, and there's lots of people running successful and profitable <sneer type="SV Startup DoucheBro">lifestyle businesses</sneer> doing that.
Unfortunately, far more people think they want that than can take full personal responsibility for it.
See also: people who don't understand that full-disk encryption means they lose their data if they forget their passphrase. That doesn't make full-disk encryption in any way bad, but if you train people to think that all accounts have a "forgotten password" option, they might get a nasty surprise.
Sure - it needs to be somewhat difficult to turn on, and turning it on needs to very clearly include an "I accept all responsibility for this" declaration.
Most of "us" already deal with these things though - there's no "forgot password" for my ssh keys or my ssl keys or my TOTP seeds - there's no "forgot password" for my 1Password and KeePass safes. We occasionally get to laugh at our less diligent colleagues and peers who belatedly reveal the time they "lost" the ssl private key or the production webserver ssh key, but it's not like we see critical infrastructure falling apart regularly because of forgotten-but-unretrievable passphrases.
But I suspect you're right, there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..." if Ama-Face-Goo-Yah-stagram allowed this...
> very clearly include an "I accept all responsibility for this"
It can't be a simple checkbox, or an Agree button. Make someone type, exactly:
I accept all responsibility for this
Even then, the majority of the general public (as opposed to computer nerds) would be awfully upset at being locked out.
You're exactly right: there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..."
A while ago I set up FDE on a new drive, put the passphrase in my encrypted password file, put the new copy of the password file on the encrypted drive, and then proceeded to wipe the machine that had the only other copy of that password file (well, at least the up-to-date version with that passphrase). A nasty surprise indeed. Thankfully I only lost a month's worth of files (mostly photos).
Heh. In the spirit of it being my turn to "… belatedly reveal the time …" I mentioned upthread…
One time I had my carefully encrypted secrets thoughtfully spread across my laptop drive, my iPod as backup #1, and an external hard drive as backup #2. All of which I had in my backpack one night - which I proceeded to leave at a restaurant where I'd been sitting outside on the sidewalk tables, and I didn't notice until _way_ after they'd closed for the night. (I used up a _great_ deal of luck that night - we went to that restaurant enough to be "regulars", and the waitstaff found it and knew it was one of ours, and it was waiting for me when they opened the next day...)
Then again, in this case it might be salvageable by having an option of turning up with an ID in person. Could still be faked, but it would be a lot more work at least.
Until/unless we can find and implement a workable way to make this a problem Amazon is financially on-the-hook for, instead of Amazon (et al) customers.
I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?
I wonder if there are applicable PII laws in his jurisdiction that'd have Amazon able to be held liable for disclosing his address? (I think there are here in Australia(1), but that doesn't mean regular Amazon customers have any chance of prevailing in court against Amazon's in-house legal team...)
In the US, the relation Legal Name ~ Home Phone Number ~ Address is emphatically not private. It's in the phone book, it's in directories published by local school districts, it's on public property ownership records, in some cases voter registrations are subject to FOIA, it's on corporate registrations, amateur radio licenses, FAA pilot licensing (including small drones), all kinds of professional certifications and business licensing which is published on the internet, etc.
> I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?
Absolutely none, unfortunately. Merchants are specifically allowed to store the first six and last four digits of a credit card number in any form they like.
Minuscule number of issues that can lead to identity theft. I'm fairly sure that most countries have laws stating companies must prevent this to a reasonable extent, even if it means being inconvenient to 99.99% of users calling. This is, after all, a simple way for terrorists to get a new identity. At the very least they should be able to flag accounts as high risk, and have special procedures and senior staff handle such cases.
That said, the author has a very good point. If you cannot log into your account, they should not assist you. MS Support/Store does something similar. They send an email with a code to the address they have on record. If you cannot tell them the code they sent, they will not help you. So if you cannot log into your account, they can assist you in password recovery, and take it from there.
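The email-code check described in the comment above (send a code to the address already on record, refuse to help until the caller reads it back), written out as an added example. This is not Microsoft's or Amazon's code; the `SupportVerifier` class, the account id `acct-42`, the address `owner@example.com`, and the injected mailer and clock are all constructed for illustration. The details a practitioner cares about are the ones the comment leaves implicit: the address comes from the account record, never from the caller; the code is single-use, expires, and allows only a few attempts; and only a keyed digest of it is stored.

```python
"""One-time email code verification for support calls (added example).

Assumptions (constructed, not from the thread): an account record already
holds a verified email address, and the support tool can send mail. The
mailbox owner reads the code back to the agent; the agent types it in,
and only a successful verify() unlocks the case.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8             # 10^8 values; with 3 guesses an attacker wins ~3e-8 of the time
CODE_TTL_SECONDS = 10 * 60  # a code is useless after ten minutes
MAX_ATTEMPTS = 3            # then the agent must start over, which re-mails the owner


class SupportVerifier:
    def __init__(self, send_email, clock=time.time):
        # send_email(address, code) and clock are injected so the flow runs offline.
        self._send_email = send_email
        self._clock = clock
        # Server-side key: stored digests are HMACs, so a leaked table of pending
        # challenges cannot be turned back into codes by hashing all 10^8 values.
        self._key = secrets.token_bytes(32)
        # account_id -> [digest, expires_at, attempts_left]
        self._pending = {}

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def start(self, account_id, email_on_record):
        """Send a fresh code to the address already on the account.

        The address is taken from the record, never from the caller: letting
        the caller choose where the code goes defeats the whole check.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account_id] = [self._digest(code),
                                     self._clock() + CODE_TTL_SECONDS,
                                     MAX_ATTEMPTS]
        self._send_email(email_on_record, code)

    def verify(self, account_id, code_from_caller):
        """True only if the caller read back the current, unexpired code."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at, _attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account_id]
            return False
        entry[2] -= 1
        # Tolerate the agent typing spaces or dashes; compare in constant time.
        supplied = self._digest("".join(ch for ch in code_from_caller if ch.isdigit()))
        ok = hmac.compare_digest(digest, supplied)
        if ok or entry[2] <= 0:
            del self._pending[account_id]  # single use, or out of attempts
        return ok


def demo():
    """Constructed walk-through: a fake mailer captures the code and a fake
    clock lets us expire it. Returns the observed outcomes for inspection."""
    outbox = []
    now = [1_700_000_000.0]
    v = SupportVerifier(send_email=lambda addr, code: outbox.append((addr, code)),
                        clock=lambda: now[0])

    v.start("acct-42", "owner@example.com")  # constructed account and address
    addr, real_code = outbox[-1]
    results = {"mail_went_to_record": addr == "owner@example.com"}

    # One wrong guess, then the right code, then a replay of the spent code.
    results["wrong_guess"] = v.verify("acct-42", "00000000")
    results["right_code"] = v.verify("acct-42", real_code)
    results["replay"] = v.verify("acct-42", real_code)

    # Three wrong guesses burn the challenge even if the next one would be right.
    v.start("acct-42", "owner@example.com")
    _, real_code = outbox[-1]
    for _ in range(MAX_ATTEMPTS):
        v.verify("acct-42", "99999999")
    results["after_lockout"] = v.verify("acct-42", real_code)

    # A code read back after the TTL is refused.
    v.start("acct-42", "owner@example.com")
    _, real_code = outbox[-1]
    now[0] += CODE_TTL_SECONDS + 60
    results["expired"] = v.verify("acct-42", real_code)
    return results
```

The `demo()` function exercises the failure modes a support flow has to get right: a replayed code, a caller who burns through their attempts, and a code read back too late. In a real deployment the pending table would live in a shared store with the same TTL, and the HMAC key would come from a secrets manager rather than being generated per process.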
I'm probably going against the flow here, but I value convenience over security.
I had my identity stolen once, and it sure was annoying... if also a little fun. A credit was opened in my name, that I had to fight to close, and I was even interrogated by police because false me was associated with shady characters (surprise!) but in the end it wasn't the end of the world.
Security "features" however, are usually so annoying they destroy the will to live. They would be tolerable once, but they're constant, and constantly remind you that you are, in fact, a suspect. They pretend to "protect" you but actually dehumanize you and every interaction you have with other humans (not to mention security theater, where the features don't increase security in any way but are simply there to make you "feel" safe).
Being alive is to be at risk, and at the mercy of bad guys. We should accept it and enjoy life before we all die in the end anyway.
Except if they became liable for the damage caused by the information they released, of course. They would then have a financial incentive to have better security checks.