Date: Sun, 16 Aug 92 19:13:54 -0700
From: nelson@BOLYARD.WPD.SGI.COM(Nelson Bolyard)
Subject: File 1--Re: Cu Digest, #4.36

In article <1992Aug16.202305.16708@chinacat.unicom.com>
john@ZYGOT.ATI.COM(John Higdon) writes:

>After having eight of my residence phone numbers changed, I suddenly
>realized that my Pac*Bell Calling Card was invalid. I called the
>business office and explained that I wanted a new card. No problem. In
>fact, I could select my own PIN. And if I did so, the card would
>become usable almost immediately.

>Do you see where I am going with this? No effort was made to verify
>that I was who I claimed to be, even though my accounts are all
>flagged with a password. (When I reminded the rep that she forgot to
>ask for my password, she was highly embarrassed.) If I had been Joe
>Crook, I would have a nice new Calling Card, complete with PIN, of
>which the bill-paying sucker (me) would not have had any knowledge. By
>the time the smoke cleared, how many calls to the Dominican Republic
>could have been made?

To which jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) replies:

>All I can say is that we're trying. As I pointed out earlier in this
>conversation, it all comes down to people. A mistake was made, no
>doubt about it. Can we do a better job than we are doing? We're
>trying to. Is being Ok enough? As the current advertising slogan says
>"Good enough isn't". This slogan has to translate into real action.

What Rubbish! It doesn't "come down to people". At least, it need not.
The _computer_ should enforce the right password to modify the account,
not the customer rep, and the rep should never SEE the customer's
password.

The way PACBELL's existing account "password" program apparently works,
(information gleaned entirely from public sources of information,
including postings to TELECOM-digest and the CU digest) the account
holder's password is displayed on a screen, and it is a human's job to
verify that the customer speaks the right value.
This system was obviously designed by someone who didn't have a CLUE
about security.

The system should have been designed so that when an account has a
password, ANY attempt by a customer service representative to access or
modify the account will be blocked until the password is entered by the
rep (who presumably has just gotten it from the person on the phone, the
alleged customer). I suppose some "supervisor override" password might
exist so accounts could be managed when the real customer was dead, but
any transactions done using the override password would render the user
of that password (e.g. supervisor) _personally_ liable if the actions
proved fraudulent (not properly authorized).

One final note to all this whining about "we're trying". I'm reminded of
parents who teach their children that it's OK to fail "as long as you
tried your best". Not one of us who holds a job is ever held up to that
ridiculously low standard of performance. No business ever survives by
holding itself to that standard. It's galling that PacBell should expect
us to apply that standard to them, especially given their regulated
monopoly. If PacBell had any competition as a LEC, and that competitor
used real (not pretend) password account security, they'd stop this
whining and do something about it pronto, while customers went to the
competitor in droves.

--
Nelson Bolyard    MTS Advanced OS Lab    Silicon Graphics, Inc.
nelson@sgi.COM    {decwrl,sun}!sgi!whizzer!nelson    415-390-1919
Disclaimer: I do not speak for my employer.
--

------------------------------

Downloaded From P-80 International Information Systems 304-744-2253
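
The design argued for in the reply above (the system compares the password, the rep never sees it, and override use is tied to a named supervisor), sketched as an added example that is not part of the original post or of any PacBell system. The class and method names, the PBKDF2 hashing and the session tokens are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

class AccessDenied(Exception):
    pass

def _enroll(password, salt=None):
    # Salted slow hash: no screen can show the stored password to a rep.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _matches(record, password):
    salt, digest = record
    return hmac.compare_digest(_enroll(password, salt)[1], digest)

class AccountSystem:  # hypothetical model, not any real billing system
    def __init__(self):
        self._creds = {}     # ("customer" | "supervisor", id) -> (salt, digest)
        self._sessions = {}  # token -> (actor, account, via)
        self.pins = {}       # account -> calling-card PIN
        self.audit = []      # (actor, account, action, via)

    def enroll(self, kind, ident, password):
        self._creds[(kind, ident)] = _enroll(password)

    def _open(self, actor, account, key, password):
        record = self._creds.get(key)
        if record is None or not _matches(record, password):
            self.audit.append((actor, account, "denied", key[0]))
            raise AccessDenied(key[0])
        token = secrets.token_hex(8)
        self._sessions[token] = (actor, account, key[0])
        return token

    def open_account(self, rep_id, account, typed_password):
        # The rep types what the caller said; the system does the comparison.
        return self._open(rep_id, account, ("customer", account), typed_password)

    def override(self, sup_id, sup_password, account):
        # Override path: every later action is logged against this supervisor.
        return self._open(sup_id, account, ("supervisor", sup_id), sup_password)

    def set_pin(self, token, new_pin):
        if token not in self._sessions:
            raise AccessDenied("no open session")  # blocked until unlocked
        actor, account, via = self._sessions[token]
        self.pins[account] = new_pin
        self.audit.append((actor, account, "set-pin", via))
```

The audit list is what makes the override attributable: each entry names the actor and whether the account was opened by the customer's password or by a supervisor's.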