Information Security: The Problem is us, People.
We hear daily the increasing pitch and fervour of the cyber-security market reminding us how critically important on-line risk exposure and mitigation are in business and (especially) in our personal digital lives. Australia is one of the hardest hit countries in the world for active attacks such as ransomware; within Australia, Queensland is one of the worst affected states on that list. A sobering thought. Why?
Probably because culturally Aussies are a pretty friendly bunch who are far too trusting, most of us wandering through our Facebook and Netflix laden lives believing no one in the world could possibly want to do us harm.
I digress; however, with that in mind I’d like to share an experience I had earlier this week at a bank. A big bank. One of those really big ones that holds the financial present and future of millions of Australian families and companies within its tightly wound, secure platforms.
My problem was that I couldn't log on. Pretty common issue really, so I thought I would call the helpline and seek assistance. It turned out my issue was that the on-line platform (which is pretty good frankly) now required a token to be issued as a compulsory additional layer of security. This was explained as being a result of increased security for the on-line business banking platforms, and had to be combined with the existing USB key and username / password to access the accounts. They would be happy to get one shipped if I could validate my identity?
Sure! However I couldn't remember the answers to all my security questions, so off to a branch I had to go. No big deal, happy to do it.
It was a great experience actually. No lines, a beautiful fit out with self-service kiosks, and friendly staff who really knew what they were doing. As a business customer, I was ushered to a funky dedicated kiosk that was staffed – no self-service here – by a very helpful, knowledgeable and friendly-to-the-point-of-almost-effusive team member. 10 out of 10 for service so far.
I explained my situation, and after presenting my USB device and answering a few questions - “what is the company name?” and “how many accounts do you have with us?” and “what is the company address?” and “what is your date of birth?” - we were away. I should mention that I got the second question wrong; the other answers would be easy enough to find out.
This was where I thought it might be interesting to see where things would go, given that I hadn't had to present any ID and had already effectively failed two layers of bank identification. I’ll take pains at this point to state that my query was absolutely legitimate: I had no intent other than to order a new token. At no time did I ask or direct the team member to do anything - I just wanted to see what might be possible just by being slightly clueless, nice and presentable.
I said first that I was pretty sure my credentials were right. The team member suggested it might be good to try logging in again and see what error I received. At this point she opened a business banking login page, and moved out from behind the terminal. I could now see it was a Windows ‘xxx’ machine, with several apps open, some minimised, and multiple browser tabs open. I tried my credentials and got the same error as the previous night, but also an additional error that said I needed the USB key.
I said it says that I needed the USB to log in - I always had in the past so no surprise there. I also said that I was pretty certain it was working – it seemed to be OK but you know, I'm no expert, so maybe we should just order the token thingy and see how we go? The team member said that it would be a good idea to check the key first, took it from me, and plugged it in to the terminal.
So I had walked in off the street, told a story about chatting to the help-desk last night and being told to come in to a branch; the next thing I knew, someone had not only given me access to their logged in terminal complete with open applications and browser sessions, but had then plugged a USB key into it that had a bank logo on it. At the business banking service desk. And they had asked my permission to do it.
Thankfully at this point, a ‘hardware installation’ warning message came up, so it was good to know there was a hardware policy out there somewhere on the job. That said, it was powered up and plugged in. Literally at the same time, another customer wandered up to the business kiosk.
Here’s where it got interesting: the team member excused themselves ‘for a moment’, turned to the customer, took a few steps away from the kiosk and started chatting. I was left unaccompanied and unobserved at the terminal, logged in as a bank employee, apps and browser open, with a USB key I had supplied plugged into the terminal.
At that point, I took a step back from the terminal, crossed my arms and waited.
A couple of minutes later the team member came back. I said that I thought it was definitely a new token needed and we ordered one. We won’t go into how it was ordered on the phone, but I would also have been able to obtain an employee name (business card on the desk), matching employee number and employee authorising code were I so inclined.
All sorted – token ordered! I thanked the team member and turned to leave. I took a few steps then turned back and said “oh – I think I've left my USB key here”. Yep – I was about to be allowed to walk out and leave it, still plugged into the terminal.
It doesn't matter how inscrutable your security stance or platforms or systems or protocols are: people are a critical weak spot, and most don't even know it.
See you on the swings!