Comment On Security by Letterhead

Security through obscurity is something we've all probably complained about. We've covered security by insanity and security by oblivity. And today, joining their ranks, we have security by letterhead.

Re: Security by Letterhead

2007-10-25 14:32 • by Doug#1
Do we give them at least an A for effort?

Re: Security by Letterhead

2007-10-25 14:36 • by Thomas (unregistered)
Same for phone companies.
You need to submit some personal data of the owner or the one that made that was registered to be able to make changes.
If you have the personal data, but are not one of those persons, you can't request a cancellation of the service.
But then, if you call them and tell them you're the one in charge, pass the data, you get to cancel it.
As if they could check by voice recognition system or see through the phone if you are the one you say you are.
Really silly this kind of stuff....

Re: Security by Letterhead

2007-10-25 14:40 • by Pap
TRWTF is that they're using fax machines.

Wasn't there a similar submission involving letterheads sent in a long time ago?

Edit: Turns out I was the one who submitted it :)
http://worsethanfailure.com/Comments/The_Fully_Automated_Manual_System.aspx#92779

Re: Security by Letterhead

2007-10-25 14:41 • by SomeCoder (unregistered)
*sigh*

How many security WTFs are we going to see?

This isn't a complaint about security WTF stories but rather exasperation that people are so stupid when it comes to security. Why, God, why????

Keep em coming Alex. The best medicine for these people is ridicule.

Re: Security by Letterhead

2007-10-25 14:46 • by Franz Kafka (unregistered)
158709 in reply to 158708
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?

Re: Security by Letterhead

2007-10-25 14:57 • by Ken (unregistered)
158710 in reply to 158709
Franz Kafka:

how much stupid is there in the world?


Don't ask questions that you don't want answered.

Re: Security by Letterhead

2007-10-25 14:58 • by diaphanein (unregistered)
158711 in reply to 158709
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?
More than you can shake a fist at...

Re: Security by Letterhead

2007-10-25 15:01 • by BL (unregistered)
158712 in reply to 158709
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?


That's a koan to meditate on, but I suspect that it may not be constant...

Re: Security by Letterhead

2007-10-25 15:09 • by FireJayPa (unregistered)
158713 in reply to 158709
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?


More than enough .... I blame public shcools and parents that don't hit their kids

Re: Security by Letterhead

2007-10-25 15:11 • by null reference (unregistered)
I had to do this exact same thing to purchase an ssl cert from GeoTrust ...

Re: Security by Letterhead

2007-10-25 15:13 • by JD (unregistered)
158715 in reply to 158709
The stupidity rate, much like the death rate, has remained constant at 100% for as long as it has been recorded.

Re: Security by Letterhead

2007-10-25 15:18 • by jas88 (unregistered)
158716 in reply to 158705
A student in my department used to work on a telephone helpline, and told me about one call he had wanting to update the details on file for a woman named Linda. Since the caller had an extremely deep, gravelly voice, he said "I'm sorry, Linda will have to call in person to make this change". When the reply came back "this IS Linda", he thought for a moment and went ahead - since it wasn't a bank or anything secure, there was no authentication anyway.

Hm - I wonder if simultaneously domain-jacking Microsoft, Amazon, Ebay and Google would be enough to make these clowns re-think the "letterhead as authentication" policy? Maybe if google.com etc all redirected to this page, they'd get the hint. Or the perpetrator would get free accommodation for life in Gitmo for "cyberterrorism"...

Captcha: Darwin. Somehow, this seems appropriate.

Re: Security by Letterhead

2007-10-25 15:19 • by PeriSoft
158717 in reply to 158715
JD:
The stupidity rate, much like the death rate, has remained constant at 100% for as long as it has been recorded.


That's a pretty stupid thing to say...

Re: Security by Letterhead

2007-10-25 15:22 • by Michael (unregistered)
158718 in reply to 158711
diaphanein:
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?
More than you can shake a fist at...
I think we should put that theory to a test.

Re: Security by Letterhead

2007-10-25 15:24 • by Zylon
158720 in reply to 158713
FireJayPa:
Franz Kafka:
how much stupid is there in the world?

More than enough .... I blame public shcools and parents that don't hit their kids

Oh, sweet irony.

Re: Security by Letterhead

2007-10-25 15:28 • by halber_mensch (unregistered)
158721 in reply to 158713
FireJayPa:
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?


More than enough .... I blame public shcools and parents that don't hit their kids


It appears your private tutelage and parental abuse still were not able to correct your spelling.

Re: Security by Letterhead

2007-10-25 15:35 • by Cyberwizzard (unregistered)
Awesome - this stuff is priceless: I had a similar situation once... Even though mine actually involved getting some HTML from a browser and saving some images to disk...

Captcha: sanitarium - I think those people need one.. .:P

Re: Security by Letterhead

2007-10-25 15:39 • by FireJayPa (unregistered)
158724 in reply to 158720
Zylon:
FireJayPa:
Franz Kafka:
how much stupid is there in the world?

More than enough .... I blame public shcools and parents that don't hit their kids

Oh, sweet irony.


I went to public school
My parents never hit me

I'm quite the idiot.

Just sayin

Re: Security by Letterhead

2007-10-25 15:41 • by matt (unregistered)
I don't know about in the US, but in Australia and the UK many places require an official company letter to do a domain transfer. And the law in the UK and in Au defines an official company letter as one printed with company letterhead, with strict rules as to what constitutes a company letterhead (e.g. business registration number, names of directors, etc.).

So this isn't an issue of security, it's really an issue of legality.

Maybe a WTF in the US, but almost certainly not in Europe and Australia.

Re: Security by Letterhead

2007-10-25 15:47 • by fsdqdsfqsdfqsdfqsdfqsdf (unregistered)
158726 in reply to 158725
matt:
I don't know about in the US, but in Australia and the UK many places require an official company letter to do a domain transfer. And the law in the UK and in Au defines an official company letter as one printed with company letterhead, with strict rules as to what constitutes a company letterhead (e.g. business registration number, names of directors, etc.).

So this isn't an issue of security, it's really an issue of legality.

Maybe a WTF in the US, but almost certainly not in Europe and Australia.


Allow me to point out that the UK is NOT Europe. It's ONLY ONE member of Europe.

A domain transfer in Belgium only requires you to click one or two buttons.

Applying your same logic: this certainly is a WTF in Europe.

Re: Security by Letterhead

2007-10-25 15:48 • by ParkinT
The signature line on my work email is:

Two things are infinite: the universe and human stupidity, even though I'm not yet sure about the universe.
- A. Einstein

Re: Security by Letterhead

2007-10-25 15:48 • by $|i(3_x (unregistered)
Reminds me of an antivirus vendor I used to deal with...

Them: Thanks for calling Acme AV. My name is Billy, how may I help you?
Me: Hello I'm calling on behalf of my client, Bob Smith, to have his Enterprise AV license transferred to a different server.
Them: I'm sorry, only Mr. Smith can authorize that.
Me: I just told you I'm calling on his behalf. He's out golfing today.
Them: I'm sorry, our polic</click>

Me: <dials/>
Them: Thanks for calling Acme AV. My name is Suzie, how may I help you?
Me: Hi, my name is Bob Smith...

Re: Security by Letterhead

2007-10-25 15:50 • by Doug#1
158729 in reply to 158721
halber_mensch:


It appears your private tutelage and parental abuse still were not able to correct your spelling.



grammar police are back!!

Re: Security by Letterhead

2007-10-25 15:53 • by Lanth (unregistered)
158730 in reply to 158709
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?

Wait: do we measure it in football stadiums, or libraries of congress?

Re: Security by Letterhead

2007-10-25 15:55 • by Bob Kaufman (unregistered)
Eh, not so much a WTF. Requiring that serious communication come down on company letterhead was *the* means of identifying you as a bona fide representative of the company back in the 70's and 80's. It's kind of like when Wal-Mart won't accept a personal check if the check number is under 500. Quaint and anachronistic.

Re: Security by Letterhead

2007-10-25 16:06 • by cparker
158732 in reply to 158730
Lanth:
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?

Wait: do we measure it in football stadiums, or libraries of congress?

Planets.

Re: Security by Letterhead

2007-10-25 16:10 • by OldPeter (unregistered)
When I read all this about company-style faxes, faked or not, I get the strong feeling, that a Wooden Table should also become part of the game in some way or other.

Re: Security by Letterhead

2007-10-25 16:13 • by Justin (unregistered)
FireJayPa :
My parents never hit me

I'm quite the idiot.

That's why. READING HARD!!

Re: Security by Letterhead

2007-10-25 16:15 • by Nick (unregistered)
Reminds me of a quote from the movie Analyze This:

Vitti: Is he any good?

Jelly: Yeah, he seemed like a smart guy. He had a business card and everything.

Vitti: He had a card? That's a real f*ckin' achievement.

Re: Security by Letterhead

2007-10-25 16:16 • by Fuji (unregistered)
Requiring company letterhead isn't really a WTF. Do a Google search on "Company letterhead" and "forgery" and you'll see that while it doesn't prevent someone from sending in false information, it really increases the penalties.

Re: Security by Letterhead

2007-10-25 16:18 • by pitchingchris
I know this is off topic, but can anybody remember the post that had the link to women with nice asses (It was some middle aged women riding donkeys) ? I told somebody at work about it and they wanted to see

Re: Security by Letterhead

2007-10-25 16:23 • by Frost (unregistered)
158738 in reply to 158728
$|i(3_x:
Reminds me of an antivirus vendor I used to deal with...

Them: Thanks for calling Acme AV. My name is Billy, how may I help you?
Me: Hello I'm calling on behalf of my client, Bob Smith, to have his Enterprise AV license transferred to a different server.
Them: I'm sorry, only Mr. Smith can authorize that.
Me: I just told you I'm calling on his behalf. He's out golfing today.
Them: I'm sorry, our polic</click>

Me: <dials/>
Them: Thanks for calling Acme AV. My name is Suzie, how may I help you?
Me: Hi, my name is Bob Smith...


I am the backup for the DBA where I work. When he's on vacation, I do tape rotations (we actually have offsite backup!). His instructions when I need to retrieve old tapes (for example, to recycle them for next month) are "call the storage place, tell them you're me, give them the security code, and say you need whichever tapes back." I needed this once, and sure enough, what I was afraid of happened: after giving all the info, the woman on the other line said I didn't sound like who I claimed to be. Crap. Well, at least I know they take their jobs seriously.

Re: Security by Letterhead

2007-10-25 16:26 • by Cope with IT (unregistered)
158739 in reply to 158725
matt:
I don't know about in the US, but in Australia and the UK many places require an official company letter to do a domain transfer. And the law in the UK and in Au defines an official company letter as one printed with company letterhead, with strict rules as to what constitutes a company letterhead (e.g. business registration number, names of directors, etc.).

So this isn't an issue of security, it's really an issue of legality.

Maybe a WTF in the US, but almost certainly not in Europe and Australia.
That would prevent private persons to initiate a domain transfer. It would? Wouldn't it?
And being self-employed (and not calling myself director) I'd also be pretty much out of luck...

Re: Security by Letterhead

2007-10-25 16:33 • by Julian (unregistered)
158740 in reply to 158725
matt:
Maybe a WTF in the US, but almost certainly not in Europe and Australia.


Yep, it is still a WTF in Aussie. A little company letterhead goes a long way. I did exactly this in Australia to transfer the ownership of domains for companies we'd bought - small companies with no extant letterhead, so copy & paste their web site logo and away you go. In particular, it's the only effective way of dealing with NetRegistry - who are a giant steaming WTF all by themselves.

Re: Security by Letterhead

2007-10-25 16:35 • by Stinky McPooty (unregistered)
158741 in reply to 158709
Franz Kafka:
SomeCoder:
*sigh*

How many security WTFs are we going to see?


how much stupid is there in the world?


So far - looks like about a full page or so.

CAPTCHA = dubya (need I say more)?

Re: Security by Letterhead

2007-10-25 16:50 • by Joe (unregistered)
I did the same thing once to cancel the account. I had to do it on the account owner's behalf. So before I called the company I asked him for the information that I knew they'd ask for for verification. Oh, it wasn't a him, it was a woman. All the funnier.

So the whole time I'm going through the process of cancellation claiming I'm Suzy Smith the guy keeps asking me to prove it with his questions and I had all the answers. It was funny as hell because he kept sounding like he thought I'd trip up at some point but I had my bases covered. It was amusing to say the least. In the end, I got the account cancelled and all was well.

Re: Security by Letterhead

2007-10-25 16:56 • by vt_mruhlin
Ah yes, reminds me of trying to get approved for a car loan after graduating from college.
"We need to see a phone bill to prove your address."
"Erm, I don't have a landline, and just moved into the apartment this month, so I don't have a cell phone bill yet showing the current address.... But I do have electricity and cable TV bills, as well as a copy of my apartment lease with me."
"No, it has to be a phone bill."
OK, I go to Verizon's website, print out the latest bill and bring it back to them. "See, it has my current address."
"Oh, but this doesn't 'say Verizon' on it. It was printed with your computer's printer. How do we know it's authentic?"
"Well, I've signed up for paperless billing, so you're not going to get anything that wasn't printed on my inkjet..."
Had to get the phone company people on a three way call with the bank to finally verify that was my correct address.

Re: Security by Letterhead

2007-10-25 17:08 • by Kinglink (unregistered)
158745 in reply to 158709
Franz Kafka:
how much stupid is there in the world?


Just remember sites like this are biased. Even in America the amount of people who use a real computer on a daily basis is probably around 60 percent.

Then realize that we're one of the most industrialized nations. Imagine if everyone in Africa had a computer.

Believe me, there's a lot more stupid out there. A lot! And who knows maybe they'll soon be on our "interwebs"

Re: Security by Letterhead

2007-10-25 17:14 • by Anthony (unregistered)
158746 in reply to 158744
vt_mruhlin:
Ah yes, reminds me of trying to get approved for a car loan after graduating from college.
"We need to see a phone bill to prove your address."
"Erm, I don't have a landline, and just moved into the apartment this month, so I don't have a cell phone bill yet showing the current address.... But I do have electricity and cable TV bills, as well as a copy of my apartment lease with me."
"No, it has to be a phone bill."
OK, I go to Verizon's website, print out the latest bill and bring it back to them. "See, it has my current address."
"Oh, but this doesn't 'say Verizon' on it. It was printed with your computer's printer. How do we know it's authentic?"
"Well, I've signed up for paperless billing, so you're not going to get anything that wasn't printed on my inkjet..."
Had to get the phone company people on a three way call with the bank to finally verify that was my correct address.


A lot of existing systems have problems with the younger generation. I have the problem all the time. What's your home phone number.... umm I don't have one and I'm damn sure not giving you my cell phone number... The systems are old and it's going to take them a while to catch up. The good news is they want our business so they will adapt after they lose a few sales.

Re: Security by Letterhead

2007-10-25 17:31 • by Daiko Katana (unregistered)
158749 in reply to 158746
Anthony:
vt_mruhlin:
Ah yes, reminds me of trying to get approved for a car loan after graduating from college.
"We need to see a phone bill to prove your address."
"Erm, I don't have a landline, and just moved into the apartment this month, so I don't have a cell phone bill yet showing the current address.... But I do have electricity and cable TV bills, as well as a copy of my apartment lease with me."
"No, it has to be a phone bill."
OK, I go to Verizon's website, print out the latest bill and bring it back to them. "See, it has my current address."
"Oh, but this doesn't 'say Verizon' on it. It was printed with your computer's printer. How do we know it's authentic?"
"Well, I've signed up for paperless billing, so you're not going to get anything that wasn't printed on my inkjet..."
Had to get the phone company people on a three way call with the bank to finally verify that was my correct address.


A lot of existing systems have problems with the younger generation. I have the problem all the time. What's your home phone number.... umm I don't have one and I'm damn sure not giving you my cell phone number... The systems are old and it's going to take them a while to catch up. The good news is they want our business so they will adapt after they lose a few sales.


Try explaining to some of those systems that you don't have a landline AND you don't have a cellphone. I don't have a landline, because I only sleep at my house. Also, I don't have a cellphone because a) I hate the things and b) I'm connected 99.9% of the day (I'd make a great ISP).

For some reason or other, they always want to talk to you. Email won't do. Lousy system(s).

Re: Security by Letterhead

2007-10-25 17:34 • by The Database Elf (unregistered)
This is a legal dodge. If you've really got a letterhead and someone maliciously submits a fake letterhead then the ISP is covered.

I've had to create a letterhead for a company that was in this situation. The boss and I both thought it was stupid and insecure.

Re: Security by Letterhead

2007-10-25 17:46 • by Marcel (unregistered)
158751 in reply to 158750
The Database Elf:
This is a legal dodge. If you've really got a letterhead and someone maliciously submits a fake letterhead then the ISP is covered.


True, and it increases the penalty on it from something along the lines of "Minor act of malicious intent" to "forgery of official documents"

(Note: I'm not a lawyer, nor am I British. This is how it works over here.)

Re: Security by Letterhead

2007-10-25 17:56 • by d. t. north (unregistered)
158752 in reply to 158715
JD:
The stupidity rate, much like the death rate, has remained constant at 100% for as long as it has been recorded.


That would include you, then.

Re: Security by Letterhead

2007-10-25 17:58 • by FredSaw
158753 in reply to 158730
Lanth:
Wait: do we measure it in football stadiums, or libraries of congress?
If we associate it with holes in the head, maybe we can use the Albert Hall.

Re: Security by Letterhead

2007-10-25 17:58 • by Digitalbath
158754 in reply to 158731
Bob Kaufman:
Eh, not so much a WTF. Requiring that serious communication come down on company letterhead was *the* means of identifying you as a bona fide representative of the company back in the 70's and 80's. It's kind of like when Wal-Mart won't accept a personal check if the check number is under 500. Quaint and anachronistic.


When I opened up a checking account about 2 years ago, we got to the part where I placed my order for checks. The lady at the bank pretty much made me start my check numbers at 1000 to avoid this problem. I thought it was pretty funny, but I guess she had dealt with it before and knew what she was talking about.

Re: Security by Letterhead

2007-10-25 18:01 • by FredSaw
158755 in reply to 158754
Digitalbath:
Bob Kaufman:
Eh, not so much a WTF. Requiring that serious communication come down on company letterhead was *the* means of identifying you as a bona fide representative of the company back in the 70's and 80's. It's kind of like when Wal-Mart won't accept a personal check if the check number is under 500. Quaint and anachronistic.


When I opened up a checking account about 2 years ago, we got to the part where I placed my order for checks. The lady at the bank pretty much made me start my check numbers at 1000 to avoid this problem. I thought it was pretty funny, but I guess she had dealt with it before and knew what she was talking about.
You guys still write checks? Bet you've got a typewriter, too.

Re: Security by Letterhead

2007-10-25 18:03 • by Vlad Patryshev (unregistered)
If you ever lived in Russia... it was always like this. I had a stack of stamped letterhead paper, on which I wrote all kinds of requests. The most frequent one was to the customs, to let me "export" a cd with the software. Of course a private person has no right to take any piece of software out of the country. The fact that I could as well zip it and send it with my email meant nothing (and connections were slow those days).

Re: Security by Letterhead

2007-10-25 18:06 • by BitTwiddler (unregistered)
158757 in reply to 158715
JD:
The stupidity rate, much like the death rate, has remained constant at 100% for as long as it has been recorded.

Actually it's not the stupidity that's constant, it's the sum total of mankind's intelligence that's constant. Unfortunately, the population is growing, so the members of each generation have fewer brain cells than their parents.

Re: Security by Letterhead

2007-10-25 18:08 • by James (unregistered)
158758 in reply to 158707
Pap:
TRWTF is that they're using fax machines.


You don't see it mentioned in the write-up, but they also allow you to print it out on company letterhead, take a picture of that on a wooden table, and email the photo in. They're very much into this whole "technology" thing.

Re: Security by Letterhead

2007-10-25 18:32 • by Grant D. Noir (unregistered)
158760 in reply to 158729
Doug#1:
halber_mensch:


It appears your private tutelage and parental abuse still were not able to correct your spelling.



grammar police are back!!


When did they leave?