Top tier support
Posted by Thulak@reddit | talesfromtechsupport | 10 comments
In this story I wasn't tech support, but rather the supported.
Back during the corona times I worked in a PCR lab. My job was to evaluate the lab results, assign positive / negative / unclear, and send the results to patients. We did roughly 80.000 samples a day and I had access to all of that data. The reason this information is important is as follows:
After having to change my password, a classic Layer 8 error occurred on the next day and I couldn't log on anymore. So as you do, I called our helpdesk... from my private phone, since the mobile from my office had been stolen days earlier. The guy from helpdesk (who was in another country) asked me for my 4 digit ID (which was printed on our ID badges) and decided that was enough to reset my password and quite literally spell it out to me over the phone. Bless him for this much trust, but had I been anyone that picked up a lost badge, I could have logged into our systems and wreaked havoc.
The company was pretty bad with security in all aspects. We had a reporter just walk in through the front door and browse an unlocked laptop as well. It was a weird time.
TL;DR: Make sure you give login information to people that should have access to it.
glenmarshall@reddit
If you are in the US, simply blow the whistle. Call up the federal Health & Human Services Office of Civil Rights (OCR), which is where HIPAA violations are reported. Your employer will get into deep trouble.
Thulak@reddit (OP)
Not US. Honestly that company had so much shit stuck to them already it hardly mattered anymore. Like that one time when they hired 200 workers from another company that were trafficked from Ukraine, held in prison-like conditions like slaves and, as it later turned out, weren't registered as workers, resulting in millions in tax fraud. Or that other time a few months later when it happened again.
LupercaniusAB@reddit
They are not in the US. “80.000” is a European notation, we use “80,000”. It might be other regions as well, but I know it from Germany.
Ahielia@reddit
Hardly "top tier", this is shit tier support for not authenticating properly.
Frekavichk@reddit
Are you sure they didn't give you a temporary password and force a change on next login? I do that sometimes if someone just can't grasp the online tool we have.
Taulath_Jaeger@reddit
Irrelevant. They gave access (whether temporary or not) to someone they did not properly authenticate. This would be somewhat understandable in an environment small enough for the support guy to recognise the caller's voice and just ask for the ID as a second identifier, but this was a (probably) 3rd party support agent in another country. That temporary access would be all that's needed to exfiltrate a ton of extremely sensitive data.
Frekavichk@reddit
Oh yeah, I see, I glazed over that part. What would be the other way of verifying the person? If you are locked out of your account, the only thing I could think of would be to force a password reset link to a registered external email.
Naturage@reddit
In our company, if you lock yourself out of enough things, the next step would be to use a vouch of someone you work with - most likely, the line manager - or get into the office in person.
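The two comments above sketch the verification options a helpdesk has for a locked-out caller: a one-time reset token sent to a registered external e-mail, a vouch from the line manager, or showing up in person. The following is an added example, not code from any poster or company in this thread, of how a reset policy can encode that rule so that a badge ID is only ever a lookup key and never the authenticating factor. The directory records, user ids, badge numbers and e-mail addresses are all constructed placeholders.

```python
"""Helpdesk password-reset authorization policy (added illustrative example).

Rule modelled: a reset may only be issued once the caller has been verified
through a channel bound to the account (a one-time token delivered to the
registered external e-mail, or a vouch by the manager of record). A badge ID
alone, which anyone holding a lost badge can read, is never sufficient.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # e-mail reset token lifetime
VOUCH_TTL_SECONDS = 60 * 60   # how long a manager vouch stays usable

# Constructed directory (assumption): user id -> record. A real deployment
# would query HR / the identity provider for the manager of record.
DIRECTORY = {
    "u1001": {"badge_id": "4821", "external_email": "alice@example.invalid", "manager": "u2002"},
    "u2002": {"badge_id": "1190", "external_email": "bob@example.invalid", "manager": "u3003"},
}


@dataclass
class EmailToken:
    user_id: str
    digest: str        # sha256 of the secret; only the hash is stored server-side
    issued_at: float


@dataclass
class Vouch:
    user_id: str       # the locked-out user
    voucher_id: str    # who is vouching
    issued_at: float


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, **event):
        self.events.append(event)


def issue_email_token(user_id, now=None):
    """Return (secret, token). The secret is sent out of band to the user's
    registered external e-mail; the helpdesk never sees or reads it out."""
    secret = secrets.token_urlsafe(24)
    digest = hashlib.sha256(secret.encode()).hexdigest()
    issued = now if now is not None else time.time()
    return secret, EmailToken(user_id, digest, issued)


def token_is_valid(token, presented_secret, user_id, now):
    """Token must belong to this user, be unexpired, and match in constant time."""
    if token.user_id != user_id or now - token.issued_at > TOKEN_TTL_SECONDS:
        return False
    presented = hashlib.sha256(presented_secret.encode()).hexdigest()
    return hmac.compare_digest(token.digest, presented)


def vouch_is_valid(vouch, user_id, now):
    """Only the manager of record (per the directory) may vouch, and only recently."""
    record = DIRECTORY.get(user_id)
    return (record is not None
            and vouch.user_id == user_id
            and vouch.voucher_id == record["manager"]
            and now - vouch.issued_at <= VOUCH_TTL_SECONDS)


def authorize_reset(user_id, badge_id, *, email_token=None, presented_secret=None,
                    vouch=None, audit=None, now=None):
    """Decide whether the helpdesk may issue a reset. Returns (allowed, reason)."""
    now = now if now is not None else time.time()
    audit = audit if audit is not None else AuditLog()
    record = DIRECTORY.get(user_id)
    if record is None or record["badge_id"] != badge_id:
        reason = "unknown user or badge mismatch"
    elif (email_token is not None and presented_secret is not None
          and token_is_valid(email_token, presented_secret, user_id, now)):
        reason = "verified via registered external e-mail token"
    elif vouch is not None and vouch_is_valid(vouch, user_id, now):
        reason = "verified via manager vouch"
    else:
        # The badge ID matched, but it is public to anyone holding the badge.
        reason = "badge ID alone is not sufficient; use e-mail token, manager vouch, or in person"
    allowed = reason.startswith("verified")
    audit.record(user=user_id, allowed=allowed, reason=reason, at=now)
    return allowed, reason


def issue_temporary_credential(user_id, allowed):
    """Only after authorize_reset passed: random temporary password that must be
    changed at first login, returned for delivery over the verified channel."""
    if not allowed:
        raise PermissionError("reset not authorized for %s" % user_id)
    return {"user_id": user_id, "temp_password": secrets.token_urlsafe(12),
            "must_change_on_login": True}


if __name__ == "__main__":
    secret, tok = issue_email_token("u1001", now=1000.0)
    print(authorize_reset("u1001", "4821", now=1100.0))                      # badge only: denied
    print(authorize_reset("u1001", "4821", email_token=tok,
                          presented_secret=secret, now=1100.0))              # token: allowed
```

The point of the structure is that `authorize_reset` can succeed only through a factor the caller cannot obtain from a lost badge: possession of the registered mailbox, or a vouch that the directory can tie to the actual manager. Every decision, including denials, lands in the audit log so a pattern of badge-only reset attempts is visible.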
AndiArbyte@reddit
You never used your private mobile to open a ticket?
Supporter didn't tell your boss about it?
A little critical indeed.
beerbellybegone@reddit
If that happened where I work, heads would have rolled, but not necessarily the right heads