Blockbuster Video cards, rude waiters, and e-commerce web sites
My friend John recently sold his trendy East Side apartment overlooking Manhattan, and moved into a small apartment near me until he moves to France. As is typical of many small apartments, there are two locked doors to get through before you are in the hallway of the building.
As it happens, the building doors swing in, and they use cheap locks on the doors, and, while they did mount angle-irons, they didn’t quite understand their function, and mounted them on the door, not the jamb. This means that, using my Blockbuster Video card, I can not only get the most current videos, but I can also ‘loid John’s door and get into his apartment building faster than when I use the set of emergency “help: I’m locked out” keys he prudently gave me.
Does the fact that virtually anyone interested in being able to rent videos has access to his building make it less safe? In theory, yes. In practice, most casual burglars merely note the two locked doors and the angle iron, and, in fact, there have been no robberies. Thus, justified or not, most residents have some feeling that security is adequate in the building. Does the building face potential liability for failing to exercise due diligence in protecting the building? Probably.
Much along the same lines, I heard a story about someone in the alarm business going to lunch with his foreman, and getting bad service from the waiter. He complained to the waiter, who didn’t care, and then to the manager, who also didn’t care. On the way out, he noticed the keypad of the alarm system. Assuming, correctly as it turned out, that whoever installed the keypad probably left all the factory default passwords in place (something we never do!), he had his foreman distract everyone with a slight commotion, and quickly reprogrammed the system to reduce the arm-time from 1 minute to 5 seconds. This meant that the manager would not be able to arm the alarm and exit, but would set the alarm off, and would have the choice of either leaving the restaurant unprotected or waiting several hours until someone from the company showed up to reprogram the system.
Putting aside the fact that this trick was mean-spirited and unprofessional, the truth is that on many site surveys we have done, we have found there to be default passwords left in place. Which means that any knowledgeable alarm profession would be able to break in, turn off the alarm, rob the place, and turn the alarm system back on.
Does the fact that virtually any alarm professional has access to a wide variety of protected buildings make them less safe? In theory, yes. In practice, most alarm installers are honest, and, in fact, rarely commit robberies. Thus, justified or not, most people and businesses protected by alarm systems have some feeling that security is adequate. Do those responsible for the alarm system installation — and possibly the facility owners — face potential liability for failing to exercise due diligence in changing the default codes? Probably.
Along much the same line, part of what The LUBRINCO Group does includes security audits of web sites. Many people with web sites that deal with sales and customer data make some effort to secure the site. However, the prime rule of data processing is “Never time to do it right. Always time to do it over,” and security is generally very much a second thought.
Because of this, and because of the confidence in the security measures taken, few shops go to the seemingly-needless expense of installing software which pre-checks requests before the web site acts on them. Why bother, after all: The web site security is designed to handle these issues.
The people we use to check the sites do so using an ordinary browser with ordinary access via an ordinary internet connection. They do not come in as systems users, nor do they use any of the sophisticated tools of the hacker and cracker community. As a rule of thumb, in a secure web site we expect them to be able to order any product sold at a substantial discount, get all the user data they want, and to transfer funds freely from one account to another.
How successful are they? So far their success rate is 100%, and if you think that your web site is actually secure, you might consider bringing us in to test it. On the one hand, we’d love to finally find a secure site. On the other hand, you might be in for a very rude surprise; one which will induce you to ask us to recommend software to protect your site.
Does the fact that many sites offer virtually unlimited online access to sensitive transactions make them less safe? In theory, yes. In practice, most users are honest, and, in fact, rarely steal from web sites. Thus, justified or not, most people and businesses running e-commerce web sites have some feeling that security is adequate. Do the companies running these sites face potential liability for failing to exercise due diligence in protecting customer data and transactions? Probably.
