Dale "Woody" Wooden illustrates security concepts through stories. His past posts discussed how attackers mine employees' social media accounts for information and how social media can be used against you. This story is about companies asking for way too much information about your business.
Would you give up all your itemized bank statements to a third party? Hand over information about everything you spend your money on and what you do with what your company buys? Imagine a company having enough information to be able to reverse engineer and track what your company is working on. Think it could never happen? Read on.
I recently started a training and consulting business. Until recently, my clients paid with a check. Then one of my government clients needed to pay with a credit card. It was time to obtain a...let's call it a Polygon (the real name isn't relevant to this story)...so that I could process card payments. I was a bit hesitant, but the majority of my work is done while I am traveling, so obtaining a Polygon seemed necessary. And so began my journey...
The choice seemed obvious since Polygon (I don't want to name the company because it isn't the only company doing this) dominated the market. The process seemed fairly simple. I emailed the service, registered for an account, and got the device in the mail. After linking the device to the account, we processed a $1.00 transaction to ensure everything was set up correctly.
I was a little troubled that the only way to get a human being on the phone while setting up the account was to send an email, receive a "secret code" over email, and then dial a phone number with the secret code. Nevertheless, I completed setup and received confirmation that everything was ready to go. I warned the company beforehand that transactions would be large (rough dollar amounts) and got the go-ahead to process our first payment.
As a new company in the technology space, we do not always have a huge surplus. The fact that Polygon appeared to have quick payment turnaround was one of the reasons I chose Polygon. The length of time it takes to actually get paid would affect how quickly we can schedule the next course. We purchase equipment and research material before the course. We have other expenses such as hotels and travel.
On the day I wanted to accept my first payment, I made a second $1.00 transaction to ensure Polygon was still working. I even called to make sure it was all ready. I completed the course and swiped the card. The client's card was accepted, and the money was taken from my government client. The money should have hit my account within the next 24 to 48 hours. Should have. The next step left me speechless.
Almost immediately, I received an email informing me the funds were not coming to my account until I provided more documents to verify there wasn't any fraudulent activity. Polygon wanted my last three bank statements. When I tried to contact Polygon by phone, I learned I needed to email and get another secret code, as I'd already used the code previously sent to me. Once I finally got an agent on the line, I was told the funds were in my Polygon account, but I needed to provide information about my business before I could touch it.
The agent wanted a detailed description of my clients and what I teach, along with a detailed curriculum outline. I teach corporations, law enforcement authorities, and members of the military. There was no way I was giving out detailed information about my clients. My courses are proprietary, and not something I was going to share...for free.
Since I wasn't going to give details about my client list or specifics about my courses, I offered to provide a monthly summary showing total deposits and expenditures. Polygon refused to accept this and asked for line-by-line transactions for my bank account. Line-by-line transactions. Detailed description of clients and courses. All valuable to me.
"What if I don't share all that?" I asked.
The Polygon agent's answer baffled me, as she said I would not be able to get the money out of the account. Remember, this money was from a government entity, not a private individual.
I asked for a supervisor, but apparently Polygon doesn't allow customers to talk directly to supervisors. I could either send an email, and the agents would decide whether or not to escalate the query up to supervisors, or suck it up. When I asked why it was so difficult to talk to someone directly, the agent said the company preferred to use social media to do business.
Yes, social media! You know I hesitate to discuss anything remotely private on social media, let alone the ins and outs of my business. I talk about cybersecurity. I'd fallen into the wood chipper of irony.
I was willing to compromise but Polygon's offer didn't make sense. The company promised to review whatever I sent and decide whether I would receive the full amount the client had paid. I had already delivered the product—my course. It would be Polygon's decision if—and when—the funds would be released. I also did not know who makes that decision, and how.
We spent hours trying to get a real person on the line to figure this out. The last person I spoke with said I could have Polygon return the money to the customer and I could find another way to get paid if I didn't want to wait for Polygon to review the account. I asked how long it would take to return the money, and was told it could take weeks.
We were at an impasse. I emailed multiple times but never received any responses other than auto-replies. Since the company had the upper hand, we finally submitted our bank statements and a rough overview of the training classes. We didn't submit a client list or details about the course materials. I also told the company I planned to write this article and would give them a chance to comment. No response.
The company ultimately released the funds. One of the agents I spoke with during this whole ordeal warned this could happen again anytime. As soon as I had the money, I cancelled my Polygon account.
Why is this story so troubling?
Let's look at what the company wanted: the detailed client list and information about my product. First of all, my client list is another company's potential client list. Competitors may not even be aware that a specific company was purchasing a particular product. That information is valuable to other companies. I am not implying Polygon uses the information it asks for (remember I said the company name is not relevant). I am just saying the information can be used this way.
Secondly, attackers—criminals, hackers, and terrorists—can combine the client list with information about the product as part of their reconnaissance activities. Say Company X pays Company Y for a weeks-long course on new security software for SCADA systems. Perhaps Company Y has to fly to a specific city to run the training. Attackers can learn a lot about a company or government entity's employees, the equipment being used, and what software is running.
Finally, detailed line-by-line bank statements can show what types of books and materials are being used as well as travel history. Someone looking at this information can look for patterns to figure out the company's plans, such as a potential merger discussion or expansion. It would be easy to figure out what kind of training the company's employees are receiving.
No Fortune 500 company would ever release this level of detail to a third party without demanding an NDA. They also would not tolerate being held hostage by the other company and being forced to hand this information over.
The amount of information which can be mined is astounding. The most alarming part for me was the fact that none of the people I spoke with knew how the information—valuable pieces of information—would be stored or who would have access.
Our story has an ending. We now use our company bank to process credit card payments, which has no problem with large transactions. We just call ahead and let them know it's coming. And we can call whenever we want!
Please be aware that information, in the wrong hands, can be used as a weapon.