I confess: I am not cool enough to have a smart phone. My mobile phone is not smart at all. It’s a touch-screen LG model with a slide-out keyboard, and I can use it for calls, text messaging and very limited web browsing.
But as not-smart as it is, it may be smarter than the provider I use, Virgin Mobile. I say this because this morning I received a text message alerting me that my secret security question has expired. It directed me to go to the Virgin Mobile website and update it … and then helpfully provided my secret personal identification number.
Get that? The verbatim text is, “Your Secret Question has expired. Please update it at virginmobileusa.com with acct PIN …” and then my actual PIN, right there in plain view.
Was it a phishing attempt? Unlikely, for two reasons. First, the site MyCallBot.com verifies that the number it came from is one Virgin uses. Second, whoever sent it already has my phone number and PIN. They don’t need to phish for anything else.
Now as it happened, I had my phone with me and saw the message. But what if I had lost it, or it had been stolen? If that had happened, Virgin would have just handed a stranger the key to unlock my account.
And why? Virgin’s customers should keep up with their PINs and not need the company to provide them, especially not without some security measures to ensure the person getting the message is the one authorized to access the account. That the company would do that at all is surprising; that they would do it on their own initiative, without the customer requesting it, is mind-boggling.
As you implement your own mobile device security policies, that should be one to include: Don’t send people their own passcodes in plain text, especially if you have no reason to think they need it.
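The point of the two paragraphs above, as an added example that is not from the post and not Virgin Mobile's code: the notification that embeds the account PIN, next to one that carries only a random, short-lived, single-use token and still requires the PIN the customer already knows before the security question can be changed. The phone number, account record, example.invalid URL and 15-minute validity window are constructed assumptions, and SHA-256 stands in for a proper slow PIN hash so the block has no dependencies.

```python
"""Two ways to tell a customer their security question has expired: one that
discloses the PIN in the message, and one that does not."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for the reset link

# Constructed sample data; not a real account or any provider's data model.
ACCOUNTS = {
    "+15555550100": {"pin_hash": hashlib.sha256(b"4321").hexdigest()},
}
# sha256(token) -> {"phone", "expires", "used"}; only the hash is stored, so a
# leaked table does not yield usable links.
PENDING_TOKENS = {}


def insecure_reminder(phone, pin):
    """The anti-pattern from the post: the text itself hands over the PIN."""
    return (f"Your Secret Question has expired. Please update it at "
            f"example.invalid with acct PIN {pin}")


def message_discloses(message, secret):
    """Check a reviewer can run over any outbound template or message."""
    return secret in message


def safer_reminder(phone, now=None):
    """Reminder carrying a random, hashed-at-rest, single-use token instead
    of the credential. Returns (message, token)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "phone": phone, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    message = ("Your Secret Question has expired. Update it at "
               f"https://example.invalid/reset?t={token}")
    return message, token


def redeem(token, pin_entered, now=None):
    """Accept the token only if it is unexpired and unused, and only together
    with the account PIN, so a stolen phone alone is not enough."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    account = ACCOUNTS[entry["phone"]]
    # SHA-256 used here only to stay dependency-free; use a slow, salted
    # PIN hash (bcrypt/argon2) and rate-limit attempts in real code.
    pin_hash = hashlib.sha256(pin_entered.encode()).hexdigest()
    if not hmac.compare_digest(pin_hash, account["pin_hash"]):
        return False
    entry["used"] = True
    return True


if __name__ == "__main__":
    print(message_discloses(insecure_reminder("+15555550100", "4321"), "4321"))
    msg, tok = safer_reminder("+15555550100")
    print(message_discloses(msg, "4321"), redeem(tok, "4321"), redeem(tok, "4321"))
```

With the second pattern, a lost or stolen phone yields only a link that expires, works once, and still demands the PIN; the company never needs the plaintext PIN at all, only its hash. Four-digit PINs fall to online guessing, so `redeem` also needs lockout or rate limiting in production.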
Posted by Michael Hardy on Jan 11, 2012 at 7:26 PM | 11 comments
Out in the commercial world, the rhetoric of the Occupy Wall Street movement has gained some traction: The terms "the 99 percent" and "the 1 percent" are understood by nearly everyone.
So who are the 1 percent in government? An Internet start-up called WikiOrgCharts has just released a list of the 1,000 highest-paid federal employees. No doubt, the list will add fuel to the fire in the argument over whether feds are overpaid. Those who say they are can truthfully point to a few federal employees who earn upward of $300,000 per year, while defenders of federal employees can point out that the highly paid feds are doctors, executives and other professionals who are highly paid in the private sector as well.
In fact, the first 30 names on the list -- the highest paid of the top 1,000 -- are mostly medical officers working for the National Institutes of Health or the Indian Health Service, as are many of the lower-ranked people. The first position not tied to health care in some way is Robert Fenner, a general attorney with the National Credit Union Administration, who ranks 60th with an annual salary of $265,559.
Posted by Michael Hardy on Dec 16, 2011 at 7:26 PM | 29 comments
Will the release of Amazon's Kindle Fire start a new round of feds bringing personal devices to work?
The Fire is a pretty nifty gadget. The Insider is not always an early adopter, but he bought one of these the first day it was available. At $199, it serves as an Amazon content delivery tool and an Android apps-running tablet PC. It's not as fully featured as the iPad, but it's affordable to a wider range of customers, and therefore likely to become more plentiful over the next few months.
The Fire connects to WiFi, which means it's probable that at least some feds are going to ask to connect to an agency network. That, and the upcoming gift-giving season, make this a good time to revisit the issue of hooking personal devices into agency networks, a security challenge counterbalanced by demand. Is your agency reconsidering its approach to the question?
Posted by Michael Hardy on Nov 29, 2011 at 7:26 PM | 3 comments