Our "security" is so good, nothing fucking works anymore

I’ve spent two hours today trying to do two things: Renew a security credential at work, and sign up for an online service provided by the USPS.

Denied. Neither works.

Here are the myriad problems I’ve had:

  • Incorrect instructions posted on the web site
  • Click on the link, it logs you out
  • Having just signed up for an account, now we need to verify your identity by sending a code to your cell phone. Haha, no… Your phone number doesn’t work for that, and we won’t tell you why.
  • Help desk person asks if I can send screenshots. Sure… The address they gave me bounced them back, possibly because their system thought it was spam.
  • After setting new passwords (and struggling with all the nonsense: a capital letter, a number, a special fucking character and not more than two characters repeated consecutively), now there’s a CAPTCHA to complete. When it fails, there’s no way to tell if it was a problem with the password or the CAPTCHA.
  • And to have any chance of any of this working, I have to disable all the security features on my browser, which I’m told are absolutely necessary to prevent viruses and hacking.

How have we let it get to this point? What I’ve attempted today was an onerous process at the least, and literally impossible at the worst. And I’m experiencing this crap more and more often. But here’s what really bothers me. In my job, which is flying airplanes, I’m expected to be… perfect. I can’t make any mistakes, even minor ones, without filing a report of some kind (for which I need endless fucking login credentials, security questions and passwords too!).

I am so fed up with having precision demanded from me, and yet there’s all this sloppiness and all these Catch-22s in web site coding and security.

There is no system more secure than one that is inaccessible.

I have to have my internal network and (externally hosted) website scanned once a month for PCI Compliance. For years, everything went smoothly, passed every scan and never gave it a second thought. Then a few years back, the people that do the scan (PCI Rapid Comply, I think) changed one of their requirements such that it’s an automatic fail if they can’t get past your firewall. Their reasoning is if they can’t scan your network, they can’t pass it.
The entire rest of the industry (end users) tried to explain that if they can’t get past the firewall, then the network is safe, right?
Then, to ‘help’ us out, they gave us a list of IP addresses that the scan would originate from and the ports it would use. Perfect, we thought, we’ll whitelist those IPs, open those ports or set up port forwards to watch for those IPs/ports and send them to the parts of the network they need to see.
Nope, we’re explicitly told we can’t do any of that. So, last I checked, we’re all sort of stuck trying to find a balance between blocking everything and letting their scanners in. I think a lot of people just found ways to whitelist them/what they need to do and just don’t tell them.
And, on top of all that, if you fail, they’ll give you reasons. For many of those reasons, you can dispute them and explain the issue and then you’ll pass. Lather, rinse, repeat next month. I eventually learned that once I could write everything they need to know to successfully dispute something in one try, to save it so I can C&P it each month.

I posted this little nonsense just the other day:

https://boards.straightdope.com/sdmb/showpost.php?p=21958513&postcount=65

For some reason, when the security people disabled our working reporting system, they didn’t tell anyone. So for a while we wondered why no one was replying.

I recently tried to arrange a Hold Mail with USPS, which I have done many times before. Denied. New security measures in place require you to register (i.e., give them your valuable data), and be verified. You can be verified via cell phone… but it wouldn’t accept my cell# as acceptable for verification, and there was no available information to be found on why a cell# might be unacceptable.

As an alternative, you can request a code be mailed to you within 10 working days, with which you can set up your Hold Mail. Of course, I was out of town by the time it arrived, so that was a big help.

Couple weeks after I got the code in the mail, USPS sent me a helpful email because I’d used Hold Mail before, explaining that they were changing how it works. :eyeroll:

My husband is a physician. As such he needs to access patient records. The local nursing home instituted a new ‘security’ system for their inmates’ medical records. Those records are available to the attending doctors, the nurses and the pharmacist. I suppose the inmates could break into the office and mess about but… really? So he does a drug review at this home every week. Last week he entered the wrong password on the authorization screen three times and was locked out until… whothefuckknows (until IT support from the new security company could physically drive down to reset the password - did I mention the nursing home is in southeast bumfuck?). So… no drug review. Too bad, so sad.

He is also on-call at the hospital for his patients (and a number of other patients in his on-call group) every couple of weeks. He used to have a beeper, which morphed into an automated call to his cell phone over the years. Or if the call didn’t go through, the switchboard would call the home phone and transfer the call to whomever. No problem. Call the hospital switchboard back or a direct line to the ER or the nurses’ station and deal with whatever: med change for a patient, a new admission, request to call in a specialist… New system sends him a text. Whereupon he has to enter his password to access it. Yep, not him but one of his colleagues did the ‘three times and you’re out’ thing while he was on-call. Locked out until he presented himself at the hospital with multiple forms of ID. Too bad, so sad for any calls from nurses or doctors until he did that.

Oh, and due to the whole ‘southeast bumfuck’ issue the cell service here sucks. So texts can often take hours, sometimes a day, to arrive.
“you have 5 urgent messages from xyz123 - date/time: 6 hours ago” :eek::smack:

Thank og it’s secure though.

One of my pet peeves is security systems that only work via a text sent to your cell phone. In Panama, cell phones have eight numbers instead of seven, so most US automatic systems don’t seem to be able to dial them.

When I want to post a travel notice for my credit cards to my banks, most of them have an option to send a code to your email rather than your phone. One doesn’t, and can’t call my phone, so I always have to call them, which can take 20 minutes of going through phone trees and answering verbal security questions instead of literally 1 minute on the other sites. And once I was required to punch in my date of birth on Skype, but their system wouldn’t accept it. I was told that I couldn’t file a travel notice even though I was speaking directly to an agent.:smack: I’m actually not so much worried about the security risk of using my card overseas, but having my card blocked if I try to use it overseas, and then having to go through the same rigmarole to get it unblocked.

I used to be able to access my work email remotely, but now they’ve started requiring an authentication code sent to my phone. So I just ended up having all my mail forwarded to my Gmail account and never log into my work account at all.

It used to be simple to buy a new data package from my cell phone provider here in Panama. Then they started sending an authentication text message, which is good for maybe a minute or two. But it takes so long for them to send it and for me to key it in that it’s usually expired before I can use it. Sometimes it’s taken four or five tries before I get the code fast enough to use it.:smack::smack::smack:

At my last job, I would send weekly status reports to my boss via email. Suddenly he stopped receiving them - I was naming them “Myname_status_date.doc”, and it turned out IT had added an anti-phishing filter that blocked any email with an attachment with the word “status” in the name. No email back to the sender, no notice to the recipient that an email had been blocked. Nothing to check sender address and let through emails that originated from within the company. I complained to IT, and their only suggestion was to not use the word “status”. I wonder how many messages from vendors or customers were lost to this stupidity.

And I’ve decided that I refuse to work with any phone app which requires me to enter a password but refuses to give me a way to actually see what I entered. Yes, password security is important, but please credit me with the intelligence to know if I’m in a place where I have to worry about shoulder surfing.

I can help there at least. Instead of thinking about a password, it’s more helpful to think of a passphrase that is easy to remember (or hard to forget), such as 1953MarilynMonroewasdeadgorgeous! or 4:20Isweedo’clockeverywhere

Longer passwords are more difficult to brute force, so the length of a short phrase is better security, although of course it’ll take a bit longer to type in, which might become annoying if you have to log in and out often. In case your security system has a max pwd length and your preferred passphrase doesn’t fit, or if you simply don’t want to type more than strictly necessary, you can use initial or final letters: 1953MMwdg! and 4:20Sdke are both relatively secure passwords that will at the very least resist any dictionary attack while still being much easier to remember than e.g. a random chain of letters and characters provided by a pwd generator, since you know the simple algo behind their generation.

I used to use hummingbird genera that started with the same letter as the website (with prefixes and suffixes that satisfied the other criteria), but pretty soon I ran out of genera for the more common letters. :slight_smile:

Hit the same USPS problem today.

The post office seems to be quite enthusiastic about the new change to mail holding as they’ve emailed me three times about it so far. Fortunately, as a user of Informed Delivery (inbound logistics for your mailbox) I’m already vetted and registered.

As for all of these bone-headed security schemes, the dorks who concocted them have all forgotten that the foundational tenet of information security is something called the CIA Triad: Confidentiality - Integrity - Availability. By blocking proper users, they’re screwing up on availability. Deep-sixing emails with “status”? Insane. Although… I probably get ten emails a day with references to status, so that would lighten up my work a bit. :smiley:

I’m IT support at my work. We’re a state government agency. At one point we started getting reports that file sharing sites were tripping our web filters. We have auditors and investigators and consultants that need to get documents from the public on a regular basis, sometimes huge documents. We can’t accept them via email because they often exceed the size limit.

I am spending a lot of time troubleshooting the issue, sending tickets to other parts of our agency including the security office. Finally after a few weeks the security office appears at one of our agency-wide IT meetings and informs us that they’ve intentionally blocked all cloud file sharing sites. Google Docs, Dropbox, you name it, it’s blocked. They hadn’t gotten around to telling us yet. Those shitheads. It wasn’t even anything written into our policies, they’d decided on their own to do that and cause massive work stoppages across the agency.

I tell people at work all the time that as IT support my job is to do all I can to ensure that you can do your job, and the security office’s job is to ensure you can’t. I’m quite vocal about that. They have no concept of anything outside their paranoid little bubble. I keep waiting for the day that I go to work and find that we have no internet connection because the outside world is too scary.

I recall one time that we got a report that a computer on one of our field offices’ networks was infected with some kind of malware that was sending info to a remote site. It was only connected for an hour or so. The computer’s name did not even come close to our naming conventions, so it’s obvious to me that it wasn’t one of ours. We have a guest WiFi for the public to use, so the computer was probably hooked up to it. The security office calls me up to grill me about what this machine is and where it came from. It had connected to our network briefly a few weeks prior. I told them that it wasn’t an agency machine and there is no way to know what it was and they’ll never know, plus it didn’t do damage, so why are they hunting it? Then they asked about a person in the office about an hour after it closed who was on security footage; they could only describe him as a male who walked across the lobby with dark clothes and light hair. I asked if I could see the footage to see for myself and they refused. So I told them that was generic enough to describe me. It took them days to drop it.

Seriously, I don’t know how my agency functions at all with people in security who are probably insane.

Why keep using the same company? And who “explicitly told” you that you can’t whitelist the scanning IPs?

Also, all these stories confirm that cybersecurity jobs will never be going away. That’s good for me!

I support this Pitting! Especially annoying is that some of the most stringent password/captcha stuff is for entries of little value, e.g. to join a free library. Some captcha images are impossible — only a computer might guess them! Others are easy, but fail inexplicably. On occasion I’ve failed 8 consecutive captchas before giving up.

Just two days ago I needed a password for some worthless account. I used one of my standard passwords: lower-case AND upper-case AND digit AND special symbol AND 12 characters long. It was rejected as too easy to guess! (Well yeah, I made it very easy to remember.)

Fortunately I’ve had no trouble getting text codes from 3 or 4 U.S. sites. Thailand cell-phone numbers are 9 digits (11 counting the country code). [10 digits counting the leading 0]

:smack: I remember reading about a “specialist” who was losing email. Filters caught it as “spe CIALIS t”

Ah, the good ol’ Scunthorpe Problem. How is that still an issue 23 years later?
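The “status” attachment filter and the “spe-cialis-t” mishap above are the same defect: a substring match over a blocklist. The following added example (not anything posted by the people in this thread, and not any real product’s code) contrasts that naive filter with a whole-word match that also exempts internal senders and always returns a reason, so the mail system can notify people instead of silently dropping mail. The blocklist, the domain example.com and the sample filenames are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed blocklist for the demonstration; not any vendor's real list.
BLOCKED_TERMS = {"status", "cialis"}
INTERNAL_DOMAIN = "example.com"  # hypothetical company domain


@dataclass
class Decision:
    blocked: bool
    reason: str  # always populated so sender/recipient can be told why


def naive_filter(sender: str, attachment: str) -> Decision:
    """Substring match on the attachment name, as described in the thread.

    Blocks 'Myname_status_date.doc' from a colleague and also
    'specialist_report.pdf' because 'cialis' sits inside 'specialist'.
    """
    low = attachment.lower()
    for term in BLOCKED_TERMS:
        if term in low:
            return Decision(True, f"substring {term!r} in {attachment!r}")
    return Decision(False, "no match")


def _tokens(text: str) -> set:
    # Whole-word tokens of letters and digits only: '_' and '.' are
    # separators, so 'status' in 'Myname_status_date.doc' is a token,
    # while 'specialist' never yields 'cialis'.
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def hardened_filter(sender: str, attachment: str) -> Decision:
    """Whole-word match, internal senders exempt, reason always returned."""
    domain = sender.rpartition("@")[2].lower()
    if domain == INTERNAL_DOMAIN:
        return Decision(False, f"internal sender {sender}")
    hits = _tokens(attachment) & BLOCKED_TERMS
    if hits:
        return Decision(True, f"blocked term(s) {sorted(hits)} in {attachment!r}")
    return Decision(False, "no match")


if __name__ == "__main__":
    for fn in (naive_filter, hardened_filter):
        print(fn.__name__, fn("me@example.com", "Myname_status_date.doc"))
        print(fn.__name__, fn("vendor@other.org", "specialist_report.pdf"))
```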

Don’t you just hate it when you fail a Turing test?

This isn’t entirely new - back in the 1990s, when the company I worked at was using the internet more and more, the IT department put a porn filter on the web browser/e-mail/etc.

The problem? My department was medical research doing a project on breast cancer. Yep, EVERYTHING blocked. Howls from the researchers. Management meetings.

The IT department’s answer? “Can’t you use words other than ‘breast’ and ‘mammary’?”

Uh, no, not really, not when you’re searching for information on breast cancer in the published literature where literally all the titles and keywords were things like “breast” and “mammary”.

Eventually something was sorted out so our department, at least, could search on terms like “breast” (and other “naughty” body parts).

But I suspect it’s only gotten worse.

But doesn’t just about every system lock you out after about 5 tries anyway? So why is brute-forcing even a concern?

On another topic, I was once singing into a government system and one of the requirements was that your password had to be EXACTLY 12 characters. I can sort of understand a minimum, but making an exact requirement seems counterproductive. At least the hacker knows what length he needs to guess!

…and on-key, to boot!