First off, they send me an urgent notice which is a PDF attachment. This means that I need to open an attachment with no way to verify the sender. Well that violates my concepts of first line of defense against malware. The notice was about my past due bill (7 days late) and advising of termination. I submitted a response on the Sprint website pointing out that the bill I received stated my account was set for auto-pay. That should have been the end of it as I went ahead and manually paid the bill since it was clear their accounting system is a bit wacky and was not going to process the auto-pay.

A couple of days later I get a call from Sprint. They said they were calling about my complaint, but that they needed to verify my identity before they could talk to me about it. They asked for my PIN. I advised that security requires that I never give this information to somebody who initiates contact. The caller suggested I could take his employee ID, but he had no way for me to verify the number until after the call. He then asked for my date of birth. I gave the same response. He then asked for my secret question. Huh?

Now most companies are very explicit that they say they will never contact you and ask you for this type of information. Sprint on the other hand asked for 3 different pieces of this information. When I would not provide it, the rep then played the game of trying to put words in my mouth by saying “So, you’re refusing to provide the information I am requesting?” I advised that he was violating all security rules by calling and asking the questions and that Sprint was making their customers very susceptible to identity theft by getting them used to answering these questions on the phone.

Imagine what happens when the Sprint customer who is used to this behavior by Sprint gets a similar call from a bad guy. The bad guy says he is from Sprint and that there is an issue on the account. He then asks for this private information. The customer who is used to,when dealing with Sprint, going against all common sense in regards to security ends up giving out his PIN, date of birth and answer to the secret question to an unknown caller.

Sprint should be ashamed that encourage such sloppy security. Rather than try to force me to give the information, they should have listened to my response and reconsidered the security hole they are creating for each of their customers.

The name of the game is keeping the bad guys from getting close enough to make your anti-virus systems kick in. How is this accomplished? The first way is user behavior. Following these rules will keep the bad guys at bay:

• Never click on links in emails stating they are from business you interact with such as a bank or mail provider.
  • They will usually want you to download an update or update your customer files
  • These links almost never are from the company they claim to be from
• Never download unsolicited software updates
  • Recently there was a concerted attempt to get people to download new server setting to comply with changes made by your mail provider. Right. This email spam was sent out to millions of mail accounts to get the users download malware. I had a customer ask if he should install the update. Needless to say my answer was no.
  • Web sites will pop up messages that your machine has been infected. Your machine has not been infected and if it has been, the solution is not going to come from soem random web site.
• Don’t open unexpected attachments.
  • Sending attachments is a common way to get the end user to install malware.
  • Service providers should not encourage the idea of opening attachments by sending them. Billing info etc should either be imbedded in the email or you should be advised to go to the providers web site for more information.

The second way is when the bad guys have gotten a little closer. This is reflected in the setup of your machine. Users should not be administrators when on the internet. The user should only go into administrative mode when there is a specific need. Nobody likes this and the hate that end users had for the Vista UAC relfects this. Unfortunately this is one of the stronest layers of defense and it is the one most often violated by the home user. If you are not an administrator then even if you accidiently download something you shouldn’t the odds are that the install of the malware will fail. When our customers allow us to set up their systems the way we would like it is extremely rare that there are any problems. Most issues arise when a spcific user is granted administrative rights and with those rights accidentlay installs malware. While the end user is occasionally bothered by not being able to download and install the newest version of Flash or something like that at least they don’t get bothered by the inconvenience of having to rebuild an entire machine.