Team Technologies Security Policy Regarding Exchange of Passwords
We've recently contacted some of our customers and third parties to raise an issue concerning the sharing of GoldSTAR passwords in plain text emails, as we have experienced a number of occasions where this has happened.
Whilst we understand that different organisations have differing views on keeping credentials safe, it is generally agreed that passwords should never be included in the same communication as the data to which they relate. For example, one should never share a login ID and its password in the same message, or send a password in the same message as the data file it protects.
In addition, it's our view that passwords should not be sent in an unencrypted form, in plain text emails. Our information security policy dictates that we are not allowed to send passwords to anyone in email, and we should not receive passwords by email. Our preferred method of sending and receiving passwords is via SMS text messages. These use a different technology, take a different route and are better protected than email. While not foolproof, using different technologies for sending the password from that used to send the rest of the credentials puts a significant hurdle in the way of hackers.
If we do receive passwords in email, this constitutes a security incident according to our policy, and we will raise an incident report and investigate the issue and its potential impact on the Confidentiality, Integrity and Availability of personal data. We will then decide what, if any, action needs to be taken. Often this will only be that we inform you that the incident has occurred and advise you of our view of the risk to the personal data, leaving you (as the Data Controller) to apply your own Information Security and Data Protection processes as needed; but it could include recommending that the disclosed password is changed, or that other action is taken to ensure the continued security of the personal data. In line with our philosophy of continuous improvement, we will also look for any failure in our own processes that could have led to the incident occurring, and for ways to prevent it in future.
What process should I follow if I need to send a password to Team Technologies?
1. Email our esupport address and request a mobile phone number to send the password to. Don't rely on this being the same as on a previous occasion: often it will be the same, but to avoid the possibility of a password being sent to an unknown number or to someone who is not available on the day, you should have the number confirmed on each occasion.
2. If the password relates to a particular file of encrypted data that you're sending, that file can be included in the email.
3. If the password relates to a particular login ID, that ID can be included in the email, but the email must not include the URL, IP address or any other means of identifying the system that the ID relates to.
4. Once we confirm the phone number, send the password via SMS to that number. Do not include any text that identifies the system or file it applies to. Please add your name and/or a support reference number.
5. We will confirm to you that we have received the password.
What process will Team Technologies follow to send a password to me?
1. Our support team will email you with confirmation of the ID that you are to use for the requested purpose, or containing the file of data that we are sending to you. This email will also ask for a suitable mobile phone number to which we can send the associated password. Please respond to this email with a phone number that is available to you.
2. We will text the password to you as soon as possible after receiving the phone number. We will not give any details of the specific file or system that the password applies to, but we will include the name of the person that you have been dealing with.
3. Please acknowledge receipt of the password via email.
Why we believe that email is insecure.
There are some bad people out there! Sophisticated and in some cases state-sponsored cyber attacks are on the increase, and many organisations are being targeted, particularly those involved in infrastructure or communications. Email sniffing is one method used to seek out information which can be used as a 'key' to gain access to networks, systems and data. Putting login credentials, or an encrypted file, in the same email as the password hands the data to the sniffer on a plate. Even sending the information in two separate emails doesn't protect you, as both emails could be intercepted and the information put together. Emails between organisations typically travel across the public internet, so they are unlikely to be protected from start to finish, and neither you nor we are in control of the route the emails take over the internet. You simply do not know who can read, or has read, your email(s). Until internet-based email supports end-to-end encryption, it is our belief that you shouldn't send anything sensitive via email without a strong second level of security in place, such as that described above for protecting passwords.