Firewall fail: A tale both funny and sad

Call center's attempt to keep employees off the Internet had one problem


After assuring me in an email that this episode really did happen - six or seven years ago at a call center in India contracted at that time by Citibank - the teller of the rapidly spreading tale got cold feet and deleted it from his Google+ page. (That never works.)

"I'm kind of having a panic attack," said the fellow, an artist who authors Web comics. "I'm not used to having close to 1 million people reading and reacting to my posts." (I know that agreeing to leave his name out here won't matter, but neither is his name vital to the story and I don't want to add to a man's panic.) Here's what he wrote:

Several years ago, I was working as a trainer in a Citibank call center. At least that was my job on paper. In reality, the employees were far too busy to attend training, so I just hung around and killed time.

The building was locked down. No phones, no email, no paper coming in or out of the building, no ports on the computers, and (most unfortunately for a guy stuck with nothing to do) no Internet.

It made sense, since every computer in the building had access to the complete financial history of every single person who'd ever done business with Citibank. Social security numbers. Passwords. The works.

But then one day, I saw one of the employees goofing off in some random chatroom. He explained that he had found it in the history tab after moving to a new computer. It was the site for a random radio station called Cities FM. I went to my own computer, and found many other sites I could access. The Center for Information Technology Integration. Cities Restaurant. The Cape IT Initiative. Random websites that had one thing in common. They started with the letters CITI.

See, the employees needed to access the sites for the company they worked at. CitiBank, CitiMortgage, CitiFinancial... but since the company was constantly expanding, their IT department had decided that rather than keep updating the firewall, they would simply allow any site that started with the letters CITI, assuming that they would probably own it.

That night, I registered citi.MyName.com.

I, of course, not being a criminal mastermind, used it pretty much like I use Google Plus. I made it so my coworkers could read my comics while they were bored. After I left the company, I added an e-mail form so that I could post pictures of the places I traveled and they could e-mail me back.

Of course, if I had been a criminal mastermind, at any point any of them could have hit copy/paste and I would have had enough information to steal the identities of a large percentage of the American public.

I didn't. But that, my friends, is the illusion of security.
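The rule the post describes, allow any site whose name starts with "citi", is a prefix match on a hostname, and the problem is that anyone can register a name with that prefix. The following is an added illustration, not code from the original post or from any firewall product: a small Python model of that prefix rule next to an allowlist that checks the hostname against the registered domains the company actually owns. The domain list and the sample URLs (including the `citi.myname.example` stand-in for the author's site) are constructed for the example.

```python
"""Prefix-match allowlist (the flaw in the story) versus a registered-domain allowlist.

Added illustration. ALLOWED_DOMAINS and SAMPLE_URLS are constructed for the example.
"""
from urllib.parse import urlsplit

# Hypothetical set of registered domains the company owns (constructed sample).
ALLOWED_DOMAINS = {"citibank.com", "citimortgage.com", "citifinancial.com"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL with any trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def prefix_allowlist(url: str) -> bool:
    """The rule from the story: permit any host whose name begins with 'citi'."""
    return hostname_of(url).startswith("citi")


def domain_allowlist(url: str) -> bool:
    """Permit only hosts that are a listed registered domain or a subdomain of one.

    The '.' + domain comparison matters: a bare endswith(domain) would also
    accept 'notcitibank.com', the mirror image of the prefix mistake.
    """
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


# Constructed sample URLs covering the cases the story raises.
SAMPLE_URLS = [
    "https://citibank.com/login",             # company-owned domain
    "https://online.citibank.com/",           # company-owned subdomain
    "http://citiesfm.example/",               # unrelated site sharing the prefix
    "http://citi.myname.example/comics",      # third-party host with a 'citi' label
    "http://notcitibank.com/",                # lookalike that a sloppy suffix check would pass
]


def compare(urls):
    """Map each URL to (allowed by prefix rule, allowed by domain allowlist)."""
    return {u: (prefix_allowlist(u), domain_allowlist(u)) for u in urls}


if __name__ == "__main__":
    for url, (by_prefix, by_domain) in compare(SAMPLE_URLS).items():
        print(f"{url:40} prefix={by_prefix!s:5} domain={by_domain}")
```

Running it shows the prefix rule is wrong in both directions: it admits `citiesfm.example` and `citi.myname.example`, which the company does not control, while rejecting `online.citibank.com`, which it does. The domain allowlist gets all five right, and the explicit `"." + d` comparison is what keeps `notcitibank.com` out.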

Before he removed the post, it had been widely shared on Google+ and sparked more than a hundred comments, some of which suggested our man might have bought himself legal trouble. He noted in the comment string that his bosses knew about what he had discovered and that the call center no longer does business with Citibank.

His first email to me also noted that he had edited his Google+ post to remove mention of Citibank. "The imagined super-villain scenario I presented would actually be the WORST identity theft scheme in the world ...and, I shouldn't have framed it as such an exposé."

His second e-mail went further: "I've deleted said post, though I know it's still floating out there in (Google+) reshares. Thinking back I know there were many other safeguards that would have caught anyone doing anything illegal with the flaw."

As for those call-center workers, who, like our storyteller, were just looking to kill time, they were indeed free to visit any website they'd like ... as long as it began with Citi.
