Some weeks ago, I posted to the group about a certain other school in the area and how they wanted me to put my SSN through an insecure connection. Well, with my last stub, nothing had changed, so I wrote an email to a couple of involved parties. I thought some of you who know much more about security than I might get a good laugh. Enjoy.
---------- Forwarded Message ----------

Subject: Re: Message to IT
Date: Tuesday 15 March 2005 05:52 pm
From: "Information Technology" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

We are glad for your concern about security and identity theft and this issue. We hope you will continue to email us on issues and feedback that are important to you.

Regarding the tool that you wrote about. This tool is not Banner. This tool was created at the request of payroll and users and for the conversion time period that we are currently involved with as a convenience to users. No one has to use this tool. Once you have your Banner ID you never again need to go to that website/link. We would have preferred that every user would have memorized their UV ID last summer during the conversion process when it was sent out to them securely but due to the large number of calls and requests by users this tool was requested by the business office. The SSL certificate on it has been problematic to keep it installed with a trusted certificate and not an internal one and we are still in the process of solving that.

If you want to go to a secure site to get your Banner ID it is currently available at https://nsn.uvsc.edu/nsn/BIT/IDVERIFY.BAS. (Note the https address). This site unfortunately has not always been up due to the problem with the certificate but it is currently up. If it remains up, it will be published in the next check email instead of the non-SSL site.

However, the sites are secured with other means and it is on a monitored, switched network. Yes, it is possible for someone to sniff the clear text on the non-SSL site but they would have to be on the same network subnet as you and watching it at the exact time that you entered your SS number. It is a risk that we were told was acceptable for this situation while we worked on the SSL site issues.

One of the reasons for going to Banner is the security issues like the one that you mentioned. The Banner ID will replace the SS number as the identifier for all on-campus transactions. Currently that is not possible in the current system. Banner has much, much more security than other similar systems that have been available. The new ID referred to as the UV ID will become more and more important as time goes on being the only ID number needed and the user name for almost all systems.

I am not sure about where your understanding or opinions of Banner come from but it sounds like you have received misinformation regarding what Banner is, does, and about its security. If you have questions or have heard complaints or rumors regarding Banner, please pass them on to us so that we can address them.

IT

>>> "Jacob Albretsen" <[EMAIL PROTECTED]> 3/15/2005 11:52 AM >>>

For the last few weeks, I have been receiving the following email with my pay stubs:

Attached is your Direct Deposit Advice. The password to open the file is your Banner ID number. If you do not know your Banner ID click on the following link and follow the instructions:

http://nsn.uvsc.edu/nsn/BIT/IDVERIFY.BAS

Doesn't this seem like a really bad thing to you? You want me to enter my SSN into a form on the internet that is unencrypted and insecure? The form is not even tied to a secure script:

FORM NAME='FORM1' ACTION='http://nsn.uvsc.edu/nsn/BIT/GETID.BAS' METHOD='POST'

Maybe you are aware of it, but maybe you are not. But it seems silly to go through all this trouble to lock up a PDF file with sensitive information only to have you get the password to unlock it by passing your SSN through an insecure connection. I just thought I would let you know and say I'm not going anywhere near Banner until things like this are cleared up. The last thing I need is for my identity to be stolen.
-- Jacob Albretsen
--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
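The form tag quoted in the message hard-codes an http:// ACTION, so the submission travels in clear text no matter which URL the page itself was loaded from. The following is an added example, not part of the original thread or of the school's code: a small audit that resolves each form's action against the page URL and reports forms that submit over plain HTTP. The SSN input field in the sample markup and the list of sensitive-name hints are constructed assumptions; only the FORM tag comes from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hints for field names that carry secrets (not from the original message).
SENSITIVE_HINTS = ("ssn", "social", "password", "passwd")

class FormAudit(HTMLParser):
    """Collect each form's resolved submit URL, method and input fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._open = {"name": a.get("name"), "target": target,
                          "method": (a.get("method") or "GET").upper(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def cleartext_forms(page_url, html):
    """Return the forms on the page whose data would be sent over plain HTTP."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    for f in parser.forms:
        if urlsplit(f["target"]).scheme != "http":
            continue
        sensitive = [n for n, t in f["fields"] if t == "password"
                     or any(h in n.lower() for h in SENSITIVE_HINTS)]
        findings.append({"form": f["name"], "target": f["target"],
                         "method": f["method"], "sensitive_fields": sensitive})
    return findings

# Constructed sample: the FORM tag is the one quoted in the message, the inputs are assumed.
SAMPLE = """<FORM NAME='FORM1' ACTION='http://nsn.uvsc.edu/nsn/BIT/GETID.BAS' METHOD='POST'>
<INPUT TYPE='text' NAME='SSN'><INPUT TYPE='submit' VALUE='Get ID'></FORM>"""

if __name__ == "__main__":
    print(cleartext_forms("https://nsn.uvsc.edu/nsn/BIT/IDVERIFY.BAS", SAMPLE))
```

With the absolute http:// action the form is reported even when the page URL passed in is the https one; a relative action would instead inherit the scheme of the page.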
