Friend got "robbed" of shifts from company's database? How could this have happened?

 
Ranch Hand
Posts: 53
2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sorry I've come to this board over what might be a sensitive issue. I really am frustrated right now on my friend's behalf and trying to figure out what to do.

I have a female friend (we will call her Anna) who works in a large industry that does customer service for higher clientele. She is one of thousands of workers across three continents and they all trade shifts via an online exchange. One day she came to me in tears because she randomly "lost" a high-paying $1200 shift at her workplace. It randomly disappeared from her online board and got assigned to a guy we will call "Carl", who got a reputation for "snatching" shifts via some alleged hack he composed. She was devastated because she needed that money, and she emailed Carl and begged for him to give the shift back and wouldn't ask any questions. He then basically taunted her and reacted belligerently. She looked at his board, and the shifts he had were virtually impossible to acquire. He gets paid double because of his seniority, and he had $2400 several times a week. Again, virtually impossible to obtain this kind of financially-maximized streak with only the highest-paying shifts. When Anna called him out on that, he made his board private so nobody could see.

Anna showed me several emails from colleagues who also lost shifts to this guy. What is really crazy is the alleged hack makes it look like the owner of the shift legitimately traded it to Carl, and that is why the IT executive over the system keeps dismissing the complaints. But I think he is being jaded and lazy, because I see lots of red flags. One really shocking email had one worker showing a screenshot of her board history, and the shift she lost was traded by her on LINUX!!! She said she had a Mac and never used Linux in her life.

I'm a programming professional, but I'm not a security expert. I am guessing a SQL injection attack could have been in order. Is that possible? I just want to know if this can be done by a supposedly "non-techie" customer service worker, because I'm about to suggest Anna go to the police and file an identity theft report, but I don't want her to look stupid if it is unfeasible to pull off.

Junilu Lacar, Sheriff, Posts: 17644
The first thing your friend should probably do is to make her board private as well, so there will be less likelihood of someone viewing the page source and trawling for information that can be used to exploit the system. You'd be surprised at how much sensitive information lies just below the surface of a web page and it only takes a little patience and motivation to spend the time and effort needed to find it. A number of attacks could have been perpetrated, including SQL injection. I wouldn't worry too much about looking stupid -- if she has a legitimate complaint, I would think the police would at least refer her to the appropriate department, if they have it, that handles cyber crimes. Also consider consulting a lawyer to get advice on the proper legal actions she can take, if any. Good luck.
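Junilu's reply lists SQL injection among the possibilities, and Tom's opening post asks whether that is even feasible. The following is an added example, not code from this thread or from the system being discussed: a hypothetical shift-trade endpoint that splices the client-supplied shift ID into its SQL, shown next to a version that is parameterised, enforces the "must have been offered" rule inside the same statement, and writes an audit row. The table layout, the `offered` flag, the user names and the payload are all assumptions made for the illustration.

```python
import sqlite3

# Constructed in-memory schema standing in for a shift-exchange board.
# Table/column names and the "offered" flag are assumptions for this example.
def make_board() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shifts (id INTEGER PRIMARY KEY, owner TEXT, pay INTEGER, offered INTEGER)"
    )
    conn.executemany(
        "INSERT INTO shifts VALUES (?, ?, ?, ?)",
        [(1, "anna", 1200, 0),   # Anna's shift, NOT offered for trade
         (2, "bob", 600, 1)],    # Bob's shift, legitimately posted for grabs
    )
    conn.execute(
        "CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
        "actor TEXT, shift INTEGER, prev_owner TEXT)"
    )
    conn.commit()
    return conn


def owner_of(conn: sqlite3.Connection, shift_id: int) -> str:
    return conn.execute("SELECT owner FROM shifts WHERE id = ?", (shift_id,)).fetchone()[0]


def take_shift_vulnerable(conn: sqlite3.Connection, taker: str, shift_id: str) -> None:
    # shift_id arrives straight from the request and is pasted into the SQL.
    # The only "authorisation" is the offered = 1 predicate, and a crafted
    # shift_id defeats it: AND binds tighter than OR, so "1 OR 1 = 1" becomes
    # WHERE id = 1 OR (1 = 1 AND offered = 1), which matches shift 1 even
    # though it was never offered.
    sql = (f"UPDATE shifts SET owner = '{taker}', offered = 0 "
           f"WHERE id = {shift_id} AND offered = 1")
    conn.execute(sql)
    conn.commit()


def take_shift_hardened(conn: sqlite3.Connection, taker: str, shift_id: str) -> bool:
    """Parameterised query with the business rule enforced in the same statement.

    `taker` must come from the server-side session, never from the request body.
    Returns True only if exactly one offered shift changed hands.
    """
    try:
        sid = int(shift_id)            # anything but a bare integer is rejected
    except (TypeError, ValueError):
        return False
    row = conn.execute(
        "SELECT owner FROM shifts WHERE id = ? AND offered = 1", (sid,)
    ).fetchone()
    if row is None or row[0] == taker:
        return False
    prev_owner = row[0]
    cur = conn.execute(
        "UPDATE shifts SET owner = ?, offered = 0 "
        "WHERE id = ? AND offered = 1 AND owner = ?",
        (taker, sid, prev_owner),
    )
    if cur.rowcount != 1:            # lost a race or the row changed underneath us
        conn.rollback()
        return False
    # Record who acted, from the server's own view, so a trade that skipped the
    # offer path can later be told apart from a legitimate one.
    conn.execute(
        "INSERT INTO audit (actor, shift, prev_owner) VALUES (?, ?, ?)",
        (taker, sid, prev_owner),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    board = make_board()
    take_shift_vulnerable(board, "carl", "1 OR 1 = 1")
    print("vulnerable endpoint, shift 1 owner:", owner_of(board, 1))   # carl

    board = make_board()
    print("hardened, injected id:", take_shift_hardened(board, "carl", "1 OR 1 = 1"))  # False
    print("hardened, unoffered shift:", take_shift_hardened(board, "carl", "1"))       # False
    print("hardened, offered shift:", take_shift_hardened(board, "carl", "2"))         # True
```

The hardened version fixes two separate things: the query is parameterised, so the ID can no longer change the shape of the statement, and the "was this shift actually offered by its owner" rule lives in the UPDATE's WHERE clause rather than in a check the caller might skip. The audit row is what a later investigation (logs, IPs, timestamps) depends on.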

Stefan Evans, Bartender, Posts: 1845
Of course it is possible that the guy has found a "feature" of this online exchange to exploit trades.
I wouldn't get hung up on sql injection, there are any number of ways it could be done.
If he is senior enough, he (or someone) might have the permissions to 'force' a trade. Or perhaps he has just found a way to give himself the credentials of another user.
90% of the time things like this don't require hacking, just admin access to the system.
Without knowing the details of the system, it would be impossible to tell.

Going to the police sounds extreme though.

Vague ideas running through my head
- is there any difference between a 'legit' trade and a 'dodgy' one in the records?
- is it possible to keep a log of 'lost' shifts
- is there a pattern to them if you compare notes with friends?
- if you make your own board private it might prevent 'theft' of shifts in the future...
- on the Mac vs Linux thing, MacOS is unix based, so might potentially show up as linux in some cases (don't know details, but the possibility is there)
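Stefan's list asks whether a legitimate trade and a dodgy one look different in the records, whether the lost shifts can be logged, and whether a pattern shows up across several victims. As an added example (not from this thread or from the system being discussed), here is a small Python triage script run over a constructed sample of what such a trade log might contain. It flags a trade when there is no prior offer by the listed owner, when the acceptance follows the offer within seconds, when offer and acceptance come from the same IP address, or when the offer was made from a platform the owner never otherwise uses. The event names, fields, user agents, addresses and the 60-second threshold are assumptions made for the illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (one JSON event per line). Field names, addresses and
# user-agents are invented for this example.
SAMPLE_LOG = """
{"ts": "2019-03-01T08:00:00", "event": "login", "actor": "anna", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14)"}
{"ts": "2019-03-02T09:15:00", "event": "login", "actor": "anna", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14)"}
{"ts": "2019-03-03T10:00:00", "event": "login", "actor": "bob", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2019-03-03T10:05:00", "event": "offer", "actor": "bob", "shift": 202, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2019-03-03T13:40:00", "event": "trade", "actor": "dave", "shift": 202, "from": "bob", "to": "dave", "ip": "198.51.100.44", "ua": "Mozilla/5.0 (Windows NT 10.0)"}
{"ts": "2019-03-04T02:13:07", "event": "offer", "actor": "anna", "shift": 101, "ip": "192.0.2.55", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
{"ts": "2019-03-04T02:13:09", "event": "trade", "actor": "carl", "shift": 101, "from": "anna", "to": "carl", "ip": "192.0.2.55", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
{"ts": "2019-03-05T02:20:00", "event": "trade", "actor": "carl", "shift": 303, "from": "erin", "to": "carl", "ip": "192.0.2.55", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
"""


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines()]


def os_family(ua: str) -> str:
    # Android user agents also contain "Linux", so test it before Linux.
    for needle, name in (("Macintosh", "Mac"), ("Windows", "Windows"),
                         ("Android", "Android"), ("Linux", "Linux")):
        if needle in ua:
            return name
    return "other"


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def suspicious_trades(events: list[dict], quick_accept_seconds: int = 60) -> dict[int, list[str]]:
    """Return {shift_id: [reasons]} for trades that do not look like a normal offer-and-accept."""
    events = sorted(events, key=ts)
    # Each user's usual platform, counted over every action they took.
    platforms: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        platforms[e["actor"]][os_family(e["ua"])] += 1

    offers: dict[int, dict] = {}          # shift -> most recent open offer
    findings: dict[int, list[str]] = {}
    for e in events:
        if e["event"] == "offer":
            offers[e["shift"]] = e
        elif e["event"] == "trade":
            reasons = []
            offer = offers.pop(e["shift"], None)
            if offer is None or offer["actor"] != e["from"]:
                reasons.append("no offer by the listed owner")
            else:
                gap = (ts(e) - ts(offer)).total_seconds()
                if gap < quick_accept_seconds:
                    reasons.append(f"accepted {gap:.0f}s after offer")
                if offer["ip"] == e["ip"]:
                    reasons.append("offer and acceptance from the same IP")
                usual = platforms[offer["actor"]].most_common(1)[0][0]
                seen = os_family(offer["ua"])
                if seen != usual:
                    reasons.append(f"offer from {seen}, {offer['actor']} usually on {usual}")
            if reasons:
                findings[e["shift"]] = reasons
    return findings


def recipient_concentration(events: list[dict]) -> Counter:
    """How many traded shifts ended up with each recipient: the 'pattern' check."""
    return Counter(e["to"] for e in events if e["event"] == "trade")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for shift, reasons in suspicious_trades(evs).items():
        print(shift, "->", "; ".join(reasons))
    print(recipient_concentration(evs).most_common())
```

A user agent is supplied by the client, so the platform mismatch is corroboration rather than proof; the same-IP and timing signals are harder to explain away, and the missing-offer case is a straight violation of the exchange's own rule that a shift must be put up for grabs before anyone can take it. Note also that a real macOS browser identifies itself with "Macintosh", not "Linux", so the "Mac vs Linux" question above is answered by looking at the raw user-agent string in the log rather than a summarised OS column.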

Tom Nielson, Ranch Hand, Posts: 53
Junilu Lacar wrote:
    The first thing your friend should probably do is to make her board private as well, so there will be less likelihood of someone viewing the page source and trawling for information that can be used to exploit the system. You'd be surprised at how much sensitive information lies just below the surface of a web page and it only takes a little patience and motivation to spend the time and effort needed to find it. A number of attacks could have been perpetrated, including SQL injection. I wouldn't worry too much about looking stupid -- if she has a legitimate complaint, I would think the police would at least refer her to the appropriate department, if they have it, that handles cyber crimes. Also consider consulting a lawyer to get advice on the proper legal actions she can take, if any. Good luck.

Huh, ditto on privatizing the board. That makes sense; my understanding is most penetration work involves trying to just find the target, not executing the attack against it. I'll go ahead and let her know. I also just talked to a family friend who is a labor judge. I think I've got a lot to run with. Thanks for your help!

Tom Nielson, Ranch Hand, Posts: 53
Stefan Evans wrote:
    Of course it is possible that the guy has found a "feature" of this online exchange to exploit trades.
    I wouldn't get hung up on sql injection, there are any number of ways it could be done.
    If he is senior enough, he (or someone) might have the permissions to 'force' a trade. Or perhaps he has just found a way to give himself the credentials of another user.
    90% of the time things like this don't require hacking, just admin access to the system.
    Without knowing the details of the system, it would be impossible to tell.

    Going to the police sounds extreme though.

    Vague ideas running through my head
    - is there any difference between a 'legit' trade and a 'dodgy' one in the records?
    - is it possible to keep a log of 'lost' shifts
    - is there a pattern to them if you compare notes with friends?
    - if you make your own board private it might prevent 'theft' of shifts in the future...
    - on the Mac vs Linux thing, MacOS is unix based, so might potentially show up as linux in some cases (don't know details, but the possibility is there)

I don't know the architecture and can't give details about logging and all of that. But I do know the web site is pretty shoddy and not even vendor-quality. She does have a large volume of documents, emails, and lists of people who lost shifts to this guy. She's going to try and escalate those to her union. But the pattern is simple... they have a high-paying shift, he takes it and puts it under his employee ID. I know for a fact there is no "power-user" privileges for the workers that allows them to arbitrarily take a shift legitimately. For a trade to be legitimate, they have to voluntarily put it up for grabs so someone else can volunteer to take it.

Fair point on the Linux/Mac OS thing, although wouldn't it be UNIX for Mac? Then again, as a programmer I know that they could have lumped up UNIX to be rolled up into LINUX, just to consolidate the possible outputs.

Tom Nielson, Ranch Hand, Posts: 53
And I know the police report may seem extreme, but how would you feel if $1200 was taken out of your paycheck because your coworker found a way to take it away from you? It's the exact same thing here. Hopefully her union, which is also confused by the growing number of complaints, will get some momentum and lawyers to deal with this.

chris webster, Bartender, Posts: 2407
Tom Nielson wrote:
    What is really crazy is the alleged hack makes it look like the owner of the shift legitimately traded it to Carl, and that is why the IT executive over the system keeps dismissing the complaints. But I think he is being jaded and lazy, because I see lots of red flags. One really shocking email had one worker showing a screenshot of her board history, and the shift she lost was traded by her on LINUX!!! She said she had a Mac and never used Linux in her life.

If you're going the legal route, your friend and her lawyer should request full copies of the relevant system logs for the bad trade, including the IP addresses and timestamps. These transactions have a financial impact and - hopefully - should be logged properly, just like banking transactions. This may help to prove your friend didn't make the trade and, possibly, that "Carl" did. If the trades are not being logged properly, then there would probably be unpleasant implications for the company in terms of financial accounting and tax reporting, for example.

But I suspect it's probably going to cost your friend a lot more than $1200 to pursue this, and many companies prefer to fire the person who reports a problem, rather than deal with the problem.

Tom Nielson, Ranch Hand, Posts: 53
chris webster wrote:
    Tom Nielson wrote:
        What is really crazy is the alleged hack makes it look like the owner of the shift legitimately traded it to Carl, and that is why the IT executive over the system keeps dismissing the complaints. But I think he is being jaded and lazy, because I see lots of red flags. One really shocking email had one worker showing a screenshot of her board history, and the shift she lost was traded by her on LINUX!!! She said she had a Mac and never used Linux in her life.

    If you're going the legal route, your friend and her lawyer should request full copies of the relevant system logs for the bad trade, including the IP addresses and timestamps. These transactions have a financial impact and - hopefully - should be logged properly, just like banking transactions. This may help to prove your friend didn't make the trade and, possibly, that "Carl" did. If the trades are not being logged properly, then there would probably be unpleasant implications for the company in terms of financial accounting and tax reporting, for example.

    But I suspect it's probably going to cost your friend a lot more than $1200 to pursue this, and many companies prefer to fire the person who reports a problem, rather than deal with the problem.

Very good point. I talked to Anna today, though, and fortunately it looks like the union may pony up the lawyers.

Guillermo Ishi, Ranch Hand, Posts: 789
What industry is this? I've never heard of this kind of business.

Tom Nielson, Ranch Hand, Posts: 53

Guillermo Ishi wrote:
    What industry is this? I've never heard of this kind of business.

I was deliberately vague for a reason. This is a discussion board on security after all.

Guillermo Ishi, Ranch Hand, Posts: 789

Tom Nielson wrote:
    Guillermo Ishi wrote:
        What industry is this? I've never heard of this kind of business.

    I was deliberately vague for a reason. This is a discussion board on security after all.

LOL well, you have a union so it's not a criminal enterprise, maybe.

Tell me the name of a similar business, then. I'm just interested because it's something I've never heard of.

Tom Nielson, Ranch Hand, Posts: 53

Guillermo Ishi wrote:
    Tom Nielson wrote:
        Guillermo Ishi wrote:
            What industry is this? I've never heard of this kind of business.

        I was deliberately vague for a reason. This is a discussion board on security after all.

    LOL well, you have a union so it's not a criminal enterprise, maybe.

    Tell me the name of a similar business, then. I'm just interested because it's something I've never heard of.

lol it is not criminal in the least. Do not get hung up on my description of "the industry", because I changed some of its details to maintain its anonymity. It does not serve higher-end clientele; I made that part up. The media and public would definitely eat this up if they found out, hence my attempts to keep this vague. Compare this to any job that requires you to be gone 4-9 days at a time, such as working on an oil rig.

Guillermo Ishi, Ranch Hand, Posts: 789

Tom Nielson wrote:
    Compare this to any job that requires you to be gone 4-9 days at a time, such as working on an oil rig.

I worked on a rig up in N. Dakota. Nowhere near as captivating as this...

Tom Nielson, Ranch Hand, Posts: 53

Guillermo Ishi wrote:
    Tom Nielson wrote:
        Compare this to any job that requires you to be gone 4-9 days at a time, such as working on an oil rig.

    I worked on a rig up in N. Dakota. Nowhere near as captivating as this...

I'm glad you appreciate my storytelling. Did not mean for it to sound sexy, exciting or cool. But I'm still in disbelief in how this escalated, and for the sake of conversation I wish I could say more. A hacker cartel in this kind of workforce? It still leaves me in awe.

Anna told me several senior directors are cracking down on this now, and put the fire under that tech executive. That is the problem with business silos nowadays. An executive over one department has no visibility and cannot see the negligence of another department. When he does, he worries about stepping on toes and telling another executive how to do his job. That is when accountability breaks down and outrageous things start to happen.

Guillermo Ishi, Ranch Hand, Posts: 789
I think I see what it was. Shifts are scheduled electronically, and Carlito schedules your vacations. Since he had a reputation it seems like he would have been out a long time ago, unless he's the boss. If the sysadmin ever changed his password then it might well be a hack. Personal pages on sites are sometimes easy to get control of. If he's not boss, I don't see why not an identity theft report and let the authorities decide if it applies. At least he might get hassled. If he is boss, use your own discretion. But since he's so blatant it sounds like he must be the boss and has technical authority to do what he's doing. Thus the union interest.