Forget two-factor authentication. Forget storing crucial data using a SHA-256 hashing algorithm. Videoconferencing provider RingCentral has decided to go analog, and keep users’ credit card information in a big pile of papers next to their 1990 Brother fax machine, probably near a half-empty box of those Entenmann’s donuts that look like they have rabbit droppings on them.

RingCentral’s cybersecurity firewall.

Recently, a client of mine sent me an invite for an upcoming web meeting. Instead of using Teams or Zoom, this client uses RingCentral. In the invite, I was prompted to create a RingCentral account so I could access the meeting. Fortunately, I already had a RingCentral account, since another client of mine used it — back in 2005 or so.

As expected, my login didn’t work when I tried to use the old password. So, I clicked “forgot password,” and RingCentral sent me a link to reset my password. Clicking that, I was sent to the original “login” page… without any ability to enter a new password. Dead end.

I tried different browsers, just to be sure, but no luck. I also tried with and without VPN, just to be sure my non-US IP wasn’t causing problems. Nope.

So I used a different email address to create an account, but that also left me in a loop. I just couldn’t get this to work. But I tend to have my security settings cranked up pretty high here, so that is known to cause issues with some websites.

Suddenly, though, I received an email from RingCentral, but to the address I used to create the original account from years ago. It said my account “required attention” because they were unable to verify my financial information. I don’t know why they needed my credit card info to join a free RingCentral meeting hosted by my client, but whatever. And yeah, sure, whatever credit card they had on file years ago was, no doubt, long since expired.

No, You’re Not Dreaming This

Now, before you read this next sentence, I want you to remember you are reading this in the year 2023, when AI and quantum computers already exist.

In its email, RingCentral asked me to send photocopies of my driver’s license along with scanned copies of the front and back of my credit card to them … by fax machine.

Did I mention we currently live in 2023, and that we now have commercial drones and electric cars and fully-automated 3D printers?

I know you don’t believe me, so here it is:

And, yes, I verified it wasn’t a phishing scam. This was legitimate.

The idiots had the balls to say that “credit card fraud accounts for $2 billion annually,” and this was all necessary to ensure RingCentral could “do our part to help reduce this figure and create a safe environment for you.”

OH.

MY.

GOD.

Think about what this means. Somewhere over in their San Francisco office (area code 650), there is a stack of faxed credit card authorization forms sitting there, entirely unprotected and available for viewing by any schlub who walks past the 1990s fax machine.

So unprotected, in fact, that not only is your credit card information at risk of being seen by anyone, it’s at risk of getting coffee spilled on it. And worse, NIST just updated 800-171 and didn’t even address proper cybersecurity controls for coffee spills.

You Knew There Was an ISO Certificate Here Somewhere

Oh, we’re not done yet. Not by a long shot.

RingCentral holds ISO 27001 information security management certification issued by none other than Coalfire. Because of course they fucking do.

You might recognize the name Coalfire as being one of the noisiest CMMC C3PAO assessors polluting your LinkedIn feed with their incessant droning.

Now, I’m no ISO 27001 expert — I only help set up ISO 27001 certification bodies like Coalfire against ISO 17011 — but I’m pretty sure none of the controls listed in 27006 allow for printed data sitting on fax machines.

In response to my calling him out on LinkedIn, RingCentral’s CISO Michael Armer promised that his “team is looking into this.”

Hey, want to know how your team can look into it? WALK DOWN THE FUCKING HALLWAY AND LOOK FOR THE FAX MACHINE WITH THE PILES OF CREDIT CARD FORMS SPITTING OUT OF IT.

Sometimes I can’t believe I actually live on this planet.
