This doesn't sound right - 3rd-Party "Deduction Management Firm"
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
So, apparently we hired some "deduction management firm" to go through and try to find issues with over payments, charge backs and invalid deductions from our wholesale customers and EDI.
They said they needed me to do something with email and then when I asked for documentation, they sent me this-
"This should help.
Email Correspondence
Harvest Revenue Group reviews all information that would also be available to the retailer's auditors. To do this effectively, with maximum benefit to your company, HRG needs to review all correspondence between the company and your retail customer(s).
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
First thought is: wtf???
Why would someone need to harvest emails at the firewall to see all correspondence between company and retail customers??
-
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
-
Also maybe in violation of data security and privacy concerns.
Google Harvest Revenue Group.... it's weird to say the least that the website concentrates on the President having a Bachelor's degree and multiple master's degrees related to theology..... and no formal education listed with regards to business, finance or litigation..... Does he pray the bills away?
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
Things like this bring out the BOFH in all of us...
For anyone that isn't familiar with the term: https://en.wikipedia.org/wiki/Bastard_Operator_From_Hell
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
For real, that's what they requested. Give them exactly what they asked for then if they complain ask why they were so specific if they didn't want exactly what they requested, and why they would presume to tell you how best to collect emails if they don't know how email works.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Well obviously, but that seems to solidly fall under "whoever hired them's" problem.
-
This sounds like a really sketchy firm. Sharing client data with them would worry me, at least a little. If they don't know how a firewall works, and they are asking you to expose customer data, you've got big things to worry about. Because their security understanding is about to become your problem.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
-
@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
Exactly. They made a VERY specific technical request. Not your place to question that since it isn't a security concern since they will get the binary dump only.
-
@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
Wasn't there a movie that said:
"You can't fix stupid, no matter how big a hammer you use." Seems fitting.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.
-
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.
-
If you are going to do this, I would make sure that every employee and customer clearly understands that their private communications will be turned over to a third party. California has allowed employers to read employee emails when properly notified beforehand. But that's way different than sharing with a third party; you'll need a really good employee handbook signed off by everyone before doing this.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.
Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.
Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.
Not directly because this is so dangerous and so risky that it would never come up. But basically this third party is requesting access normally limited to requiring a court order.
https://www.employees-lawyer.com/can-my-boss-read-my-e-mail/
Unfortunately, the law on e-mail surveillance is not well-settled. The federal Electronic Communications Privacy Act of 1986 (ECPA) prohibits the unauthorized access to electronic communications.[7] The phrase “electronic communication” includes the transfer of any writing or data, but it does not include oral communications.[8] Several courts have found that the ECPA covers e-mail messages.[9] People that violate the ECPA could be subject to fines or prison time.[10]
The problem for employees, however, is the definition of “without authorization” under the ECPA. If an employee checks their e-mail from a work computer, have they authorized their employer to access it as well? The phrase “without authorization” is not clearly defined.
There is, however, at least some argument that an employer is not authorized to access employees’ personal e-mail accounts. So, even if the employee accesses their personal e-mail from a work computer, this would not seem to create an implied authorization for the employer to snoop in their e-mail further.
This argument is significantly diminished by the use of employer-issued e-mail accounts. Because the ultimate ownership of the domain and the e-mail account itself remains with the employer, it is likely that the employer can authorize itself to access the e-mail account.
-
@wrx7m basically here are the issues that I see:
- Assuming that there are strong policies in place in regards to the employer being allowed to read the employee's email as a given starting point, that doesn't cover the situation here. That's "normally legal" if handled properly, but risky enough to generally be advisable to avoid. Even if the employee legally can do nothing, it can damage the company's reputation. And that's best case, worst case it goes to court and the company can't prove that it had the right to do it.
- The request is to capture all traffic, not just email. Maybe we want to ignore this, but the request is for this and would risk crossing into "social engineering" grounds by trying to convince you to do so. This would include bank transactions and all kinds of things. Claiming that they are just incompetent might work, but not likely. Bottom line, they are asking for the keys to absolutely everything, using email as an excuse to breach the firewall / network security.
- Even if we ignore #2, the request is for all email, regardless of sender or recipient, or system. This means that not just proper business transactions with clients, but also the CEO talking to the company lawyer, the HR team discussing employee issues, and other matters of HR, legal, or attorney / client privilege or possibly SEC trading (if you are public) are exposed to a third party without anyone's permission or knowledge (presumably.) Even telling people that this could happen appears to mean nothing.
- We have to assume that the Harvest company has no legal framework around it making it have to do any due diligence to protect the confidentiality of the emails that it receives. Honestly it sounds like a scam business, but even if it isn't, this seems like a huge problem to know that they have major security gaps in their understanding and let them have data of unlimited sensitivity.
Sharing specifically targeted client / sales conversations, once the sales team is made aware, and the emails are verified by some process seems fine. Everyone knows what the contents are ahead of time. But anything that does a "grab all" from the network or the email system would be grabbing data of unknown origin and destination and purpose.
It would be super, duper hard to defend in court how it could be legal if an employee's private conversation with HR, a boss, a doctor, a bank, a family member, etc. was intentionally shared with a third party, as it serves no business purpose.