Shipping a Repair

[Erick]

I do simple break/fix work.
Had a customer come in with a laptop for repair three months ago with a BIOS-level password that he swears was intermittent and was unable to provide me with
Tried to do the pull-the-battery trick but it's a newer model that holds a charge. Customer agreed to retrieve the data from the hard drive to a usb stick and call it a day.
Customer has been flaky about picking it up ever since. As I was wrapping it up he said he was heading out of town but would pick it up when he gets back.
A few days ago I get an email from him stating that he would like for me to ship the laptop and USB stick to him.
Something about this is sending up red flags in my mind, between him not having the password to the BIOS to just kind of dropping off the face of the Earth....it just seems too out of sorts. He hasn't racked up a massive bill but I have put in some time on this. It isn't about getting paid in full, it's more about the liability of shipping something that has personal information.

What would y'all do in this scenario?

 

[Larry Sabo]

I would ask for him to prove he owns it by telling you some of the data that's on it, and by providing a copy of his drivers license. If he balks, tell him he'll just have to pick it up himself or have someone else do so on his behalf but they will have to provide the same information and ID.

 

[timeshifter]

Wow, that puts you in a really tough spot. I don't look through customer's data when working on their machines other than to spot check a file or two to make sure it works. I was going to suggest you research the guy online and see what you might learn about him. But you could also peek into a few files and may be able to easily tell if they're really his or not.

Also, what is intermittent about the BIOS level password? Maybe it's Windows 10 in Fast Start up mode so you don't get asked?

 

[frase]

Sounds like a job for...



Though I would have a signed document on initial client dropoff. Has the laptop been with you for three months?
Is a bit hard to request ID now as you have already done what was requested and bit hard to ask after the fact.

Make sure you are paid in full, then ask if customer wants shipping insurance @ x amount. If so get transaction details to pay via your end or from customer and prepay the shipping on their end.

 

[Erick]

Also, what is intermittent about the BIOS level password? Maybe it's Windows 10 in Fast Start up mode so you don't get asked?

It's not Fast Startup mode. I can remove the hard drive and the system still asks me for the password.
When the laptop was dropped off to me the customer claimed it was doing it "intermittently" and said that if it asked for the password just to shut it off and start it again that eventually it wouldn't ask. I didn't find this to be the case so I asked for a password. The password he provided did not work, nor did any of the other 25 or so words he said would work.

It's just the UEFI version of the old BIOS password.

 

[Markverhyden]

Sounds like he isn't the owner. All the classic flags.

Make and model?
Picture of the password request?

Many, if not most machines, have two different types of BIOS password. One will be admin password so when you try to enter BIOS, say hitting F1, it'll prompt. The other is a power up password which must be cleared before you can do anything. Either entering BIOS or powering up the computer's OS.

Either way it's a difficult situation.

 

[nlinecomputers]

You are not the police it’s not your job to judge the honesty of the “owner”. For Password resets you should collect the money upfront. If you are going to ship it back to him get the money upfront. If the client isn’t concerned about the security of the data why should you be? Otherwise tell him he has 30 days to pick it up or it will be sold for scrap to pay his bill.

 

[Blues]

Have you done any checks to see if this laptop was reported stolen? I would do that first if not already done or do a 2nd check if there are no finding then I would tell the "customer" the laptop cannot be turned over or shipped w/o a copy of their ID and payment in full of any balance + any shipping charges. Give them a time line typically is 30 days but go out as far as you like or is legally necessary in your local after which it becomes property of your shop.

 

[sapphirescales]

I've had to ship repairs to clients who suddenly moved on several occasions but I've never had to do it with a BIOS password reset. I would definitely require he send a picture of his ID before shipping the computer. So long as it matches whatever name you have on file, there's not much else you could have done. Whether it's stolen or not is not your concern. Just keep his ID on file just in case the police ever get in contact with you about a stolen laptop (very unlikely).

 

[Blues]

I would tend to say any equipment brought in with security bypass requires a photo ID copy as part of the process.

 

[nlinecomputers]

I would tend to say any equipment brought in with security bypass requires a photo ID copy as part of the process.

This and requiring suddenly after the fact is at best unethical and worst illegal. You have already taken in the device too late to wonder about it now.

 

[NviGate Systems]

At this point, the best you can do ethically is require in person pickup and dispose of after Z days.

When I was younger and not in the industry in any way but a techie, I found some hard disks discarded in a box by my buildings garbage bins. Being the frugal geek I am, I figure hey free drives. I plug them in and they have data. I called the number from a resume I found to find out if it was a mistake or if they wanted the drive back.

Turns out it wasn't that person's but a friend, who had actually paid someone to dispose of all the company drives. Gonna say he wasn't happy was an understatement.

 

[britechguy]

Turns out it wasn't that person's but a friend, who had actually paid someone to dispose of all the company drives.

I would have been mighty unhappy, too. This does point out why it needs to be in writing what "proper disposal" constitutes. And there is definitely multiple options as far as making data unreadable, some physically destructive and others not.

 

[Markverhyden]

At this point, the best you can do ethically is require in person pickup and dispose of after Z days.

When I was younger and not in the industry in any way but a techie, I found some hard disks discarded in a box by my buildings garbage bins. Being the frugal geek I am, I figure hey free drives. I plug them in and they have data. I called the number from a resume I found to find out if it was a mistake or if they wanted the drive back.

Turns out it wasn't that person's but a friend, who had actually paid someone to dispose of all the company drives. Gonna say he wasn't happy was an understatement.

This has been a known issue for many years. When I was in MA in the late 90's at CompUSA there was a piece that made it onto the public radar. An MIT IT Prof gathered several students and sent them on buying expeditions at yards sales in the Greater Boston area. Mind you this was kind of like pre Industrial Age in the Computer Era. Something like 80% of the drives purchased had recoverable data simply by mounting it in a Linux box. With a majority having personal data any thief/hacker would be thrilled to get their hands on.

I can remember receiving drives from a local company who had just started providing us with parts for extended warranty repairs. The first several months the drives untouched. As in they didn't even bother doing an fdisk.

At any rate trying to be a junior gman with next to no evidence is not a good game plan. You can explain you logic of a in person pickup with ID required. But in many States in the US is not legal to just ask for an ID unless there is a statutory requirement. Like buying booze or some other regulated task.