This article discusses attacks on Xbox Live accounts. The key point is social engineering of helpdesk/support employees: call up the target's helpdesk, pretend to be the account owner, request a password reset, et voilà.
Same thing in IT security, of course. Fundamentally it's an authentication issue, or rather the lack of one. You want a something-you-have, or more commonly a something-you-know (and others don't), a.k.a. a secret.
I've set an optional password on my bank accounts; they ask for it before they will make any changes over the phone or even in person. Simple. Effective. We've all run into the common "please verify your mailing address for me" check, usually following entry of an account number. That isn't much of a secret: if attackers know your name, the online white pages will hand them your address. In a previous incarnation, the company I worked for would verify you via your SecurID token on a website. That's solid, but kind of a pain.
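The verification the post is arguing for, written out as an added example (it is not code from the original post, and the product and phone numbers in it are constructed): a helpdesk reset check that accepts only a real secret, either an enrolled "phone passphrase" stored as a salted PBKDF2 hash (something-you-know) or a short-lived, single-use code sent to the phone on file (something-you-have), with an audit trail and lockout after repeated failures. Publicly discoverable facts such as a mailing address are deliberately not a factor.

```python
"""Helpdesk password-reset caller verification (constructed example, not a real product)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERS = 200_000      # work factor for the stored phone passphrase
MAX_FAILURES = 3            # failed checks before the account is locked for helpdesk resets
OTC_TTL_SECONDS = 300       # lifetime of a one-time code


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)


@dataclass
class Account:
    username: str
    phone_on_file: str                      # delivery channel for the one-time code
    passphrase_salt: bytes = field(default_factory=lambda: os.urandom(16))
    passphrase_hash: Optional[bytes] = None  # optional phone passphrase; None = not enrolled
    failures: int = 0
    locked: bool = False


class ResetVerifier:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending_codes: Dict[str, Tuple[bytes, float]] = {}   # username -> (sha256(code), expiry)
        self.audit: List[str] = []                                 # every decision is logged

    def enroll(self, username: str, phone: str, passphrase: Optional[str] = None) -> Account:
        acct = Account(username, phone)
        if passphrase:
            acct.passphrase_hash = _hash_secret(passphrase, acct.passphrase_salt)
        self.accounts[username] = acct
        return acct

    def _record(self, username: str, event: str) -> None:
        self.audit.append(f"{username}: {event}")

    def _fail(self, acct: Account) -> bool:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self._record(acct.username, "locked after repeated failed verification")
        else:
            self._record(acct.username, f"verification failed ({acct.failures}/{MAX_FAILURES})")
        return False

    def verify_passphrase(self, username: str, claimed: str) -> bool:
        """Something-you-know: compare against the enrolled phone passphrase, constant-time."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked or acct.passphrase_hash is None:
            self._record(username, "passphrase check refused")
            return False
        if hmac.compare_digest(_hash_secret(claimed, acct.passphrase_salt), acct.passphrase_hash):
            acct.failures = 0
            self._record(username, "passphrase verified")
            return True
        return self._fail(acct)

    def send_one_time_code(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Something-you-have: issue a code to the phone on file; only its hash is kept."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            self._record(username, "one-time code refused")
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[username] = (hashlib.sha256(code.encode()).digest(), now + OTC_TTL_SECONDS)
        self._record(username, f"one-time code sent to phone on file {acct.phone_on_file}")
        return code   # delivered out of band in practice; returned here so a demo can play the caller

    def verify_one_time_code(self, username: str, claimed: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        pending = self.pending_codes.pop(username, None)   # one attempt per code, success or not
        if acct is None or acct.locked or pending is None:
            self._record(username, "one-time code check refused")
            return False
        digest, expires = pending
        if now > expires:
            self._record(username, "one-time code expired")
            return False
        if hmac.compare_digest(hashlib.sha256(claimed.encode()).digest(), digest):
            acct.failures = 0
            self._record(username, "one-time code verified")
            return True
        return self._fail(acct)


if __name__ == "__main__":
    v = ResetVerifier()
    v.enroll("alice", "+1-555-0100 (constructed)", passphrase="correct horse battery")
    print(v.verify_passphrase("alice", "correct horse battery"))   # True
    print(v.verify_passphrase("alice", "my mailing address"))      # False, and counted
    print("\n".join(v.audit))
```

The agent never sees the passphrase or the code in clear: the passphrase exists only as a salted hash, and the code is hashed the moment it is issued, so a compromised ticketing system or a curious agent gets nothing reusable. Both checks count failures toward the same lockout, which is where the post's "optimal, not ultimate" balance is tuned.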
Once again it's a balance. Don't forget when looking at the risk of social engineering that there is also the risk of time lost to a cumbersome password reset process. You want optimal security, not ultimate security.
If your company's helpdesk isn't doing some reasonable authentication before doing password resets, then it's probably about time to work with them to develop a new, simple process. With a priority based on risk analysis, obviously... but with this being an easy, common attack, I bet the risk ranks fairly high on the list.
You do have a risk list, don't you?
Saturday, January 12, 2008
Helpdesk Social Engineering
In our company we had a security incident when some guy called our helpdesk with a password reset request and our helpdesk specialist did it without any extra authentication. As a result we lost some sensitive data.
Since that time we have implemented an automated solution for password reset: Desktop Authority Password Self Service.
This tool enables users to reset their passwords securely by answering a set of secret questions.
In addition it can reduce the number of password-related calls to the helpdesk, improving efficiency.