Security at the Helpdesk

IT departments have always invested heavily in making sure that their systems can positively confirm a user's identity before granting access to sensitive resources. Not surprisingly, there are any number of mechanisms available for authenticating users, including passwords, PINs, and biometrics.

Because these and other authentication mechanisms are effective, attackers often look for an easier way into the system. One especially common technique is to phone the organization's helpdesk, pretend to be an end user, and ask for a password reset. If the attacker can convince the helpdesk technician to reset the user's password, the attacker walks away with a working credential for the now-compromised account, without ever having to defeat the password, PIN, or biometric.

So how can an organization’s helpdesk staff positively confirm a caller’s identity? Many organizations have historically relied on the use of security questions. A couple of examples might include: what was your first pet’s name, or what city was your mother born in.

While these types of security questions can act as a deterrent to attackers, they aren't perfect. There are two significant issues with using security questions to verify a caller's identity.

First, security questions have become so commonly used that it is relatively easy for an attacker to anticipate the types of questions that might be asked and to research the answers before contacting the helpdesk. A first pet's name or a mother's birthplace is frequently discoverable from social media, public records, or earlier data breaches.

The other problem with using security questions is that when a helpdesk technician asks the caller for the answer, the technician learns the answer. At that point, nothing stops a rogue helpdesk employee from reusing it, and because users tend to give the same answers to every service that asks, the exposure is not limited to the one account. Organizations therefore need a way to confirm a user's identity over the phone without exposing the user's sensitive personal information to the helpdesk in the process.

Historically, there has not been a good solution to this problem. The Windows operating system does not include features designed to authenticate callers, nor does it natively provide helpdesk staff with access to security questions.

Perhaps the best way to help helpdesk staff avoid social engineering schemes is to adopt Specops Secure Service Desk. The solution reduces the risk of social engineering by giving the helpdesk a variety of tools that it can use to positively verify a caller's identity before resetting a password.

If the user has enrolled a mobile device, for instance, the helpdesk can send a code to that device and ask the caller to read the code back. This proves that the caller is in possession of the user's mobile device. Similarly, if the user has registered a personal email address with the organization, the technician can send a code to that address and require the caller to read it back. Two points matter for this to hold up in practice: the device or address must have been enrolled before the call, never supplied by the caller during it, and the code must flow only from the user to the technician. The technician should never read a code out to the caller, and should be wary of a caller who is "just waiting for it to arrive" while apparently talking to someone else, since an attacker can relay a code by phoning the real user at the same time and pretending to be the helpdesk.

As an alternative, Specops Secure Service Desk can also require the user's manager (as defined in Active Directory) to confirm the user's identity. The software also has the ability to interface with third-party systems such as Duo, Okta, and Symantec VIP.

Regardless of which authentication method is used, the helpdesk staff won't be able to unlock a user's account or reset the user's password until the user's identity has been positively confirmed. Only then does the console display the Reset Password and Unlock User options, and the helpdesk technician can service the user's request.
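The verification flow described above, reduced to its essentials, as an added illustration that is not Specops code and does not reflect how Specops Secure Service Desk is implemented. It models a helpdesk gate in which a one-time code is sent out of band to the user's enrolled device, the technician only ever learns whether the read-back matched, and the reset and unlock operations refuse to run until a verification has succeeded. Delivery is simulated by a callable standing in for an SMS or email gateway, the directory call is a placeholder, and the 5-minute validity window, three-attempt limit and six-digit code length are assumptions chosen for the example.

```python
"""Out-of-band caller verification gate for a helpdesk password reset.

Added illustration, not Specops code. Rules enforced by the gate:

  * the technician never sees the code, only the verdict of the read-back;
  * only a hash of the code is kept, bound to the username, and it expires;
  * a bounded number of wrong read-backs voids the challenge;
  * reset/unlock refuse to run without a fresh, unconsumed verification.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # assumption: the code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong read-backs void the challenge
CODE_DIGITS = 6          # assumption: six-digit numeric code


class VerificationError(Exception):
    """Raised when a privileged action is attempted without a verified caller."""


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


@dataclass
class HelpdeskGate:
    # deliver(user, code) pushes the code to the user's *pre-enrolled* device or
    # mailbox; in production this is an SMS/email gateway, here it is injected.
    deliver: Callable[[str, str], None]
    clock: Callable[[], float] = time.time
    _challenges: Dict[str, Challenge] = field(default_factory=dict)

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        # Bind the hash to the username so a code issued for one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def start(self, user: str) -> None:
        """Generate a one-time code and send it out of band.

        Deliberately returns nothing: the technician must not see the code.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[user] = Challenge(
            code_hash=self._digest(user, code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.deliver(user, code)

    def confirm(self, user: str, read_back: str) -> bool:
        """Check the code the caller reads back; True only on an exact match."""
        ch = self._challenges.get(user)
        if ch is None or ch.verified:
            return False
        if self.clock() > ch.expires_at or ch.attempts_left <= 0:
            del self._challenges[user]
            return False
        ch.attempts_left -= 1
        if hmac.compare_digest(ch.code_hash, self._digest(user, read_back.strip())):
            ch.verified = True
            return True
        if ch.attempts_left == 0:
            del self._challenges[user]   # too many guesses: start over
        return False

    def _consume(self, user: str) -> None:
        """Spend a successful verification; raise if there is none."""
        ch = self._challenges.get(user)
        if ch is None or not ch.verified or self.clock() > ch.expires_at:
            raise VerificationError(f"caller identity for {user!r} not verified")
        del self._challenges[user]       # single use: one verification, one action

    def reset_password(self, user: str, new_password: str) -> str:
        self._consume(user)
        # Placeholder for the directory call (Set-ADAccountPassword or similar).
        return f"password reset for {user}"

    def unlock(self, user: str) -> str:
        self._consume(user)
        # Placeholder for the directory call (Unlock-ADAccount or similar).
        return f"account unlocked for {user}"


if __name__ == "__main__":
    inbox: Dict[str, str] = {}   # constructed stand-in for the user's phone
    gate = HelpdeskGate(deliver=lambda u, c: inbox.__setitem__(u, c))
    gate.start("jdoe")                                  # technician sees nothing
    print("genuine caller:", gate.confirm("jdoe", inbox["jdoe"]))
    print(gate.reset_password("jdoe", "new-password-from-user"))
```

The shape worth copying is that `start` returns nothing and `confirm` returns only a boolean: the technician's console has no path to the code itself, which is what removes the rogue-insider exposure that security questions carry. The single-use consumption in `_consume` also means a verification cannot be banked and spent later on a different request.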

(Last updated on October 30, 2023)


Written by

Brien Posey

Brien Posey is a freelance author and speaker, and 15-time Microsoft MVP with 20+ years of IT experience.
