Social engineering warning: watch out for that password reset call
(Last updated on February 6, 2020)
Fake password reset calls are the new hack
Service desk staff are trained to help users with password-related issues regain access to their accounts. This makes them popular targets for hackers. According to the 2018 Verizon Data Breach Investigations Report, social engineering, a way of tricking users into divulging confidential information, spiked in Q2 2018 and remains one of the most successful tactics used against service desks.
A classic social engineering technique is calling the service desk for a password reset while pretending to be someone else, in order to gain access to an organization’s sensitive data. Hackers take full advantage of the chaos on a service desk whose personnel are trying to keep up with a high volume of calls. The reality is that the service desk barely has time to reset passwords, let alone verify each caller’s identity carefully. This makes it a comparatively easy hacking method: the hacker only needs to convince a service desk staff member to hand over a new password, rather than guessing or cracking the existing one.
The human OS needs a social engineering patch
Organizations can sometimes be too focused on technological security controls and neglect the weakest link – people. There needs to be ongoing training to educate employees on the latest security threats and on what they can do to prevent attacks. Security-aware employees are better at recognizing threats and at taking responsibility for defending against them.
Software can go a long way in strengthening your defense
Many organizations still rely on manual password resets, which are more susceptible to social engineering. To confirm the caller’s identity before resetting a password, the service desk staff asks the caller verification questions, typically about the employee’s name, location, email address, or employee ID. The answers to such questions are easy to obtain. Once identity is "confirmed", a new password is handed out. To eliminate the service desk errors associated with manual password resets, implement a self-service password reset solution and give employees direct control over their own accounts. The automated process removes human interaction from the reset and lowers the opportunity for user impersonation.
Another effective way to increase security is to enable multi-factor authentication for password resets. Multi-factor authentication requires the user to present not just one form of authentication, such as a password, but one or more additional forms, such as challenge questions, a mobile verification code, personal identity services, manager authentication, or Smart Cards. By requiring the user to provide multiple forms of authentication, you create a layered defense and further fortify the reset process against various types of attacks.
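The following is an added example, not code from the original post or from Specops, of the reset policy the two paragraphs above describe: directory attributes (name, location, email, employee ID) are recorded but never counted as proof of identity, and a reset is only released when at least two verifications of distinct, stronger kinds have passed. The factor names, the `Verification` record and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class FactorKind(Enum):
    DIRECTORY_ATTRIBUTE = "directory"  # name, location, email, employee ID
    KNOWLEDGE = "knowledge"            # challenge questions
    POSSESSION = "possession"          # verification code sent to an enrolled phone
    IDENTITY_SERVICE = "identity"      # login at a personal or company identity service
    MANAGER_APPROVAL = "manager"       # the user's manager confirms the request
    SMART_CARD = "smartcard"


# Factor kinds that count toward the policy. Directory attributes are
# deliberately excluded: a caller can look them up or guess them.
STRONG_KINDS = frozenset(k for k in FactorKind if k is not FactorKind.DIRECTORY_ATTRIBUTE)


@dataclass(frozen=True)
class Verification:
    kind: FactorKind
    passed: bool


def evaluate_reset(verifications, min_distinct=2):
    """Decide whether a password reset may proceed.

    Returns (allowed, reason). The reset is allowed only when at least
    `min_distinct` passed verifications come from distinct strong kinds,
    so two challenge questions still count as a single factor.
    """
    kinds = {v.kind for v in verifications if v.passed and v.kind in STRONG_KINDS}
    if len(kinds) >= min_distinct:
        return True, f"{len(kinds)} distinct factors verified: {sorted(k.value for k in kinds)}"
    return False, (f"only {len(kinds)} strong factor(s) verified; "
                   "directory attributes such as name or employee ID do not count")


if __name__ == "__main__":
    # Constructed scenarios, not real calls.
    phone_call = [Verification(FactorKind.DIRECTORY_ATTRIBUTE, True),
                  Verification(FactorKind.DIRECTORY_ATTRIBUTE, True)]
    print(evaluate_reset(phone_call))        # denied: attributes only
    self_service = [Verification(FactorKind.KNOWLEDGE, True),
                    Verification(FactorKind.POSSESSION, True)]
    print(evaluate_reset(self_service))      # allowed: two distinct factors
```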
Specops uReset is a self-service password reset solution that supports multi-factor authentication. It goes beyond two-factor authentication by supporting a broad range of identity services that can be used to increase password reset security and flexibility. Common authenticators such as questions and answers and mobile verification codes are available, as are various digital identity services, ranging from personal identity services (e.g. LinkedIn) to company identity services (e.g. salesforce.com), in addition to higher-trust methods such as Smart Cards.