If it wasn’t for people, some wag once said, IT systems would be secure.
Proof is in the number of data breaches caused by staff who use insecure passwords on their desktop PCs and mobile devices and who carelessly click on email attachments. There are also contact centre employees who are too forgiving to callers asking for password resets.
That’s what CSO Online writer Steve Ragan found when he allowed a security consultant to try and take over his account at domain registrar GoDaddy.
Like most organizations that allow external and internal customers to reset settings, GoDaddy has a set of procedures to authenticate users, including phone verification and, if necessary, having the caller fax a copy of an ID. Here’s where the breakdown happened — a case of social engineering.
“Armed with only basic information and no access to the account’s primary email address,” writes Ragan, the impostor “should have failed. Yet, the exact opposite happened; he succeeded despite GoDaddy’s layered protections.”
The call centre accepted the explanation that “there were a lot of office politics at the moment” as an explanation for the lack of some details. The impostor said he couldn’t provide the PIN number or credit card used to set up the account because his assistant had done that.
So he had to provide government-issued ID — and did by creating one with Photoshop.
Unfortunately there are still holes today in call centre authentication policies that allow attackers can take advantage of. It’s a vulnerability that every organization needs to pay attention to.