I once gained access to the ERP system of a $750 million company by impersonating a panicked salesperson. I called the helpdesk and told them who I was. I frantically shared that I could not access my email and download my PowerPoint slides for a very important sales presentation. I obviously couldn't remember my password, so I asked for a reset, which they quickly did for me. Unfortunately, the very helpful helpdesk did not ask me to prove my identity; they just told me what my new password was. From there, I logged in to Outlook Web Access. I then opened a ticket requesting VPN access. Since this request came from within the corporate mail system, this request was also approved. With a network user ID and password, plus VPN access, I was then able to connect to the network and penetrate their HP-UX system. How I gained administrative privileges (root) on that box is another story.
There were several points along the way that should’ve prompted the help desk to verify who I was. In the absence of a clear process or protocol for handling these requests, personnel will often go with what is convenient or presents the least amount of conflict. This is especially true if the helpdesk is understaffed or the social engineer uses anger or frustration as an intimidation tactic.
A new password should never be read to the caller over the phone, because the phone call is exactly the channel the attacker controls. Here's a simple process I've recommended and used to reduce the risk of password reset social engineering. The point of each step is that the secret and the confirmation travel over channels tied to the account's directory record, not to whoever is on the line:
- The helpdesk resets the password but does not share the new password with the caller
- The helpdesk calls the desk extension on record for that account (never a number the caller supplies) and leaves the password in its voicemail
- The caller retrieves the password from their voicemail. The user is forced to change the password as soon as they log in.
- The helpdesk emails the caller's manager of record. The manager is responsible for calling their employee before close of business to verbally confirm the password reset was requested.
- The caller's manager replies to the helpdesk's email confirming the password reset was legitimate
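The following is an added example, not the author's tooling, modelling the five-step process above as a small workflow so the security checks are explicit: the temporary password goes only to the extension in the directory of record, the caller-claimed phone number is ignored, the account is flagged must-change, only the manager of record can confirm, and (an assumption the post does not state) any reset that is still unconfirmed at the deadline locks the account. The users, extensions, and eight-hour "close of business" window are constructed stand-ins.

```python
from __future__ import annotations
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory of record (hypothetical users and extensions). In production this is
# the HR system or directory service; the caller never supplies any of these values.
DIRECTORY = {
    "jsmith": {"desk_phone": "x4412", "manager": "alee"},
    "alee":   {"desk_phone": "x4400", "manager": "rpatel"},
    "rpatel": {"desk_phone": "x4001", "manager": "rpatel"},
}
CONFIRM_WINDOW = timedelta(hours=8)  # assumed stand-in for "before close of business"


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    must_change: bool = False
    locked: bool = False


@dataclass
class ResetTicket:
    username: str
    delivered_to: str      # extension from the directory, never a number the caller gave us
    manager: str
    deadline: datetime
    manager_confirmed: bool = False


class HelpdeskReset:
    def __init__(self, clock):
        self.clock = clock                                   # injectable for testing
        self.accounts = {u: Account(u) for u in DIRECTORY}
        self.tickets = {}                                    # username -> ResetTicket
        self.voicemail = {}                                  # extension -> message (stands in for the PBX)
        self.manager_mail = []                               # (manager, text) pairs

    def open_reset(self, username, caller_claimed_phone=None):
        """Steps 1-4: reset, deliver only via directory voicemail, email the manager of record."""
        rec = DIRECTORY.get(username)
        if rec is None:
            raise LookupError("unknown user, no reset performed")
        acct = self.accounts[username]
        if acct.locked:
            raise PermissionError("account locked, escalate instead of resetting")
        temp = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_pw(temp, acct.salt)
        acct.must_change = True
        # caller_claimed_phone is deliberately unused: only the extension of record gets the secret.
        self.voicemail[rec["desk_phone"]] = temp
        ticket = ResetTicket(username, rec["desk_phone"], rec["manager"], self.clock() + CONFIRM_WINDOW)
        self.tickets[username] = ticket
        self.manager_mail.append((rec["manager"], f"Confirm by phone that {username} requested a reset"))
        return ticket

    def login(self, username, password) -> bool:
        acct = self.accounts[username]
        if acct.locked or not acct.pw_hash:
            return False
        return secrets.compare_digest(acct.pw_hash, hash_pw(password, acct.salt))

    def change_password(self, username, old, new) -> bool:
        """Forced first-login change clears the must_change flag."""
        if not self.login(username, old):
            return False
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_pw(new, acct.salt)
        acct.must_change = False
        return True

    def manager_confirm(self, manager, username) -> bool:
        """Step 5: only the manager of record may confirm the ticket."""
        ticket = self.tickets[username]
        if manager != ticket.manager:
            return False
        ticket.manager_confirmed = True
        return True

    def sweep(self) -> list:
        """Assumed addition: lock accounts whose reset was never confirmed by the deadline."""
        locked = []
        for username, t in self.tickets.items():
            if not t.manager_confirmed and self.clock() > t.deadline:
                self.accounts[username].locked = True
                locked.append(username)
        return locked


def demo() -> dict:
    """Run an unconfirmed (attacker-style) reset and a confirmed one against a fake clock."""
    state = {"now": datetime(2024, 1, 8, 9, 0)}
    clock = lambda: state["now"]
    hd = HelpdeskReset(clock)
    t1 = hd.open_reset("jsmith", caller_claimed_phone="555-0100")   # attacker's own number
    temp1 = hd.voicemail[t1.delivered_to]
    out = {"delivered_to": t1.delivered_to, "caller_phone_used": "555-0100" in hd.voicemail,
           "temp_login": hd.login("jsmith", temp1), "must_change": hd.accounts["jsmith"].must_change,
           "wrong_manager": hd.manager_confirm("mallory", "jsmith"), "mailed": hd.manager_mail[0][0]}
    t2 = hd.open_reset("alee")
    temp2 = hd.voicemail[t2.delivered_to]
    out["right_manager"] = hd.manager_confirm("rpatel", "alee")
    out["changed"] = hd.change_password("alee", temp2, "correct horse battery staple")
    state["now"] += timedelta(hours=9)                                # past close of business
    out["locked"] = hd.sweep()
    out["login_after_lock"] = hd.login("jsmith", temp1)
    out["alee_must_change"] = hd.accounts["alee"].must_change
    return out
```

The two things worth copying into a real helpdesk procedure are the lines that are missing, not the ones that are present: nothing in `open_reset` ever consults what the caller claims about themselves, and nothing speaks the secret back on the inbound call.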
Password self-service systems make processes like this obsolete by taking the helpdesk out of the loop and verifying the user against factors enrolled in advance, so the reset is only as strong as those enrolled factors. You can see self-service in action if you forget a password for the web applications and social media platforms you use. But on the corporate side, only a small number of my largest customers are beginning to implement password self-service. Until then, the helpdesk must make sure all callers are properly authenticated.