you can change their password over the phone, else they have to come to the NCC

The challenge we had was we were a company that had 25 (later 53) locations around the country. Some of the people we supported were mobile users and could be literally anywhere.

Blind callbacks were the preferred method of verification.

Caller:	My name is Sid Down and I need my password reset
HD:	OK Mr. Down I see you are a mobile user, can I call you right back on your Cell Phone?
Caller	Errrmmm... I don't have my cell phone handy and I'm not in the office... can you call me at (555) 555-1212?
HD	Mr. Down please call us back when you are either in your office or have your cell handy. We don't have (555) 555-1212 as an authorised callback number for you at this time.
Caller	(trys another approach) WHO THE Expletetive Deleted IS YOUR MANAGER!?!?! I WANT MY PASSWORD RESET NOW!
HD	I understand your frustration Mr Down and want to help. I will conference your manager into this call as well as my own manager. Perhaps your manager can vouch for your identity.
Caller	****CLICK!******

This is a sanitized version of a conversation that actually took place hetween m help desk and a caller.

A person was looked up in the corporate contacts list and could recieve a callback on one of up to four numbers that were prearranged. There was a security question they were asked (e.g. "What is your dog's name?") that was pre-arranged and then the password would be reset.

In addition an email was sent to a special mailing list "security-managers" so that an eye would be kept on accesses by this user for a few days.

This all worked fairly well. Wasn't a perfect system but it worked. Additionally mobile users were issued SECURE-ID tokens and had to pass the challenge response system in order to dial in.

A similar situation happened to a web/email hosting company to which a small client company outsourced their email hosting. An ex-employee from the small company called the hosting company to reactivate his email account, claiming his company would discontinue their contract and all if they didn't reactivate his account and stuff.

Later the CEO of that small company called the hosting company, telling them not to take order from anyone from his company but him, even if someone claimed to be a CTO or president or whatever threatening their business and everything.

So, a friendly help desk clerk that's far beyond the CEO's mind and control turned out to be his major security hole. It took him a couple of calls to the hosting company before the situation stopped. Apparently, the ex-employee was very convincing.

I wonder if you then forwarded a complaint to their manager anyway? I'm pretty sure I would have.


---
demerphq

_{<Elian> And I do take a kind of perverse pleasure in having an OO assembly language...}